Security services may be outsourced to obtain greater expertise, a greater range of services, or to decrease cost. Should security services be outsourced, the institution retains the same responsibilities for security as if those services were performed in-house. The "Outsourcing Technology Servicing" booklet in the FFIEC IT Examination Handbook provides additional information relevant to outsourcing.
Institutions should ensure they have sufficient expertise to oversee and manage an outsourced security service relationship. The expertise applied to monitor the outsourced security service relationship should be both contract-related and security-related. The contract-related oversight addresses contract compliance. The security-related oversight entails understanding the scope and nature of the service well enough to identify, and react appropriately, when the services provided fall below the level specified in the service level agreement, no longer coordinate appropriately with the institution's security controls, or no longer provide the desired risk mitigation.
Institutions should monitor outsourced security service providers in a manner appropriate to the level of risk, to ensure the service provider fulfills its responsibilities. Monitoring tools include reports from the service provider, independent reviews of the service provider's performance, and independent tests of the service provided.