For firms and organisations embracing offshoring and outsourcing, the challenges of data privacy and data protection are real, writes Alessandro Moretti, co-chair (ISC)² European Advisory Board.
For professionals working in multinational organisations, the topics of cross-border data movement and data protection zones are not new. With offshoring and outsourcing, however, it is more likely that data is made accessible to third-party vendors or to other combined legal entities (such as captives). For this reason, the involvement of legal professionals is paramount to understanding the processing and disclosure principles and policy.
Once data disclosure rules have been defined, the information security professional will assess and design controls to ensure the principles of least privilege and appropriateness are applied.
For day-to-day operations, there are two main approaches to security control. The first puts the emphasis on the control environment of the vendor or service provider. It allows your organisation to copy electronic information to the vendor, but doing so increases the supervision requirements and, ultimately, the long-term cost of sustaining the risk management process.
The second approach extends your IT environment to the vendor, with control maintained by your firm or organisation. This simplifies supervision and audit, is sustainable, and allows existing electronic cross-border controls to be applied. However, this option brings further challenges in setting up desktop virtualisation and in the increased supervision of user end-point physical security.
Depending on economic and strategic factors, your firm or organisation may run a mixed mode of the two approaches, with several flavours of technological implementation. Herein lies the challenge for the IT security professional tasked with assessing risk and ensuring the controls are sustainable.
For greenfield projects, simplification is key to ensuring the longevity and sustainability of controls. Organisations with a complex mix of environments and vendors must simplify, centralise and deploy "edge" solutions according to the agreed data disclosure rules, upholding the well-rehearsed mantras of "need to know" and "least privilege" and delivering sensitive data at the very last minute in the process.
Such programmes may increase the complexity of the environment, and can also increase the burden of supervision, but they should not increase information security risk. Rather, basic control principles apply. Fundamental issues, however, need senior management involvement and collaboration with stakeholders, including legal and IT.
The problem should be broken down into manageable components that are outlined in both the IT and the business strategy, while the associated investment in security supervisory requirements should be anticipated in any business case proposed for offshoring and outsourcing.