Retain control of Security (even in the wake of an IT Outsource)

Outsourcing Information Technology (IT) was once thought to be an exception; now it is considered the norm. Many enterprises would rather move away from the expensive and complex tasks of IT systems management to focus on aspects of the business they are expected to be good at - manage the core business. Many business-critical applications operate on IT systems that are outsourced, and the security of these systems is often paramount to the successful running of the Enterprise. How can the Enterprise evaluate the security posture of outsourced IT? In this paper I attempt to deal with the real issue of 'How can the Enterprise retain control of the security of its business-critical information systems whilst it is in the hands of a third party?' The paper discusses actual problems encountered and two real solutions that were deployed. It gives examples of the tools used, policies that were implemented and so on. More importantly, the paper serves as a methodology for dealing with any outsource where security is of concern.