The growing risks associated with data/system security have prompted many senior care organizations to wonder if outsourcing IT is better than managing it in-house. Certainly, it relieves executives of some worries, but how do you decide what's right for your organization?
So, what are some drivers for IT outsourcing?
- Organizations want to achieve efficiency and cost savings.
- Organizations do not have financial or technical resources to develop/maintain an enterprise risk management plan.
- Organizations struggle to bring all parts (procurement, operations, security, etc.) together to establish IT requirements.
To help, the National Risk Management Center (NRMC) at the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) compiled Risk Considerations for Managed Service Provider Customers. Following are some highlights on what to consider when outsourcing.
- Balance cost-effectiveness and efficiency with reliability and security
- Account for risks with multiple IT vendors
- Even with outsourcing, executives should still:
  - Maintain awareness of the technologies and systems.
  - Understand risks from potential loss of 1) core systems/services; 2) data confidentiality, integrity, and availability; 3) consumer/market confidence; and 4) productivity and finances (fines, legal fees, or other regulatory costs).
  - Coordinate procurement, operations, continuity, and security requirements to decrease enterprise risk and improve system performance.
    - Organizations with staff dedicated to each of these functions should coordinate IT requirements across organizational silos.
    - Organizations with non-dedicated staff should have an enterprise risk management plan to account for each requirement.
- Continue to drive policies around network access, controls, and logs.
- Identify staff to monitor/manage the day-to-day activity of IT providers.
- Set careful access policies for all third-party vendors.