For a safer the outsourcing market grows, problems will inevitably grow security side. The relationship with the outsourcer, the audit, the SLA. What can be done to alleviate the risks and threats?
Today reduce the risk of security is more important than ever. A particular aspect, usually little attention, the subject of security is that concerning the outsourcing contracts. In the following interview, the analyst specializing Diana Kelley, Burton Group provides a range of suggestions to determine the levels of risk, monitor the activities of your suppliers and negotiate the best Service Level Agreement (SLA) contracts of outsourcing.
How would you describe the scenery that surrounds the world of outsourcing with regard to security?
E 'a scenario that is increasingly clear and that is gaining increasing attention. Companies have learned that outsourcing is essential to link the issue of security. And recently there has also realized that along with the applications or systems can not outsource the risk to drop image: if something goes wrong in the application outsourcing this will affect your image, rather more than on the outsourcer.
Is there any advice you can give to ensure the highest levels of security outsourcing?
The first thing to do is to first understand what is working in outsourcing. This might seem simple. Let's take the example of the call center. I'm not just giving in outsourcing my call center, but with this I'm going through my security all'outsourcer management. We must understand, in short, what are the implications of a choice of outsourcing, with regard to risk management. So, if I'm giving in outsourcing of data is important to ask such a question: In these data there is information personal, for example, on health of certain people? Is there any other kind of personal information that must be protected? Remember that words are not just giving in a data center outsourcing, but rather data and procedures to monitor that data.
All this to say a simple thing: that you give to others by outsourcing a lot of things: your image and your reputation, data protection and the risks associated with this, the business processes that are involved from that data ... For this you must make sure you can handle what you are entrusting all'outsourcer and know exactly what you need to do to protect it.
All things they buy of even more important when an organization relies on an outsourcer in another country. This implies the need to know the details of risk in that country ..
Absolutely, because there are different legal systems by country. There are different requirements in the U.S., where standards apply as HIPAA and Sarbanes Oxley (SOX), privacy laws and specific rules (SEC 17a-4) for brokers and traders. In Canada there Piped out of respect for privacy in Japan are introducing a sort of Sarbanes Oxley (JSOX), there are other EU directives. These different rules define, for each country, what you can and can not be done with the data, their processing and storing them. This requires attention to the formalities required by the jurisdiction of your country of residence of the outsourcer, and extreme attention to the possibility that if you have any legal recourse for breach of contract. This caution, you will not remain with our hands in case of loss of your data, and then try to recover your data, or at least to be compensated for their losses.
How important is it to know the personal background and professional employees who work at our outsourcer contact with our company's systems and data?
This is a topic of great importance. You must know, for example, if your provider has the possibility to control the presence of ex-offenders among its employees, and if these are assigned to your company's sensitive data, have an idea if these people were perhaps involved in previous events in which there was data theft, sale of credit card information or similar cases. Well, what does the outsourcer with these controls, and how secure? And what are the measures put in place a daily basis to ensure that people with a history like that do not leave office even a day with a good chunk of your business is stored on a USB stick? And yet, as they are kept separate from your data the people who are not authorized to access it? What kind of access control, authentication and authorization systems which are used to ensure that people who can see certain data or work on specific jobs are the only ones to actually do these things? It would be the case also learn to understand what the outsourcer is doing to secure the necessary controls within the data center. It is often economically advantageous to have multiple instances on the same server in a sort of virtualized environment. But what if on the same server, along with information about your customers you can find information of your competitors? You should therefore ensure that your provider has taken steps to separate these data, not just to be sure that only authorized employees can see them, but also because anyone can have access to the data center, for example, your competitor, in ways remote client, is kept away from your data.
And speaking of ALS, which are the most important things you do?
The important thing in this context, is to act immediately, because it is very difficult to renegotiate the contract terms after a certain event happened, if the provider does not want to treat yourself to this possibility. Sometimes the engineers prefer not to involve lawyers and experts in contracts for fear that things may going too slow. But it is important that everything is clear and that before embarking on a long term contract with an outsourcer be assured of making it clear to the bottom of the terms acceptable to you and those that are not. One thing to devote particular care has to do with the presence in the outsourcing contract signed with a clause that allows the use of auditing procedures that will be specified from the outset: for example, if you prefer to use your auditor trust or have a particular preference for a specific mode of auditing standards and so on. Another important thing to point out now is about how to agree than any problem occurs. It does not matter whether it's call center or development, sooner or later something happens. So to better define the procedure and the way forward in these cases: what are the people to be involved and at what levels of responsibility, what is the right time to intervene and so on.
A 'else to define the quantification of damages should be paid in case of system failure and data loss.
There is something that usually happens to someone they do not know or may not think you can or need to ask?
The first thing to remember is what we said at the beginning and that is really worth repeating: most companies have not thought enough to what is the real risk associated with information that is outsourced. Your supplier may really be a 'best in class' processes so that you are interested in entrusting the security levels at which these processes are managed, this does not mean you have to make sure that the outsourcer to ensure the level of risk management which you feel need. Do not forget to assign someone in your organization the task of a liaison with the provider, as trustee, with the task even just to talk regularly with the outsourcer to make sure that things are going exactly the right way.
Source: ComputerWorldOnline - 09/05/2007
