How do you secure outsourced IT services?

I personally believe these are the factors that are just at a very high level. I also feel 3V policy or Three Vendor policy is just another way for bypassing the compliance and to showcase that there are no actual risks. I have been part of such negotiations with clients and I have seen the procurement teams being bribed to get those contracts. So along with the above risks that are considered, I suggest they should put up automation (systems or bots) where the requirements are specified and any and all possible vendors could submit their proposals, and then let the best one win and take the contract. The legal compliances and criteria should also be part of the same automation/system.

If you outsource a mess, be prepared to pay the price. Get your house in order... know what you want. Write clear and concise agreements. Ambiguity usually means you will pay more, suffer breaches. Make sure the outsourcer has a fiduciary responsibility in the event of a breach of services they provide. Do some sort of threat risk assessment and base your decisions upon those findings. Being cheap on security will come back to haunt you. A simple thing like not keeping patches up to date will vastly increase your risk - all patches - OS, firmware, network devices. As part of any outsourced security service, it should be checked/validated on at least an annual basis - by a different organization.

Honesty plays a critical role in choosing the right IT vendors, some may have policies and systems in place but their personnel have no integrity.

It is only when they go wrong that machines remind you how powerful they are..................................................

A RACI matrix is a great visual way of demonstrating roles and responsibilities, including this into a contract is an easy way of confirming between both entities and remove any possible confusion. The right to audit should also be included into the contract if the vendor will be handling any sensitive or private data.

SLAs should be used. Clear and concise KPIs must be used to hold vendors accountable. Penalties should also be included, but should be reasonable.

Debrief with a service form is done on the spot to explain the tasks carried out by the engineer. Feedback is collected for further adjustments for improvement.

There should be accountability and detailed documentation on who has access to what and any credentials provided to all third parties, how they access systems, and if possible configure and enforce access reviews

Soft skills are often overlooked, but they are one of the most crucial elements in successful cooperation with IT vendors. 🍀 Here's why: 1️⃣Communication: Clear and concise dialogue ensures that both parties understand expectations and responsibilities. 2️⃣Empathy: Understanding the vendor's perspective helps in building a relationship that goes beyond mere transactions. 3️⃣Adaptability: The IT world changes rapidly. Being flexible helps in adjusting to new technologies and market demands. In essence, soft skills create a bridge between technical know-how and human interaction. In the complex landscape of IT vendor relationships, these skills are not just beneficial; they are essential.

Training for customer staff will be provided as they can act as a first responder to any incidents that happen on the ground and remedy it if possible.

I think it has been said previously but in order to have a true partnership with a provider you need to have a strong relationship with them. There will often be conflicts over the term of a contract and knowing the team that you are reliant on will help when the going gets tough. Also, I have often said that if I have to go look at a contract to get my vendor to do something or hold them accountable for something that they did not do then I need to find a new vendor.

Fastfood outlets are convenient, useful and economic in times but only a lazy fool will close down own kitchen and opt outsourcing as a permanent replacement.