In the film Meet the Parents, the character played by Robert De Niro unveiled his new invention dubbed the nanny camera. It had a motion-activated camera positioned within a teddy bear that would record the babysitter for later viewing. This may be an excessive measure, but it provides the requisite level of assurance that critical assets are well looked after by the outsourcer, writes Raj Samani, vice-president of communications at ISSA's UK Chapter.
Herein lies the conundrum for security professionals: exactly how much assurance is required? The greater the assurance sought, the greater the internal resources required to manage the outsourcer. It is equally important not to lose sight of the key reason for using an outsourcer - cost.
Consider the nanny cam: although it introduces cost (as opposed to relying upon assurances from the outsourcer), it provides a level of auditing that can be used to assess the value of the service provided. Choosing which controls are used to monitor the outsourcer should always be the result of a risk assessment that considers the likely risks and manages them to an acceptable level.
There are a multitude of options for managing risk when using outsourcers and subcontractors. These range from simply relying on assurance statements and SLAs to comprehensive, regular auditing. Deciding on the appropriate approach for the business depends on cost, legal obligations and, more importantly, risk appetite.
As data controller (and as defined in the seventh principle of the Data Protection Act) there is an expectation to "choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures".
Moving to outsourcers is a business decision, and with the economic challenges facing businesses, it is inevitable for many. Despite this inevitability, the security professional has to provide the same level of assurance as if the data were under lock and key within the company boundaries.
So defining the risk appetite, and translating that into the level of assurance sought, is the first step in preparing for the change.