One of the business units (OU1) within our company is in the process of establishing an encrypted communication feed with an external vendor. The vendor provided a set of requirements for the actual implementation. OU1 is asking info sec to approve the solution without having any runbook or SOP written yet. They already explained the solution to me and it is in accordance with the vendor requirements. What is my exposure if the vendor requests an audit at a later time (by that time all documentation will be in place)?
-
Isn't that specified in the details of the contract that you are signing with the external vendor? I don't see how we could provide you with a specific answer. – Neil Smithline May 12 '16 at 19:11
-
What do you mean by "my exposure"? Are you the info sec person approving the solution? Are *you* comfortable approving something that isn't even implemented yet and has no controls in place? – schroeder May 12 '16 at 20:50
-
Controls are in place and I am comfortable with the implementation; the only concern is obstructing the business's availability because of a lack of documentation (actually a delay in posting it to the audited repository). – RIN May 13 '16 at 15:07
-
We're not here to do your job for you. Nobody here knows anywhere near enough detail about the context (your company, its policies, its agreements with the external vendor, etc.) to give you any sort of sensible answer. – Little Code Jun 12 '16 at 06:53
1 Answer
This is most definitely something that should be outlined in the contract between your company and the vendor. Is it not possible for you to contact the vendor and discuss the question you have asked here? Because unless someone here works for, and is a party to the specific contract, I wouldn't see how anyone here could really answer the question for you without knowing the terms of the agreement.
Yokai
-
Yes, the whole implementation is clearly outlined in the contract and is executed in accordance with it. The only missing part is the documentation from the implementation team, which is delayed. The business wants to sign the contract, and I am in the middle. I trust the team with the implementation and with the fact that documentation will be in place before going live. Should I vouch for them? What is my exposure? – RIN May 12 '16 at 19:32
-
This is one of the reasons I hope to avoid such positions as you are in. For myself, personally, I play it safe in such instances and would petition for a runbook or the SOP before committing. Contract law is nothing to dally with lightly in the enterprise world, and if you don't feel right about the lack of a runbook or SOP, I would make that known at least to my supervisor or someone else in the company with at least equal authority to you. I am always a fan of a second or third opinion, but I feel like we here, being absent of personal involvement, are at a help-wise disadvantage. – Yokai May 12 '16 at 19:50