
Intuitively, the belief is that security risks are raised
when outsourcing or offshoring. But, if you analyse it, I doubt
that there is any real increase in risk, provided the vendor
selection process is conducted properly and the results are fed
through to the contract stage (i.e. the research, RFI and RFP stages,
then the selection and contract negotiation stages).
There should be regular independent audits of the vendor's
processes, including HR/staff vetting. The audit process and
frequency should be defined by a schedule attached to the contract,
so that it can be updated during the contract period.
The customer must realise that they cannot outsource their
responsibility (legal, industry, etc.), only the execution, and that
they will therefore need to keep sufficient skills in house to
understand what has been outsourced so that they can effectively
manage the vendor.
If this is wrapped up in an effective contract (with regular
inspection/audit), then outsourcing and offshoring should be no
more risky than running systems in-house. Indeed, it might be less
risky to the business because the outsourcer/offshorer has a better
trained and broader skill base of staff and a better maintained
infrastructure.
Peter Wenham is a committee member of the BCS
Security Forum Strategic Panel and director of
information assurance consultancy Trusted
Management.