Security Watch

Outsourcers Beware

Security and compliance should be weighed just as much as saved costs.

Outsourcing. Off-shoring. Right-sourcing. It goes by many names but it basically means that the organization is contracting its work to other companies. Whether the other companies are located down the street or across the world doesn't matter. It represents a huge cultural shift in the way IT is done and it opens up whole new areas of risk.

I have to ask you to put aside for a moment your conclusions about whether IT outsourcing is good or bad. This is not simply an issue of IT jobs or reduced cost. This is a global information security issue, and we all need to look at outsourcing from an information security angle.

Many of you have spent the last decade growing your knowledge of information security. Some, but not all, have learned what is necessary to protect your information and your information systems. Others have been forced to do so by new legislation. You've implemented security programs, purchased devices, restructured your networks, trained employees and locked down systems. When you contract with companies to do work for you, do you ask whether they have done the same?

- Do these companies have information security programs in place? Have they implemented programs based on generally accepted standards such as ISO 17799? ISO 17799 is based on the British Standard 7799 and a company can be audited for compliance with it. Is the company so certified? Or, have they had an SAS 70 audit? SAS 70 is a U.S. standard for auditing that is well respected internationally.

- Does their program match yours? Security is not just about fulfilling legal requirements or matching some standard. Every company has its own needs. If your policy requires two-factor authentication, is the other willing to implement it if they don't have it? Is a PKI infrastructure in place to support encryption of communications and digital signatures to guarantee non-repudiation and integrity? Are all communication lines secured and data secured in transit? Is stored and active data protected? What about employee security awareness training, IT security training and background checks?

- Do they keep their systems patched and up-to-date? In some countries the use of pirated software is rampant. Will companies that use illegal copies of software request or be able to obtain patches? Will they keep systems up to date?

- If they handle financial information, patient data, or employee information are they compliant with your country's laws? While one country's laws cannot be enforced in another country, your country can require you to ensure that its laws are upheld no matter where your data is kept or processed. For example, European Union privacy laws require that work cannot be outsourced to other countries if the same protection cannot be guaranteed. U.S. companies that must be compliant with HIPAA, Sarbanes-Oxley and other regulation cannot escape their obligations by outsourcing IT work.

- Are you thoroughly familiar with the other country's laws that impact IT operations? They may require you to adjust the way that you manage your systems or the demands you place on the contractor, or they may provide little support for your needs.

- Are business continuity and disaster recovery plans in place? What would happen if a natural or man-made disaster were to occur? Are the outsourcer's operations located in areas where these disasters are more likely to occur?

- Will the company you contract with subcontract with others? As business grows, and as businesses attempt to comply with the security and professional requirements and demands placed on them, their costs will increase. As they continue to do business, perhaps their access to educated, trustworthy employees will decrease. How tempting will it be for them to subcontract to smaller companies, and/or to companies in still other countries who may not meet the stringent requirements you have placed on them? Just where is your data today?

- What will happen should a successful attack occur? Will local authorities cooperate in investigations? Will they seek, arrest and prosecute the perpetrators?

These few thoughts that I've offered do not encompass the entire sphere of security questions that you must answer before subcontracting your IT operations elsewhere and periodically during the outsourcing engagement. Since my personal data may be in your IT data banks, I hope you are doing so.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
