
Offshore outsourcing is an emotive topic, and the security
and privacy risks specific to offshoring are often perceived
rather than real. Indeed, many companies have significant
challenges managing security requirements with third parties
regardless of location, writes Arabella Hallawell,
research vice-president at Gartner.
There are multiple reasons for these challenges. First, security
requirements are typically never detailed in contracts with third
parties. Security is often brought in only after the deal has been
negotiated, when requirements are difficult to add after the fact.
Other companies have gone to the opposite extreme and insisted on
draconian, and expensive, measures for offshore outsourcers because
of a perception of elevated risk. This often slows down the process,
and such companies still frequently fail to implement ongoing
assessments to verify that the security controls agreed to are
actually instituted.
While there can be country-specific security challenges,
typically related to the ability to conduct background checks,
the government's track record of intercepting data, or the IP
protection landscape, most of these, with the exception of
government interception, can be largely mitigated by additional
security controls at the provider or within the organisation.
Companies have a much better chance of protecting their business
by putting in place a well-defined, well-constructed process that
includes:
- Working with legal and procurement departments to ensure that
security requirements go into every contract before a deal is made,
and that security is involved in defining the security requirements
and selection criteria for providers.
- Ensuring budget is allocated for security diligence and ongoing
assessment of providers.
- Having a process that applies consistent controls to all
third parties, especially outsourcers, whether they are domestic or
offshore providers. If a particular destination is determined to
have elevated security risks via a defined country risk evaluation,
additional controls can be instituted either internally or via the
provider.
- Customising security requirements for the type of outsourcing
being conducted. For example, application security methodologies
and the use of third parties to test code before acceptance should
be emphasised in application development contracts, whereas employee
screening, training, monitoring and identity management procedures,
and how tools such as encryption and data-loss prevention (DLP) are
deployed, are more significant for business process outsourcing
(BPO) or IT operations outsourcing.