Organizations that are serious about offshore outsourcing and simultaneously maintaining an appropriate level of data privacy need to understand the varying offshore security issues from client and service provider perspectives. Once businesses identify and understand issues surrounding offshore outsourcing security, they can take steps to work with service providers to reduce security risks by utilizing best practices to adopt a systematic security framework.
In recent years, with global delivery and proliferation of service providers, it is natural for client businesses to be concerned about potential security breaches, given the access that providers may have to confidential data related to customers and/or employees. Clients are also cognizant of regulatory and compliance requirements that vary across regions, and are concerned about their enforcement by the providers.
The service provider community, in general, has recognized that privacy and security issues are of paramount concern and has tried to mitigate these risks by investing in security infrastructure, compliance and training. While service providers have taken many steps to improve and meet client expectations, the fact remains that, globally, providers operate across a broad spectrum of security levels. Meanwhile, clients remain concerned about providers having strong internal controls to manage information security, privacy risks and contractual compliance risks. As we work with clients on global security assessments, we observe three things:
1. Clients tend to place maximum emphasis on providers' security policies and frameworks and on the networks being secure. However, most global service providers (other than some niche providers) have uniformly rigorous policies based on ISO and ITIL frameworks.
2. Personnel security controls represent the biggest risk areas (these controls tend to score the lowest in assessments).
3. Additionally, wide variation exists between different providers regarding the rigor of their "physical and environmental" controls as well as "system development and maintenance" controls.
This is illustrated in the chart below by the median and variance of scores we tend to see in our assessments: