
Minimize outsourcing risks: Best practices in security


What you will learn from this tip: How to identify and mitigate the top 5 offshore outsourcing risks.

Offshore outsourcing can cut costs, but if you fail to analyze a vendor's track record, as well as its certifications, methodologies and security procedures, it'll cost you more than money in the long run.

In the case of outsourcing private data, a major concern is the current lack of international standards with regard to security laws. The viability of any approach therefore depends largely on the security measures vendors take with respect to their systems, business practices and data infrastructure. Without these in place, the business value of outsourcing could be lost, and much more could be damaged.

Large companies need to ensure that the vendors they select have extensive experience engaging companies of their size and associated IT scope. For instance, can they support their enterprise applications? This on its own does not qualify the vendor's security capability, but it leads to the bigger question of checking the provider's pre-production experience. Have they worked closely with product development companies and tools vendors by providing them with development, validation, testing and maintenance support services? Another key consideration is the protection of intellectual property.

Outsourcing Risks

The predominant theory among world regulators, policymakers and providers is that when something is outsourced, the outsourcing company still:

  • Owns it
  • Is responsible for managing it
  • Needs to control it

Over the last year, a number of issues have surfaced regarding security breaches, software development and service quality.

The risk analysis methodology followed by many offshore providers does not vary significantly; however, there are huge differences when it comes to providing results and measuring the controls in place. Most top-tier companies should provide measurements based on certifications like BS 7799 or SAS 70. To date, these appear to be the most acceptable standards for U.S. and European companies, depending on the industry vertical they belong to.

The most important thing to recognize is that any model is a continuous process that management should annually undertake to ensure that the system of controls maintains its integrity.

The top 5 identified risks include:

  • Total dependence/exit barriers – this refers to the complete reliance that an organization has on an outsourcing firm and the problems that arise when the outsourcing relationship ends.
  • Physical IS security – which pertains to the control over physical security that an organization relinquishes once its systems are handed over to an outsourcing firm: physical access to and location of systems, and the frequency and location of system backups.
  • Legal consequences – which involve the potential lack of a fiduciary relationship between the organization and the outsourcing firm and the increase in liability that may arise during the creation of an outsourcing relationship.
  • Logical IS security/confidentiality/privacy – that takes into account the loss of confidentiality and privacy an organization experiences when it hires an outsourcing firm.
  • Human resource issues – which result from changes in employee skill sets an organization experiences when it chooses to outsource.

Most outsourcing organizations have proven methodologies and processes to mitigate these risks. CMM and ISO, for instance, have become de facto standards that protect the confidentiality, integrity and availability of information or data. This requires a robust yet flexible framework which can provide evidence of tolerable controls if threats result in actionable events.

Physical access control, 24x7x365 manual security, and network and data access control are other measures that ensure security. Infrastructure and data centers should be audited and certified for BS 7799 (ISO 17799). Additionally, vendors should have adopted the comprehensive Information Security Management System (ISMS) framework to effectively manage, protect, monitor and supervise information security. The ISMS framework is also a useful basis for assessing a vendor's security capability and the measures it has put in place regarding physical access.

Typically, this involves the physical security at the entrance of a facility and inside the data center. Common measures include using security guards to monitor and manage visitor and employee access, instituting a formal identification process for visitors, maintaining a log of all magnetic media (including laptops and their serial numbers) brought into the facility, and requiring photo IDs for all vendor employees as well as third-party contractors. Security-conscious vendors routinely carry out audits of contract personnel, specifically covering their access privileges and project work. This security infrastructure ensures that all vendor employees, external contractors and third-party personnel adhere to these security policies.

To date, there is no standard global security legislation for private data outsourcing in place. As such, it becomes more critical not only to review a vendor's credentials, but to thoroughly research and consider its security capabilities.

About the author

Satish Joshi is Executive Vice-President at Patni. His responsibilities include internal MIS, global DRP & BCP facilities and communications. In addition, Satish supervises the Enterprise Application Integration, Japan, and eBusiness business units.
