260 Chapter 7 · Perilous Outsorcery Key Concepts: Outsourcing AV Services and Risk Management We start here by assuming you have been informed of a formal contract being signed between a managed services company (and service provider) and your "normal" business; that is, one that is not itself a managed services provider. We assume that the business has selected that service provider in the course of a service procurement project, after carefully analyzing the responses to a Request for Proposal. We also assume that this contract declares, among many other things, the commitment of both companies "to undertake to fulfill as much as possible of a list of AV activities together, starting on [a specific date]." We assume that a legally binding contract has been signed by senior management, and that it has been agreed which security staff at both companies will be working, for a predefined period, to implement any needed changes. We also assume that it is known which staff are to be transferred from the company to the AV service provider at the formal start of the service, so as to manage the AV infrastructure and processes as described in the contract. What triggered the "desire to outsource" is not particularly relevant to this topic. In most implementations of managed security services, AV is just one of the many domains owned by senior management (unless, perhaps, they work for an AV company) and may even, in many cases, be an implicit infrastructural component of IT services rather than being specifically addressed in the contract. No matter what your work in