When outsourcing IT, your company is giving up its operational control; therefore, it is more critical than ever to exercise IT security diligence and confirm that your IT vendor has the proper security controls in place throughout the term of the engagement. Regardless of how much is outsourced, the risk and financial liability from an IT security perspective is still the responsibility of the customer.
Here are 10 security questions to ask of any vendor before outsourcing IT.
Question No. 1: Where will my data and applications physically reside and what security protections are enforced for those locations? Does my data go to any other entity outside of the vendor? Does it ever leave the country?
Information security is about securing the entire data supply chain to ensure protection of data in-flight and data at rest, no matter where it travels. An outsourcing/cloud/IT service vendor will easily know the physical locations of data centers, but it is the client's responsibility to dig deeper and demand the same level of intelligence about the security of their new virtual data center as if they were doing it themselves. Who has access to that data? Can you get criminal background checks on those resources? Where is the disaster recovery (DR) data center? Where do the tape backups go? Who has access to those facilities?
Your data IS your business. Protecting that information and keeping it safe is like protecting a nation's gold reserve when that was the standard of currency.
Question No. 2: Will my company have a dedicated or shared infrastructure? If shared, how does the vendor maintain compliance between its customers? How does the vendor maintain isolation and privacy of my data?
Whether it is public cloud, personal cloud or any other services engagement, vendors will naturally want to leverage virtualized shared infrastructures to drive down cost and increase utilization.
Clients should demand an understanding of the security controls in place protecting their "home away from home" data center, and include tightly prescriptive controls around isolation and protection of their data and applications from other vendors' clients. The potential savings of that outsourcing initiative can be all wiped away with a single breach. It is always about risk and reward.
One must take a hard look and ask themselves, "At what risk am I saving this 50 percent plus TCO?" It is the client's responsibility to manage the risk and enforce security controls as part of the contract since the vendor's primary motivator is to demonstrate the cost savings. The client should take their new role as an auditor seriously.