
For firms and organisations embracing offshoring and outsourcing, the challenges of data privacy and data protection are real, writes Alessandro Moretti, co-chair of the (ISC)² European Advisory Board.

For professionals working in multinational organisations, the topic of cross-border data movement and data protection zones is not new. However, with offshoring and outsourcing it is more likely that data is made accessible to third-party vendors or to other affiliated legal entities (such as captives). For this reason, the involvement of legal professionals is paramount in understanding the processing and disclosure principles and policy.

Once the data disclosure rules have been defined, the information security professional will assess and design controls to ensure that the principles of least privilege and appropriateness are applied.

For day-to-day operations, there are two main approaches to security control. The first puts the emphasis on the control environment of the vendor or service provider. It allows your organisation to copy electronic information to the vendor, but doing so increases the supervision requirements and, ultimately, the long-term cost of sustaining the risk management process.

The second approach extends your IT environment to the vendor, with control retained by your firm or organisation. This simplifies supervision and audit, is sustainable, and allows existing electronic cross-border controls to be applied. However, this option brings further challenges in setting up desktop virtualisation and in increasing supervision of user end-point physical security.

Depending on economic and strategic factors, your firm or organisation may operate a mixed mode of the two approaches, with several flavours of technological implementation. Herein lies the challenge for the IT security professional, who is tasked with assessing risk and ensuring the controls are sustainable.

For greenfield projects, simplification is key to ensuring the longevity and sustainability of controls. Organisations with a complex mix of environments and vendors must simplify, centralise and deploy "edge" solutions according to the agreed data disclosure rules, uphold the well-rehearsed mantras of "need to know" and "least privilege", and deliver sensitive data at the very last minute in the process.

Such programmes may increase the complexity of the environment, and can also increase the burden of supervision, but they should not increase information security risk. Rather, basic control principles apply. However, the fundamental issues need senior management involvement and collaboration with stakeholders, including legal and IT.

The problem should be broken down into manageable components that are outlined in both the IT and business strategy, while the associated investment in security supervisory requirements should be anticipated in any business case proposed for offshoring and outsourcing.