Intuitively, the belief is that security risks are raised when outsourcing or offshoring. But, if you analyse it, I doubt that there is any real increase in risk, providing the vendor selection process is conducted properly and its results are fed through to the contract stage (i.e. the research, RFI and RFP stages, followed by the selection and contract negotiation stages).
There should be regular independent audits of the vendor's processes, including HR/staff vetting. The audit process and frequency should be defined by a schedule attached to the contract, so that they can be updated during the contract period.
The customer must realise that they cannot outsource their responsibility (legal, industry, etc), only the execution, and that they will therefore need to keep sufficient skills in-house to understand what has been outsourced, so that they can manage the vendor effectively.
If this is wrapped up in an effective contract (with regular inspection/audit), then outsourcing and offshoring should be no more risky than running systems in-house. Indeed, it might be less risky to the business because the outsourcer/offshorer has a better trained and broader skill base of staff and a better maintained infrastructure.
This was first published in June 2009