For some time, many large corporates have been offshoring - outsourcing part of their IT service to overseas contractors - and smaller companies have followed suit. But how do you ensure that your company's data remains secure? writes Michael Pike CISSP.
Some suppliers are so keen to win business that they sometimes go overboard with security controls. One company I visited in Chennai, India had several armed guards with rifles outside the main entrance. As you can appreciate, I was rather worried about this, as I assumed that it was a proportional response to some kind of threat. However, an independent expert assured me that there were no security threats in the area. It later emerged that one of the supplier's biggest customers was worried about overseas terrorism, and the armed guards were introduced to retain their business.
On that visit to Chennai, it was actually an automatic door closer that was the weakest link. Because it wasn't working, it was possible to get into an area of the building that processed confidential data without using an access card. The guards with guns outside the building, although very noticeable, were largely irrelevant.
Issues like a faulty door can happen anywhere in the world, and can only be found with a visit to the supplier's premises. Yet because offshoring is often done to save money, some companies can be reluctant to fly staff out on a regular basis to conduct audits. But it is really the only way to perform due diligence.
Enforcing your company's IT security policy and outsourcing policy, and all the processes around this, are key here. Information security requirements should be much the same, regardless of the supplier's location, although you will need to make allowances for overseas laws and customs.
If your company relies on a contract that allows spot checks to be conducted on suppliers with little or no notice, remember that it may be largely irrelevant overseas. Some countries will only issue an entry visa if you have a supporting letter from the supplier you are visiting. Instead, you may have to rely on working closely with the supplier to spot the early signs of things going wrong between scheduled audits.
If your supplier has an ISO 27001 (Information Security Management System) certificate that will cover most or all of your offshored service, this is a good sign. Because ISO 27001 is a global standard, the supplier will have met the same criteria as a company back home. Consequently, if the scope of certification seems too narrow, or if some of the supplier's buildings aren't included, ask why. Don't assume it is due to differences in certification around the world - there shouldn't be any.
Similarly, the supplier's security controls should be robust, and any shortcomings (perhaps due to limitations of local infrastructure or expertise) should be formally accepted by your senior management.
Hopefully, you can now see that due diligence and a close relationship with your supplier are equally important whether the supplier is at home or overseas. There may be subtle differences due to geographical or cultural reasons, but in the main, the only way to gain assurance is through tried and trusted methods - such as the supplier audit.
Michael Pike, CISSP GSNA MBCS, is an information security consultant who advises on infrastructure security and third-party risk and manages security audits.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².