Organizations have varied reasons for outsourcing information technology functions to third-party service providers (“Providers”). Companies that outsource (“Outsourcers”) may do so to reduce operational cost or to obtain subject matter expertise. Unfortunately, significant risks associated with outsourcing important technology functions to Providers are being ignored. These risks include business continuity, information security and data privacy, intellectual property and un-transferred litigation risks. At the broadest level, a lack of oversight and management controls creates the majority of the risks associated with outsourcing.

All of these risks implicate the broader topic of compliance, and when key functions are outsourced, it becomes increasingly difficult to manage risk and monitor compliance. Examples of regulations IT organizations are working to comply with include the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Foreign Corrupt Practices Act and the Sarbanes-Oxley Act. Rules are enacted by, among others, the FDIC, FTC, DOJ and most state legislatures. Virtually all of these regulations create broad requirements concerning technology governance, which in turn affects an organization’s outsourcing decisions. In addition to statutory and regulatory compliance, Outsourcers face the risk of consumer class-action litigation based upon theories of negligence or unfair competition.

Regulatory organizations such as the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS) and the Cloud Security Alliance (CSA) generally provide standards and guidelines for handling data, security and information governance. Although these organizations and associations are not regulators imposing mandated duties, following their guidelines and “best practices” shows a deeper commitment to diligence in calculating the risks involved in a particular outsourced transaction that is being contemplated or managed.