My blog has been unattended for a couple of days as I returned from some overseas travels and have been playing catch-up on home and work life. One of the subjects that came up whilst away was offshore vendor security.
Offshore vendors are used for an ever increasing variety of work. One of my roles is to evaluate the risk associated with using a particular vendor. It’s something I wish I was doing more of because my visits to India and other places east are full of friendly hosts and excellent food. In one particular Mumbai restaurant, Miss World was sitting a couple of tables away. She must have known that I was in town although was obviously too shy to come over and say hello…
Besides the hospitality, the onsite visits provide an opportunity to dispel any prejudgements that might have been made with regards to how operations might be organised within a particular location. Without exception, my experiences to date have been very positive, but we need to be clear about something: when we outsource the one thing we do not do is outsource the liability for security. We still have to perform due diligence work to ensure that risks are being adequately mitigated.
There are a number of elements that we focus on, dependent to some degree on the sort of work being performed. The one place that we usually start is by making an assessment of the vendor based upon our own standards. If the vendor can meet the same trust levels as one of our own business units in terms of infrastructure and asset management, then that’s a good indication of them being an acceptable partner for us to have a level of trust in.
However, one of the things I want to draw attention to is that the onus for delivery and the security around it is not completely down to the vendor. When looking at outsourcing I also tend to look inwardly at the business unit making use of the services. There are a few questions I’ll be asking – for instance the degree to which the SLA takes security into account and the extent to which deliverables are reconciled against the SLA. In the case of software development it’s also good practice to review deliverables.
It’s that final point that often causes me the most frustration because while a business group might state that deliverables are reviewed I am likely to find that the requirements originally given to the vendor lack enough detail for a thorough post-delivery review to be completely successful: because if requirements were lacking then how can a full review be performed!?
Anyway, that’s a theme I’m sure I’ll come back to. In the meanwhile, here are a couple of good blogs dedicated to outsourcing that you might find interesting.