Security Watch
Outsourcers Beware
Security and compliance should be weighed just as much as saved costs.
- By Roberta Bragg
- 11/08/2004
Outsourcing. Off-shoring. Right-sourcing. It goes by many names but it basically
means that the organization is contracting its work to other companies. Whether
the other companies are located down the street or across the world doesn't
matter. It represents a huge cultural shift in the way IT is done and it opens
up whole new areas of risk.
I have to ask you to put aside for a moment your conclusions about whether
IT outsourcing is good or bad. This is not simply an issue of IT jobs or reduced
cost. This is a global information security issue, and we all need to look at
outsourcing from an information security angle.
Many of you have spent the last decade growing your knowledge of information
security. Some, but not all, have learned that which is necessary to protect
your information and your information systems. Others have been forced to do
so by new legislation. You've implemented security programs, purchased devices,
restructured your networks, trained employees and locked down systems. When
you contract with companies to do work for you, do you ask if they have also?
- Do these companies have information security programs in place? Have
they built those programs on a generally accepted standard such as ISO
17799? ISO 17799 is derived from British Standard 7799 and is a code of
practice; formal certification is granted against its companion specification,
BS 7799-2, so ask whether the company holds that certification and what scope
the certificate covers. Or, have they had an SAS 70 audit? SAS 70 is the U.S.
auditing standard (AICPA Statement on Auditing Standards No. 70) for reporting
on the controls at a service organization, and it is well respected
internationally. Ask for the Type II report, which covers whether the controls
actually operated effectively over a period of time rather than merely whether
they were described at a point in time.
- Does their program match yours? Security is not just about fulfilling
legal requirements or matching some standard. Every company has its own needs.
If your policy requires two-factor authentication, is the other party willing
to implement it if they don't already have it? Is a PKI in place to support
encryption of communications and digital signatures that provide integrity
and non-repudiation? Are all communication lines secured and data protected in
transit? Is data protected at rest and while it is being processed? What about
employee security awareness training, IT security training and background checks?
- Do they keep their systems patched and up-to-date? In some countries
the use of pirated software is rampant. Will companies that use illegal copies
of software request or be able to obtain patches? Will they keep systems up
to date?
- If they handle financial information, patient data or employee information,
are they compliant with your country's laws? Your regulators generally cannot
enforce those laws directly against a contractor abroad, but they can hold you
responsible for ensuring the laws are upheld no matter where your data is kept
or processed. For example, the European Union's data protection directive
restricts transfers of personal data to countries that do not provide an
adequate level of protection. U.S. companies that must comply with HIPAA,
Sarbanes-Oxley and other regulations cannot escape their obligations by
outsourcing IT work.
- Are you thoroughly familiar with the laws of the other country that affect
IT operations? Those laws may force you to change the way you manage your
systems or limit what you can demand of the contractor, and they may offer
little support for your needs.
- Are business continuity and disaster recovery plans in place? What
would happen if a natural or man-made disaster were to occur? Are the outsourcer's
operations located in areas where these disasters are more likely to occur?
- Will the company you contract with subcontract to others? As business
grows, and as businesses attempt to comply with the security and professional
requirements placed on them, their costs will increase. As they continue to
do business, their access to educated, trustworthy employees may decrease.
How tempting will it be for them to subcontract to smaller companies, or to
companies in still other countries, that may not meet the stringent
requirements you have placed on them? Just where is your data today?
- What will happen should a successful attack occur? Will local authorities
cooperate in investigations? Will they seek, arrest and prosecute the perpetrators?
These few thoughts that I've offered do not encompass the entire sphere of
security questions that you must answer before subcontracting your IT operations
elsewhere and periodically during the outsourcing engagement. Since my personal
data may be in your IT data banks, I hope you are doing so.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.