Risks in Outsourcing the IT Function

  • 8/8/2019 Risks in Outsourcing the IT Function

    ACHINTYA AGARWAL

    AKHIL KAPOOR

    SAKSHI DUBE

  • RISK:
      - Account creation/deletion not on time

    CONTROL:
      - SLA
      - Penalty Clause in Contract

  • RISK:
      - Improper user account created
      - Improper privileges to account assigned

    CONTROL:
      - Maker-checker concept applied
      - Maker outsourced, checker in-house

  • RISK:
      - Improper configurations
      - Unneeded accesses

    CONTROL:
      - Maker-checker concept applied
      - Maker outsourced, checker in-house

  • RISK:
      - Updates/Patches to systems improper or fake

    CONTROL:
      - Purchase Genuine Software
      - Create autopatching scripts/configurations

  • RISK:
      - Vendor not flexible to changing demands

    CONTROL:
      - Selection of proper vendor
      - Contract terms
      - Understanding of Company requirements

  • RISK:
      - Vendor Outages

    CONTROL:
      - Uptime Guarantee SLA
      - Penalty clause in Contract

  • RISK:
      - Improper configuration of Hardware/Software

    CONTROL:
      - Clarify requirements
      - Verify changes
      - Try pilot before major changes

  • RISK:
      - Excess Response Time
      - Excess Turnaround Time

    CONTROL:
      - SLA for response time
      - Penalty Clause in Contract

  • RISK:
      - Vendor Resource non-availability

    CONTROL:
      - SLA for required resources
      - Penalty Clause in Contract

  • RISK:
      - Accountability in case of incident

    CONTROL:
      - Appointing SPOC
      - Contractual Agreement on incident handling

  • RISK:
      - Security & Confidentiality of data

    CONTROL:
      - Encryption of stored data
      - In-house Audits
      - Non-Disclosure Agreement like clauses in Contract

  • RISK:
      - Knowledge of Vendor's Resources

    CONTROL:
      - Selecting a reputed vendor
      - Contractual stipulations on required skills

  • RISK:
      - Loss of physical access to system

    CONTROL:
      - Access to equipment when required
      - Authorised personnel only
      - Stipulated in contract

  • RISK:
      - No control over location of systems

    CONTROL:
      - Physical locations of hardware mutually decided

  • RISK:
      - No control over frequency and location of backups

    CONTROL:
      - Contractual agreement

  • RISK:
      - Social Engineering of vendor

    CONTROL:
      - Insurance against losses
      - Selection of reputed vendor with good information security policies
      - Contractual penalties

  • RISK:
      - Improper Processes

    CONTROL:
      - In-house and 3rd party process auditing
      - Quality certifications

  • RISK:
      - Quality of Services Rendered not up to the mark

    CONTROL:
      - Regular updates
      - KPI generation and monitoring
      - Testing of services being availed
      - Quality Checks
      - Quality certifications
      - Contractual penalties

  • RISK:
      - Loss of confidential data over network while connected remotely

    CONTROL:
      - Encrypted tunnel to Company systems

  • RISK:
      - Non-compliance to Legislation

    CONTROL:
      - Quality certifications
      - Compliances to be followed
      - Mentioned in contract

  • RISK:
      - Termination of contract

    CONTROL:
      - Creation of good Exit Plan while negotiating contract

  • RISK:
      - Improper Knowledge Transfer/Improper Documentation

    CONTROL:
      - Creating of a Knowledge Bank/Wiki
      - Regular Auditing

  • RISK:
      - Data might be modified

    CONTROL:
      - Access levels to Vendors proper
      - Encrypted stored data
      - Implementation of data change monitoring software
      - Regular Auditing

  • RISK:
      - Company Employees non-understanding of upgraded system

    CONTROL:
      - Conduction of Training before making major changes
