Small and Medium Organizations: Secure Cloud and Outsourced IT Services
Outsourcing IT services is a common practice for most small and medium organizations. Outsourced services provide cost-effective solutions, but they can also be a source of cyber security issues.
What are outsourced IT services?
Cloud and outsourced IT services include storage, processing or computing, applications, hosting and management of websites, and management of online payment systems. These services can provide some of the following benefits:
- Reducing the cost of purchasing, maintaining, and ever-greening hardware and software
- Eliminating the need to develop and maintain internal IT expertise
- Accessing scalable and flexible pay-as-you-go services based on organizational requirements
- Using off-site backup services and disaster recovery plans
Outsourced IT also has pitfalls. Handing over complete access to sensitive information to outsourced providers can have consequences. Your organization should consider how outsourced providers will handle sensitive information. Consider, for example, what notification processes are in place when sensitive information is accessed by the providers without prior authorization. Be sure to know what protections exist (e.g. Trust Service Principles compliance) so that your organization can manage the risks introduced by outsourcing IT services.
Your organization should also consider data residency issues. Outsourced providers may have servers in other countries, which means the data stored there is subject to different privacy legislation. Organizations should learn where outsourced providers will house their services and decide whether the legal protections of that jurisdiction, compared with those within Canada, meet their needs.
Recommendations for your organization:
- Require all cloud service providers to share their SSAE 18 SOC 3 (AICPA) report to verify that they achieved Trust Service Principles compliance.
  - Note: The Canadian equivalent, CSAE 3416 by the AASB, is also available.
- Evaluate how outsourced IT providers can handle and access your sensitive information
- Evaluate legal jurisdiction where outsourced providers store and use sensitive information
- Ensure that networks and users communicate securely with all cloud services and applications
- Ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts