
In the film Meet the Parents, the character played by Robert De Niro unveiled his new invention, dubbed the nanny camera. It had a motion-activated camera positioned within a teddy bear that would record the babysitter for later viewing. This may be an excessive measure, but it provides the requisite level of assurance that critical assets are well looked after by the outsourcer, writes Raj Samani, vice-president of communications at ISSA's UK Chapter.
Herein lies the conundrum for security professionals: exactly how much assurance is required? The greater the assurance sought, the greater the internal resources required to manage the outsourcer. It is equally important not to lose sight of the key reason for using an outsourcer - cost.
Consider the nanny cam: although it introduces cost (as opposed to relying upon assurances from the outsourcer), it provides a level of auditing that can be used to assess the value of the service provided. Choosing which controls are used to monitor the outsourcer should always be the result of a risk assessment that considers the likely risks and manages them to an acceptable level.
There are a multitude of options in managing risk when using outsourcers and subcontractors. These range from simply relying on assurance statements and SLAs to comprehensive regular auditing. Deciding on the appropriate approach for the business is dependent on cost, legal obligations and, more importantly, risk appetite.
As data controller (and as defined in the seventh principle of the Data Protection Act) there is an expectation to "choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures".
Moving to outsourcers is a business decision, and with the economic challenges facing businesses, it is inevitable for many. Despite this inevitability, the security professional has to provide the same level of assurance as if the data were under lock and key within the company boundaries.
So defining the risk appetite and translating that into the level of assurance sought would be the first step in preparing for the change.
Read more expert advice from the Computer Weekly Security Think Tank.