Compliance, the Missing Piece to a Managed IT Service Puzzle

As IT environments are becoming increasingly complex, more community financial institutions are looking to outsource monitoring and management of some of their entire IT infrastructure. As anyone who has ever been part of a new product or service implementation knows, there are times when certain items seem to fall off the radar. Of course, this does not always happen intentionally. Given the complexity of implementing new products and services, especially a managed IT service, it is likely that steps to address risk/compliance will either be overlooked or postponed to be dealt with at a more convenient time.

This is concerning to me because compliance should be considered and addressed during each step of a managed IT service roll out; before, during and after the process. Initially, incorporating a managed IT service into your network will impact your IT Strategic Plan and Vendor Management service level standards. Specifying and clarifying performance expectations for vendor relationships and measuring to these standards are important risk/compliance objectives as well as examiner expectations. Consider, for example, how a managed IT service will impact your infrastructure needs (current and future), IT and business innovation objectives, and risk/regulatory requirements. These items should be documented in your IT Strategic Plan. Appropriate due diligence must also be completed for managed IT services, especially given the criticality of the service to your institution.

Your existing policies and procedures will certainly be impacted when outsourcing any level of IT management. Changes to your governance structure or assignment of responsibilities are a prime example of this. To expand on this idea a bit more:

• You will need to document which members of your internal personnel will be involved in the development, operation, and supervision of the managed IT service.
• Will there need to be additional training and which individuals will be responsible for reviewing monthly and on demand reports?
• In addition to enhancing your existing policies, you may find yourself having to incorporate new policies such as a cloud computing and storage policy or a data classification policy, if your institution does not already have such policies in place.
• Of course, as with any new product or service implementation, you cannot forget about your GLBA risk assessment. It should be updated accordingly to address how the managed IT service helps you to mitigate risks associated with your network infrastructure.

At the end of the day, your ability to document your institution’s risk and compliance efforts will prove essential. You should be able to demonstrate to examiners that you have addressed the additional compliance elements that come with sharing IT management with an outside service provider and that you can prove that the vendor is doing the job they contracted to perform for your financial institution. Remember, implementing and overseeing a managed IT service doesn’t stop with deployment. Managed IT services are incredibly beneficial partnerships for community financial institutions looking to improve not only their IT environment, but also business innovation and productivity. Including risk/compliance initiatives as pieces of the managed IT Services puzzle will help to ensure your IT environment is operating at its most effective state.