Vendor Management: Services are Invisible - Until They Don't Work
ThePlanet, an ISP based in Texas, suffered a small explosion on May 31, knocking out a large number of hosted websites. According to the Houston Chronicle, "about 7,500 customers were impacted by the fire at ThePlanet's facility. By Sunday, a few thousand customers remained without service. The company was told not to use its backup generators because of fire safety issues, officials said." Upon reading this story, I immediately thought of the community banks and credit unions I work with, the majority of whom use hosted solutions for their external-facing websites. What would an outage such as ThePlanet's mean to them?
For starters, it would render their internet banking capabilities unavailable. While most of these services are hosted by other third-party vendors, that fact is largely invisible to the customer/member. They only know that they go to their institution's website, click on a link and access the desired service. For all intents and purposes, when the institution's website is unavailable, these services are unavailable. Consider what some of these features are:
Now try to imagine what the impact would be when a customer/member tries to access the website because they have a pressing financial matter to address and they can't!
Most of my clients don't extend their vendor management programs to assess how such an outage would be addressed. And because most disaster recovery/business continuity plans only cover internal scenarios, it wouldn't be addressed there either.
Coincidentally, I was asked last evening by the Managing Partner of my firm what the three highest-risk topics I'm seeing on my recent engagements were, and I replied:
Based on ThePlanet outage, it's not hard to understand why.
As for PCI, check back in a few days and I'll explain why you should keep an eye on where the standard is going.