This tip is excerpted from Outsourcing Information Security, written by C. Warren Axelrod and published by Artech House Publishers. Download Chapter 4, Risks of Outsourcing or learn more about the book.

---

One of the main reasons to outsource is the expectation of receiving better service from the outsourcer than from internal staff. This expectation is often based on the knowledge that there will be an explicit SLA in place, which can be enforced by the customer and which might bear remedies against the outsourcer for nonperformance. While companies are increasingly establishing SLAs for internal providers, they are often harder to enforce since everyone is a member of the family.

If an outsourcer loses a customer because of poor service, it is much less excusable. Of course, the perception of poor service could be misguided, or service expectations may not have been realistic in the first place. However, SLAs between customer and provider generally specify what constitutes acceptable service and what does not. Therefore, a base set of metrics exists against which to measure performance. The SLA is discussed in greater detail in Chapter 6.

There is a strong argument that the measures in an SLA may not adequately depict the perceived service. In an article by Jiang et al., quality measures are categorized into tangibles, reliability, responsiveness, assurance and empathy items [5]. Some items are typical of those included in a SLA, whereas others are not. The quality measures include the following categories.

Tangibles

In tangibles:

• The service provider has up-to-date hardware and software.
• Physical facilities are visually appealing.
• Employees are well dressed and neat in appearance.
• Appearance of the physical facilities of the information systems unit is in keeping with the kind of services provided.

Reliability

In reliability:

• When outsourcer promises to do something by a certain time, it does so.
• The outsourcer provides services at the times promised.
• The customer insists on error-free records, and the outsourcer agrees.
• When users have a problem, the outsourcer's information systems units show sincere interest in solving it.
• The outsourcer's information systems units are dependable.

Responsiveness

In responsiveness:

• The outsourcer tells customers' users exactly when services will be performed.
• The outsourcer's employees give prompt service to users.
• The outsourcer's employees are always willing to help users.
• The outsourcer's employees are never too busy to respond to users' requests.

Assurance

In assurance:

• Behavior of the outsourcer's employees instills confidence in users.
• Users feel safe in their transactions with the outsourcer's information systems units' employees.
• The outsourcer's employees are consistently courteous with users.
• The outsourcer's employees have the knowledge to do their jobs well.

Empathy

In empathy:

• The outsourcer's operational hours are convenient for all their users.
• The outsourcer gives users individual attention.
• The outsourcer's technical units have employees who give users personal attention.
• The outsourcer has the users' best interests at heart.
• The outsourcer understands the specific needs of users.

---

MORE INFORMATION:

• Learn about the risks of outsourcing in Chapter 4 of Outsourcing Information Security.
• Read a review of Outsourcing Information Security.
• Here is a list of factors to consider before jumping on the outsourcing bandwagon.
• Malware guru Ed Skoudis outlines the pros and cons of outsourcing AV services.

09 Mar 2005