Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t need a policy for it.”
The one-word reply to this statement is, “Wrong!” If I audit your organization and you don’t have a disaster recovery policy, a password policy, or any of the other topics in the long list of necessary and expected information security and privacy practices, you are going to get a huge number of findings (these are bad things, not good things) in your audit report. And possibly, depending upon the entity doing the auditing, some fines and/or penalties that will hit your organization in the pocketbook. Potential clients or customers may also decide not to do business with you if you don’t have a comprehensive set of policies, which also hits your revenues.
“But how can we have a policy for what we don’t do?”
Because you ultimately need to establish the safeguard requirements for the information that your business is responsible for protecting! You must govern how your organization will ensure the security of your information assets. Even if you aren’t administering that activity directly, you still must establish the safeguards that your outsourced entity must implement on behalf of, and in support of, your organization. If your policies do not specify your organization’s direct activities, then they should specify the requirements you have established for your outsourced entities.
Policies communicate safeguard requirements
Consider the purpose of information security and privacy policies: They are to communicate the safeguards that you require to be in place for the information that you obtain, process, and otherwise have access to and for which you are ultimately responsible. These apply to safeguards throughout the entire information lifecycle. Even when you’ve passed it on to others, it is ultimately your organization’s responsibility to ensure appropriate safeguards endure through that lifecycle.
A common situation my clients encounter is how to write policies when they outsource their information systems processing activities, especially now that so many businesses use cloud services to do so many things that used to be done in-house. Some of my clients have said, “We don’t need technology policies because we outsource all technology activities.” Wrong! You still need to have requirements by which those outsourced entities abide. Simply saying you trust them to be doing what is appropriate is not only *not* acceptable, it is a huge risk and liability for you to take for your business. Let’s consider a couple of simple examples.
Disaster recovery policy
Even if you outsource all your data processing activities, you still need a disaster recovery policy and supporting procedures. Your policy will not read the same as if you did your processing activities internally, but you must still document the rules by which you will ensure disaster recovery will be appropriately addressed, and in compliance with all your applicable legal requirements.
Here are some examples of some of the types of statements that will typically be within such policies:
- The Company will require each outsourced managed systems services entity to:
- Have a documented disaster recovery and backup plan.
- Have a documented disaster recovery team, with roles identified and documented for each team member.
- Regularly test the backup media to ensure it is actually usable when an event occurs and it is needed.
- Maintain a log of backup media test dates and results, and the locations where backups are stored.
- Provide, upon request, a copy of the above documentation.
- The Company will ensure that all information assets entrusted to outsourced entities during the course of the contract (plus any copies made such as backups and archives) are retrieved upon request or destroyed at the appropriate point on or before termination of the contract.
- For computing and storage devices that are used by Company employees, the data on such devices will be backed up according to the Company Data Backup Procedure.
Password Policy
Here’s another topic that you might be surprised to hear many businesses, especially start-ups, small and mid-sized businesses, believe they don’t need because they have their information systems activities outsourced: a password policy. Every organization that uses computers, of any type, needs a password policy!
This one can be pretty straightforward. Here is just one policy statement example from your full list of password policy statements:
Passwords for computing systems used for Company business purposes will be a minimum of eight characters in length, and include at least one numeral, one alpha character, and one special symbol.
Since this statement applies to all the computers used for your Company (whatever your “Company” name is), your outsourced vendors would also need to meet this minimum requirement, as would your personnel who use their personally owned computing devices for business purposes.
Policies for all types of outsourced activities
An organization that outsources a wide range of data processing, storage, or other types of business activities involving personal information, and other types of sensitive and confidential information, should have policies that follow these same types of statements. Here is a generic formula to follow for such policy statements:
- Company outsources [put activity/activities here] to a managed services provider (MSP).
- The Company requires that the MSP has the following minimum safeguards in place:
- Documented information security and privacy policies.
- Assigned information security and privacy responsibilities.
- Regular training and ongoing awareness communications to their personnel to ensure they know how to incorporate safeguards into their everyday job activities.
- Occasional compliance audits and consistently applied sanctions.
- [Put more specific information security policies required of any outsourced vendor here that are directly related to the types of services they are providing. A couple of good documents to reference to see such policy topics are the internationally accepted information security controls found within ISO/IEC 27001 and ISO/IEC 27002].
- [Put more specific privacy policies required of any outsourced vendor here that are directly related to the types of services they are providing. A good document to reference is the internationally accepted AICPA Generally Accepted Privacy Principles (GAPP)].
Bottom line for organizations of all sizes…
Every business, of any size, in any location, that processes data (and you would be hard-pressed to find any business nowadays that doesn’t) needs to establish documented information security and privacy policies that cover the full range of information security and privacy domains. Even if you outsource anywhere from a little to a lot of your information processing activities, you still need a full set of policies that include your organization’s requirements of your outsourced entities for the associated security and privacy domains. If you don’t have a full set of policies, you will not only get some serious findings (those are bad) in any audit that includes information security and/or privacy in its scope, but you are also leaving your company extremely vulnerable to incidents and breaches as a result of not having such minimum requirements established for the vendors doing business processing on your behalf.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.