Remember you are outsourcing process, not legal responsibility

Opinion


Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and the results are fed through to the contract stage (ie, research, RFI and RFP stages, selection and contract negotiation stages).

There should be regular independent audits of the vendor's processes, including HR/staff vetting. The audit process and frequency should be defined by a schedule attached to the contract to allow for updating during the contract period.

The customer must realise that they cannot outsource their responsibility (legal, industry, etc), only the execution, and that therefore they will need to keep in-house sufficient skills to understand what has been outsourced so that they may effectively manage the vendor.

If this is wrapped up in an effective contract (with regular inspection/audit), then outsourcing and offshoring should be no more risky than running systems in-house. Indeed, it might be less risky to the business because the outsourcer/offshorer has a better trained and broader skill base of staff and a better maintained infrastructure.

Peter Wenham is a committee member of the BCS Security Forum Strategic Panel and director of information assurance consultancy Trusted Management.


This was first published in June 2009

 
