HelpSource Q&A 

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q The vendor to whom my company outsources key activities currently services multiple clients. What should be the recovery strategy that I must impose on the vendor to ensure an effective recovery of the services, if a crisis were to ever occur? My concern is that I must not be accorded a low priority by the service provider. What are the conditions that I must stipulate on the contract?


A Multiple scenarios are possible in outsourcing. Outsourced vendors house and operate multiple clients in a shared infrastructure environment. Some clients may opt for a dedicated infrastructure, but it may mean higher costs compared to operating in a shared environment. It is a decision that the outsourcing company must make—taking into account needs and cost implications.

There is also the concept of ‘seat sharing’, which is prevalent in the industry. In such a scenario, one client’s work is delivered in the day shift, with the same workstation then used to deliver work for another client during the night shift. Operating like this saves on hardware costs. However, some clients may prefer not to have this and may choose to operate using dedicated workstations only.

The outsourcing service provider may choose to deliver the service from more than one location. This can be within the same city or from multiple cities. This model has a sort of built-in recovery arrangement. If a facility or a location were to fail, the jobs could be transferred to another adjacent facility in the same city or to another city from where the services get delivered. In some cases, the hosting of the applications is done from different continents to avoid any geographical risks.

The standard practice in the industry is to promise immediate recovery of a fraction of the total services provided in the case of a crisis and then to increase the quantum of recovery incrementally. For example, on day one of the recovery, the service provider may promise a recovery of 20 percent of the total services provided and may provide incremental recovery over a period of one or two weeks, until recovery reaches 100 percent. The service provider may offer the option of buying, at additional cost, recovery services over and above the standard immediate offering of 20 percent. If the processes outsourced are business-critical to the company’s operations, the company should opt for a higher percentage even if it means paying additional costs.

Some clients who may prefer undisturbed continuity of operations will opt for a dedicated infrastructure coupled with a redundant link or connectivity, which can be activated and used in the event of a disaster. Having such an arrangement may incur additional costs, but if the nature of the business demands continuity of operational activities, such arrangements are essential and unavoidable.

No service provider will commit to an immediate recovery of 100 percent of service unless the recovery is paid for and pre-arranged. Some clients may opt for providing continuity of business operations in the event of a disaster using in-house resources.

As an outsourcer, what are the things that you must take into consideration when you negotiate with your service provider to whom you intend to outsource?

  • Your contract with the service provider must define in no uncertain terms the desired recovery strategy in the event of a crisis. The clauses chosen must describe the arrangements in absolute, clear terms and nothing must be ambiguous—i.e., nothing should lead to multiple interpretations. The recovery arrangements must be explicitly stated.
  • You must decide whether you need a dedicated infrastructure or whether a shared environment would suffice for you. The criticality of the business process that you outsource will help determine this.
  • Whilst the network infrastructure may be shared, you need to assess whether you want the seats and desktops to be shared. Such a model works well only if there is no business need to store the data locally. Any local storage of data on a shared seat implies inappropriate and unauthorized access.
  • The percentage of the services to be recovered in the event of a crisis has to be pre-agreed. This has to be a meaningful number acceptable to the stakeholders. It is essential that the stakeholders from the business formally sign off and provide their approvals and acceptance of the recovery arrangements.
  • The next important element is to ensure that the agreed-upon arrangements actually work. The best way to assess this is to conduct recovery testing on at least an annual basis. Testing more frequently can also help. Unless the arrangements are actually tested and the test reveals no glitches, there is always an element of uncertainty. Whilst there can be planned recovery tests on a regular basis, it is essential that some surprise unplanned tests are also conducted. Such tests will help assess the robustness of the recovery arrangements.

As always, a proper risk assessment combined with an appropriate business impact analysis will dictate your recovery strategy. This list includes some indicative controls and must not be construed as exhaustive.

Gan Subramaniam, CISA, CISM, CCNA, CCSA, CIA, CISSP, ISO 27001 LA, SSCP, is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.