Outsourcing Step-By-Step Guidelines Checklist


Most jurisdictions have rules/regulations on outsourcing, for example

In light of the above, Comsure has put together the following step-by-step guide to what financial institutions should be checking regarding their outsourcing requirements.

Organisations should check that:

  1. They have correctly identified all their “outsourcing” arrangements and all the arrangements that affect “critical and important processing”.
  2. No one can implement new cloud computing outsourcing arrangements without following the correct procedures.
    1. In particular, it is recommended to check for the use of free, personal (as opposed to company-owned) and low-cost services that may have been put through on expenses.
  3. The risk assessments are up to date, accurate, and include all necessary documentation.
  4. Contracts have been reviewed and updated in line with the requirements.
  5. Documentation is up to date, accurate, and that all the documentation is correctly aligned with no gaps or conflicts.
  6. Incident response playbooks have been updated and tested.
    1. Incidents must be both recognised and reported quickly, while also ensuring that they do not interrupt normal business activities.
  7. There are appropriate audit trails to demonstrate management oversight of the decision-making process and cloud computing arrangements.
  8. Each outsourcing arrangement has a documented owner who is aware of their responsibilities.
  9. Appropriate training has been provided recently to ensure everyone understands the requirements and what they need to do personally to comply with them.
    1. It is also worth ensuring that people who have recently joined or changed roles have received the appropriate information and training.
  10. Where the company withdraws from a cloud computing arrangement, the following should be considered:
    1. Where appropriate, evidence such as data deletion certificates or audit reports should be held to prove that the arrangement has ended, and
    2. that the cloud services provider has securely erased and/or returned the organisation’s data.