In the ever-changing world of technology, outsourcing is big business. As organisations face the challenge of meeting the increasing demands of customers, alongside the limited resources within the current market, many have chosen outsourcing as one of their key organisational strategies.
Today, organisations large and small are continuing to outsource everything from back-office functions, to the hosting of infrastructure, to systems development, driven further by the increase in cloud-based solutions.
An organisation can outsource its operations, but ultimately accountability cannot be outsourced.
In technology, the most common and serious risks associated with outsourcing are those that affect operations and transactions, the confidentiality of information, business continuity and regulatory compliance. For example, businesses that regularly outsource their IT operations, rather than build an in-house team to take care of all technological issues, could be putting themselves at greater risk if cyber security standards are not uniformly upheld by all contractors.
Security considerations in outsourcing contracts
As more and more businesses migrate to the cloud, the need for stricter security measures becomes even more pressing, as any leaks or hacks could potentially put vast amounts of data into the hands of cyber criminals. It is for this reason that organisations must insist on more diligent safety measures from those suppliers which are given access to their network.
Apart from realising the tangible and intangible benefits to be gained through outsourcing, organisations need to become more wary of the security procedures outsourcing suppliers have for the protection of sensitive and personal information. When any IT operation of an organisation is contracted out, the external service provider (or the outsourcing supplier) effectively becomes an “insider”, handling sensitive and important information for the company.
When an information system is outsourced to one or more third-party service providers, proper security management processes must be in place to protect data, as well as to mitigate any security risks associated with the outsourced IT project and/or service. Upfront and detailed due diligence and clear contractual arrangements are key. The following areas should be considered:
Define the requirements
When preparing an outsourcing service contract, the organisation should clearly define the security requirements of the information systems to be outsourced, such as how all personal and sensitive data should be handled throughout the contract. These requirements should form the basis of the tendering process and become an integral part of performance metrics.
The outsourcing contract should include requirements for all of the staff of third-party service providers and suppliers must sign a non-disclosure agreement to protect sensitive data in the systems.
The contract should also include a set of service level agreements (SLAs) to define the expected performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. In addition to defining SLAs, the contract should include an escalation process for problem resolution and incident response so that incidents can be handled according to a pre-defined process to minimise any impact on the organisation.
When engaging IT service providers, an organisation should ensure that the supplier employs adequate security controls in accordance with their own organisational IT security policies, wider regulatory requirements or other industry best practices.
The security control compliance of service providers and users should be monitored and reviewed actively and periodically. The organisation must reserve the "right to audit" responsibilities defined in the service level agreement, and have those audits carried out by an independent third party.
The organisation should ensure the adequacy of contingency plans and backup processes provided by the service provider.
The security roles and responsibilities of the service provider, internal staff and users pertaining to the outsourced information system should be clearly defined and documented.
It is essential to ensure that all data to be handled by the outsourcing party is clearly and properly classified, and security privileges for access should only be assigned on an as-needed basis, for the performance of their work or the discharging of contractual obligations.
If the outsourcing service involves hosting information systems at a third-party datacentre, an onsite visit to assess the security environment of the hosting company should be conducted before making any final decision to outsource.
If customer data or other sensitive information is to be transferred to servers owned by a service provider, a security risk assessment covering the physical and logical security controls at the premises hosting the servers should be conducted before sensitive data is released to the service provider. The service provider should set up an isolated environment to segregate the organisation’s data from that of other clients. When the servers involved are based in another country, the impact due to different jurisdictions should also be assessed.
The business environment is dynamic and ever-changing, and so is technology. The technology used for security controls, as well as for controlling roles and responsibilities, might change over time. Regular reviews of the security operation and corresponding access controls should be conducted.
The running and monitoring of outsourcing arrangements is not easy. Any failure in IT governance can have a substantial effect on business.
While the services provided by an outsourcing supplier may be beneficial and cost-effective, proper security management processes and procedures must be in place to protect sensitive data and customer privacy in outsourced IT projects or service.
An organisation can outsource its operations, but ultimately accountability cannot be outsourced.
Sheila Pancholi is partner, risk management, at professional services firm RSM Tenon and leads the Technology Risk Services practice across the UK and Europe.
