While I’m still on an outsourcing kick, let me go through what I call the keys to the wonderful kingdom of outsourcing.

In true ISM-Community form, let me give you a “Top 10 Keys to Outsourcing” list.

1. Know Thyself:  Like the Oracle at Delphi, the most important thing you can do before outsourcing is to know where your weaknesses are and to sculpt the contract to your needs.  More on this subject.
2. Bottom Line up Front:  It works for newspaper editors, it can also for you.  Being as explicit with security categorization and must-have requirements as you can without defining the solution will allow the contractor to determine a solid security model and staffing to support the outsourcing effort.  More on this subject.
3. Use Compensating Controls:  You can’t control the vendor’s infrastructure, so use compensating controls where you have to sacrifice control for economy of scale.  More on this subject.
4. Retain Authority to Make Decisions:  This is why the contractor shouldn’t be the system owner.  If you lose the authority to make decisions, you will be “worked over” by the vendor.  More on this subject.
5. Understand the Added Complexity of Outsourcing:  Things sometimes get slower when you outsource them because there is the added layer of abstraction in the contracting officers.  More on this subject.
6. Have Requirements-Driven Roles and Responsibilities:  Start with what your security requirements, roles, and responsibilities and then divide them up between government and contractor.  More on this subject.
7. Tie into the Existing Security Organization:  Create a dotted line on the organization chart between your organization and the contractor’s.  More on this subject.
8. Get a Gap Analysis:  Bring in a third party to assess you for areas that need fixing, both pre-outsourcing and during outsourcing.  More on this subject.
9. Hedge Your Bets:  By having a minimum of one security representative on either side of the contracting fence, you have a parallel path other than through contracting officers.  More on this subject.
10. 2 Is Sometimes better than 1:  If you have IT services outsourced through one contractor, you can have a second contractor provide security support.  It sometimes adds more complexity at reducing conflict-of-interest.  More on this subject.
11. (The Freebie) It’s all About Transparency:  Be wary of vendors and contractors that withhold information.  In a partnership, you share information.  More on this subject.

• You Didn’t Outsource Your Responsibilities
• How Much Security Should the Outsourcer Do?
• Introduction to Outsourcing in the US Government
• What the Government Looks for in a Product
• Compensating Controls