School
of Visual Arts is hereinafter referred to as “the company.”

1.0
Overview

Outsourcing is a
logical practice when specialized expertise is required, which happens
frequently in the field of Information Technology (IT).  Trust is necessary for a successful
outsourcing relationship, however, the company must be protected by a policy
that details and enforces the terms of the outsourcing relationship.

2.0 Purpose

The purpose of this
policy is to specify actions to take when selecting a provider of outsourced IT
services, standards for secure communications with the provider, and what
contractual terms should be in place to protect the company.

3.0 Scope

This policy covers any
IT services being considered for outsourcing.

4.0 Policy

4.1
Deciding to Outsource

Outsourcing IT
services is often necessary but should be carefully considered, since by nature
a certain amount of control will be lost by doing so.  The following questions must be affirmatively
answered before outsourcing is considered:

•           Can the service be performed
better or less expensively by a third party provider?

•           Would it be cost-prohibitive
or otherwise unreasonable to perform this service in-house?

•           Will outsourcing the service
positively affect the quality of this service?

•           Is the cost of this service
worth the benefit?

•           Are any risks associated with
outsourcing the service worth the benefit?

4.2 Outsourcing Core Functions
The company permits
the outsourcing of critical and/or core functions of the company’s Information
Technology infrastructure as long as this policy is followed.  Examples of these types of functions are data
backups, remote access, security, and network management.

4.3 Evaluating a Provider
Once the decision to
outsource an Information Technology function has been made, selecting the
appropriate provider is critical to the success of the endeavor.  Due diligence must be performed after the
potential providers have been pared to a short list of two to three
companies.  Due diligence must always be
performed prior to a provider being selected. 

Due diligence should include an evaluation of the provider’s ability to perform
the requested services, and must specifically cover the following areas:

•           Technical ability of the
provider

•           Ability to deliver the service

•           Experience of the provider

•           Reputation of the provider

•           Policies and procedures
related to the service

•           Financial strength of the
provider

•           Service Level Agreements
related to the service

If the outsourced service will involve the provider having access to, or
storing the company’s confidential information, due diligence must cover the
provider’s security controls for access to the confidential information.

4.4 Security Controls
The outsourcing
contract must provide a mechanism for secure information exchange with the
service provider.  This will vary with
the type of service being outsourced, but may include remote access, VPN, or
encrypted file exchange. 

The company and provider must also maintain a mechanism for verifying the
identity of the other party and confirming changes to the service.  This will prevent an attacker from using
social engineering tactics to gain access to company data.

4.5 Outsourcing Contracts
All outsourced
Information Technology services must be governed by a legal contract, with an
original of the executed contract maintained by the company.

Contracts must:

•           Cover a specified time period

•           Specify exact pricing for the
services

•           Specify how the provider will
treat confidential information

•           Include a non-disclosure
agreement

•           Specify services to be
provided, including Service Level Agreements and penalties for missing the
levels

•           Allow for cancellation if
contractual terms are not met

•           Specify standards for
subcontracting of the services and reassignment of contract

•           Cover liability issues

•           Describe how and where to
handle contractual disputes

4.6 Access to Information
The provider must be
given the least amount of network, system, and/or data access required to
perform the contracted services.  This
access must follow applicable policies and be periodically audited.

4.7 Applicability of Other Policies
This document is part
of the company’s cohesive set of security policies.  Other policies may apply to the topics
covered in this document and as such the applicable policies should be reviewed
as needed.

5.0
Enforcement

This policy will be
enforced by the IT Manager and/or Executive Team. Violations may result in
disciplinary action, which may include suspension, restriction of access, or
more severe penalties up to and including termination of employment. Where
illegal activities or theft of company property (physical or intellectual) are
suspected, the company may report such activities to the applicable
authorities.

6.0 Definitions

Backup 
To copy data to a second location, solely for the purpose of safe
keeping of that data.

Encryption  The process of
encoding data with an algorithm so that it is unintelligible without the
key.  Used to protect data during
transmission or while stored.

Network Management  A far-reaching
term that refers to the process of maintaining and administering a network to
ensure its availability, performance, and security.

Remote Access  The act of
communicating with a computer or network from an off-site location.  Often performed by home-based or traveling
users to access documents, email, or other resources at a main site.

VPN  A secure network implemented
over an insecure medium, created by using encrypted tunnels for communication
between endpoints.

7.0
Revision History

Revision 2.0, 1/1/2015