
Outsourcing and offshoring have been part of the business toolset for some time. The security risks associated with outsourcing and offshoring should now be well understood and easy to mitigate. Indeed, the Information Security Forum Benchmark Survey consistently shows outsourcing to be an area of strength in security controls. So, time to relax then?

Hardly. Outsourcing and offshoring risk assessment and mitigation are areas of strength because we understand that the risks, when information is processed by a remote third party, are different. They might be higher, and they could be lower - in both cases outsourcing and offshoring demand, and usually get, our attention.

But as we move into a brand new world of uncertainty, the business pressures change. Previously marginal benefits from outsourcing may now look positively attractive to an organisation seeking to conserve cash. New variations of outsourcing - such as cloud computing - may sound attractive and be a compelling business proposition. And the business wants to act now.

And there lies the problem. Consistently, the biggest information security problem associated with outsourcing has been being late to the party: finding out about the outsourcing deal after it has been signed, not being invited to participate in the vendor assessment process, and realising that security was not part of the deal.

Outsourcing deals tend to be long term, and managing security in a long-term outsourcing relationship is a specialised skill involving contract management, service monitoring and establishing working relationships. In addition to acquiring these (sometimes) new skills, information security professionals can find it harder to understand the security status of an outsourced operation.

It is often difficult enough to identify security metrics that the business understands, to conduct a covert investigation, or to ensure that everything is patched when the IT operation is in house. If it is run by a different company, with the servers on the other side of the world (and it may be that you don't actually know where they are), then the day job can be much harder.

So what to do? Understand that security in an outsourced operation requires specialist skills; understand the criticality of the systems that are being outsourced; and understand how security works in a shared environment. Be assured of the ability of the outsourcer to recover your systems from a disaster, and know how you would maintain service if your outsourced service terminates early or unexpectedly.

But above all, get to the party early and avoid the hangover.
Andy Jones is principal research consultant at the Information Security Forum.