Security and Outsourcing: Negotiate Early

By John Wagley

As a growing number of U.S. companies outsource software development and data-handling functions to service providers in other countries, data protection has gained prominence. There are two concerns: that hidden "backdoors" could be inserted in code for later use, and that personal financial data could be stolen.

A report by the Center for Strategic and International Studies (CSIS) addresses the first point, noting that "Some intelligence analysts believe that software offers one of the best mechanisms for technical intelligence collection by a range of adversaries." One recommendation: Government and industry should develop a formal process to coordinate risk assessments.

Companies may not yet be focused on the potential for backdoors, but they are well aware of the second risk—that personal client or staff data could be compromised when it is handed over to third-party service providers for processing. Businesses ranked data security second in importance out of 12 outsource-related factors, just behind "service quality" and directly ahead of "operational efficiency" and "loss of managerial control," according to a recent study by Duke University and Booz Allen Hamilton (BAH).

Largely due to some high-profile security breaches, data security concerns have increased since the first study was conducted in 2004, says Matt Mani, one of the study's authors and a BAH senior associate.

While the issue is now top of mind, companies don't always know how to address it. One mistake many companies make is to select an overseas outsource provider before establishing how that provider will address data-handling security, according to a presentation on global outsourcing by Arabella Hallawell, a research vice president with Gartner Inc.

That practice costs companies much of the leverage they would have had if security had been negotiated during the contract bidding process. It is also important to involve security personnel early and to put incentives in place, Hallawell explained during the presentation, because the company will need the provider's cooperation to implement any security protocols.

While companies should require providers to hold security certifications, such as ISO 27001 or its predecessor BS 7799 Part 2, across all relevant data center locations, such credentials are only a start, Hallawell told Security Management.

"They can be a good proxy for showing [that] a provider has made some investment in making a sophisticated control network. But they're not very granular in terms of what companies need," she says.

Most important, companies should make security one of the criteria that are evaluated in the search process. During the selection and negotiation phase, companies should discuss issues such as receiving regular security reports and the speed of notification after a potential breach.

Security assessments should also be discussed. "Customers should have the ability to conduct their own security assessments or to use a third party, at least annually," says Hallawell.

Policies on employee screening practices and background checks should be negotiated, as should security training. Gartner recommends that 50 percent to 75 percent of security staff hold a security certification.

Companies also may want to augment their controls with tools and technology, says Hallawell. "You may want to monitor or restrict certain kinds of access. Or you might want to monitor your traffic carefully, to ensure trade secrets don't go out the door."
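One concrete form that "monitor your traffic carefully" can take is an egress check over the proxy logs for provider staff accounts. The script below is an added illustration, not code from the article, Gartner or any provider: it assumes a constructed five-field log line format, hypothetical account names with a `vendor_` prefix, a hypothetical allowlist of approved destination hosts and a 50 MiB per-request upload ceiling, and it flags uploads by provider accounts that leave the allowlist or exceed the ceiling while skipping malformed lines rather than failing on them.

```python
"""Egress monitoring over outbound proxy log lines (added example).

The log format, account names, allowlist and threshold below are
constructed assumptions for illustration, not a real proxy's format
or any provider's actual policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: "<timestamp> <account> <method> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z vendor_alice POST sftp.approved-partner.example 20480
2024-05-01T09:13:10Z vendor_bob POST files.unknown-host.example 5242880
2024-05-01T09:14:22Z staff_carol GET www.intranet.example 512
2024-05-01T09:15:40Z vendor_bob POST sftp.approved-partner.example 104857600
2024-05-01T09:16:01Z vendor_dave PUT paste.example 1024
garbage line that does not match the format
"""

# Hypothetical policy values of the kind a contract would fix in writing.
APPROVED_HOSTS = frozenset({"sftp.approved-partner.example", "www.intranet.example"})
VENDOR_ACCOUNT_PREFIX = "vendor_"        # accounts issued to provider staff
UPLOAD_METHODS = frozenset({"POST", "PUT"})
MAX_UPLOAD_BYTES = 50 * 1024 * 1024      # 50 MiB per request

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Record:
    timestamp: str
    account: str
    method: str
    host: str
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    host: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, account, method, host, size = m.groups()
    return Record(ts, account, method, host, int(size))


def evaluate(rec: Record) -> List[str]:
    """Policy checks for one record; an empty list means no finding."""
    reasons: List[str] = []
    if not rec.account.startswith(VENDOR_ACCOUNT_PREFIX):
        return reasons                   # only provider accounts are in scope here
    if rec.method not in UPLOAD_METHODS:
        return reasons                   # downloads are not what this check is for
    if rec.host not in APPROVED_HOSTS:
        reasons.append("upload to host outside approved allowlist")
    if rec.bytes_out > MAX_UPLOAD_BYTES:
        reasons.append(f"upload of {rec.bytes_out} bytes exceeds {MAX_UPLOAD_BYTES}")
    return reasons


def scan(log_text: str) -> List[Alert]:
    """Run the policy over every line; malformed lines are skipped, not crashed on."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in evaluate(rec):
            alerts.append(Alert(rec.timestamp, rec.account, rec.host, rec.bytes_out, reason))
    return alerts


def bytes_by_account(log_text: str) -> Dict[str, int]:
    """Total upload volume per provider account, the kind of figure a periodic report would carry."""
    totals: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.account.startswith(VENDOR_ACCOUNT_PREFIX) and rec.method in UPLOAD_METHODS:
            totals[rec.account] = totals.get(rec.account, 0) + rec.bytes_out
    return totals


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.account} -> {a.host} ({a.bytes_out} B): {a.reason}")
    print(bytes_by_account(SAMPLE_LOG))
```

On the constructed sample this raises three alerts: two uploads to hosts outside the allowlist and one oversized upload to an approved host. The allowlist and ceiling are the pieces worth writing into the contract, since the provider has to agree to the restriction before the monitoring means anything.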

Infrastructure management is another important consideration. This includes business continuity plans, antivirus and patch management, and the use of adequate encryption. As a general rule, companies should try to align their own security measures with those of the outsource provider, says Hallawell.
