Remember you are outsourcing process, not legal responsibility

Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and the results are fed through to the contract stage (i.e., the research, RFI and RFP stages, followed by the selection and contract negotiation stages).

There should be regular independent audits of the vendor's processes, including HR/staff vetting. The audit process and frequency should be defined in a schedule attached to the contract, so that they can be updated during the contract period without renegotiating the contract itself.

The customer must realise that they cannot outsource their responsibility (legal, industry, etc.), only the execution, and that they will therefore need to keep sufficient skills in-house to understand what has been outsourced, so that they can effectively manage the vendor.

If this is wrapped up in an effective contract (with regular inspection/audit), then outsourcing and offshoring should be no more risky than running systems in-house. Indeed, it might be less risky to the business because the outsourcer/offshorer has a better trained and broader skill base of staff and a better maintained infrastructure.

Peter Wenham is a committee member of the BCS Security Forum Strategic Panel and director of information assurance consultancy Trusted Management.

This was first published in June 2009