Thursday, January 7, 2010

An IT Vendor Checklist - Minimum Standards for IT Outsourcing

A co-worker keeps the following handy list of items to request from vendors during IT contract negotiations:

• The vendor must operate under a security model conformant to a recognized standard such as ISO/IEC 27001, COBIT, or PCI DSS
• The vendor must disclose breaches that may materially affect the organization
• The vendor must permit the organization to audit or assess its operations, on reasonable advance notice or request
• The vendor must escrow data, and possibly code as well, against supplier insolvency
• And finally, the vendor must destroy the organization's data upon termination of services

This short list is easy to hand off to project managers and departments looking for quick advice, and while it doesn't cover every situation, it helps make sure that contracts have reasonable language in them. It can also help spur discussions about why vendors might not be desirable partners.

