Organizations that are serious about offshore outsourcing and simultaneously maintaining an appropriate level of data privacy need to understand the varying offshore security issues from client and service provider perspectives. Once businesses identify and understand issues surrounding offshore outsourcing security, they can take steps to work with service providers to reduce security risks by utilizing best practices to adopt a systematic security framework.
In recent years, with global delivery and proliferation of service providers, it is natural for client businesses to be concerned about potential security breaches, given the access that providers may have to confidential data related to customers and/or employees. Clients are also cognizant of regulatory and compliance requirements that vary across regions, and are concerned about their enforcement by the providers.
The service provider community, in general, has recognized that privacy and security issues are of paramount concern and has tried to mitigate these risks by investing in security infrastructure, compliance and training. While service providers have taken many steps to improve and meet client expectations, the fact remains that, globally, providers operate across a broad spectrum of security levels, while clients remain concerned about whether providers have strong internal controls to manage information security, privacy risks and contractual compliance risks. As we work with clients on global security assessments, we observe three things:
1. Clients tend to place maximum emphasis on providers’ security policies and frameworks and on the networks being secure. However, most global service providers (other than some niche providers) have uniformly rigorous policies based on ISO and ITIL frameworks, so this is rarely where the real differences lie.
2. Personnel security controls represent the biggest risk areas (these controls tend to score the lowest in assessments).
3. Additionally, wide variation exists between different providers regarding the rigor of their “physical and environmental” controls as well as “system development and maintenance” controls.
This is illustrated in the chart below by the median and variance of scores we tend to see in our assessments:
Designing an Offshore Security Program
Even with a growing number of functions being outsourced to an offshore location across geographies, rarely does one comprehensive security program exist. Designing and implementing a systematic offshore security program can mitigate offshore data security concerns.
As the graphic below illustrates, a well-defined framework that encompasses people, policies, processes and infrastructure benefits both the client and the service provider.
With a clear understanding of the concerns, you’re ready to tackle the issue of how to address common offshore data security issues, from ensuring security in your IT infrastructure to proper training. Here are some tasks to tackle:
Task #1: Tweak the enterprise IT architecture to improve security
Companies do not always require an overhaul of their enterprise architecture to make it security compliant. Usually, some targeted changes are enough. It begins by identifying the IT systems that hold or process sensitive data, and then securing both the data and those systems. Here are three examples of specific initiatives:
a. Data classification and masking: Data is classified based on its sensitivity, and the critical data fields are masked (tokenized, redacted or otherwise de-identified) before they are sent offshore. The data masking is usually a one-time, large effort to cover the existing data, followed by a small incremental effort for data created afterwards. Classification lets service providers concentrate their controls on the data that matters instead of dissipating their effort across all data.
b. Role classification: Once critical data is classified, it is important that it only be accessed by those authorized to see it. This calls for role definition and a mapping of each role to the data classes it may access. The key step is to properly define the roles and then find the gaps in the IT systems where role-based data access does not actually enforce the security policy, which is usually discovered by comparing the access the systems grant against the access the policy allows.
c. Define enterprise security standards: Clients have begun specifying standards for networks, desktops and servers that embody their security policies. For example, in the network area, standard policies exist around network segregation, firewalls and data encryption to which all service providers must adhere. These standards reduce the risk of breaches and provide audit trails for future analysis.
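To make initiatives (a) and (b) concrete, the following is an added example, not code from the original article or from any particular client or provider. It classifies the fields of a customer record by sensitivity, masks each field according to its class (a keyed, deterministic token for restricted fields so records can still be joined offshore; partial redaction for confidential fields), maps roles to the highest class they may see in clear, and checks a list of observed access grants against that policy to surface the role-based access gaps item (b) describes. The field names, role names, sample record and the key are all constructed for illustration; a real deployment would pull the key from a client-side KMS or HSM and never ship it to the provider.

```python
import hashlib
import hmac
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered data classes: a role cleared for a level may see everything at or below it."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical classification of the fields in a customer record (assumption, for illustration).
FIELD_CLASSIFICATION = {
    "customer_id": Sensitivity.INTERNAL,
    "country": Sensitivity.PUBLIC,
    "email": Sensitivity.CONFIDENTIAL,
    "phone": Sensitivity.CONFIDENTIAL,
    "national_id": Sensitivity.RESTRICTED,
    "card_number": Sensitivity.RESTRICTED,
}

# Hypothetical roles and the highest sensitivity each may see in clear (assumption).
ROLE_CLEARANCE = {
    "offshore_developer": Sensitivity.INTERNAL,
    "offshore_support": Sensitivity.CONFIDENTIAL,
    "onshore_fraud_analyst": Sensitivity.RESTRICTED,
}

# Example key only. In practice this lives in the client's KMS/HSM and never goes offshore.
TOKEN_KEY = b"example-tokenization-key-do-not-use"


def tokenize(value: str) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins across masked
    tables still work, but the original cannot be recovered without TOKEN_KEY."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def partial_redact(value: str, keep: int = 4) -> str:
    """Keep only the trailing `keep` characters (e.g. last four digits of a phone number)."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain; hide the rest."""
    local, _, domain = value.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


# Field-specific maskers take precedence over the level-based default.
FIELD_MASKERS = {"email": mask_email}


def mask_field(name: str, value, level: Sensitivity):
    """Apply the masking strategy appropriate to the field's class."""
    if name in FIELD_MASKERS:
        return FIELD_MASKERS[name](str(value))
    if level == Sensitivity.RESTRICTED:
        return tokenize(str(value))
    if level == Sensitivity.CONFIDENTIAL:
        return partial_redact(str(value))
    return value


def prepare_for_role(record: dict, role: str) -> dict:
    """Return a copy of `record` with every field above the role's clearance masked.
    Unclassified fields are treated as RESTRICTED so the policy fails closed."""
    clearance = ROLE_CLEARANCE[role]
    masked = {}
    for name, value in record.items():
        level = FIELD_CLASSIFICATION.get(name, Sensitivity.RESTRICTED)
        masked[name] = value if level <= clearance else mask_field(name, value, level)
    return masked


def find_access_gaps(observed_grants):
    """Given (role, field) pairs read from a system's ACLs, return the grants that let a
    role read a field above its clearance. Unknown roles get PUBLIC clearance only."""
    gaps = []
    for role, field in observed_grants:
        level = FIELD_CLASSIFICATION.get(field, Sensitivity.RESTRICTED)
        if level > ROLE_CLEARANCE.get(role, Sensitivity.PUBLIC):
            gaps.append((role, field, level.name))
    return gaps


# Constructed sample record for demonstration.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "country": "DE",
    "email": "alice@example.com",
    "phone": "+49301234567",
    "national_id": "X1234567",
    "card_number": "4111111111111111",
}

# Constructed grants as they might be exported from an application's ACL table.
OBSERVED_GRANTS = [
    ("offshore_developer", "customer_id"),
    ("offshore_developer", "card_number"),
    ("offshore_support", "phone"),
    ("offshore_support", "national_id"),
]

if __name__ == "__main__":
    for role in ROLE_CLEARANCE:
        print(role, prepare_for_role(SAMPLE_RECORD, role))
    print("gaps:", find_access_gaps(OBSERVED_GRANTS))
```

The deterministic token is the part practitioners most often get wrong: an unkeyed hash of a low-entropy field such as a card number or national ID can be reversed by brute force, so the HMAC key, not the hash, is what protects the value. Keeping the key onshore also means the provider can build and test against masked data without ever being in a position to reverse it.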
More Tasks to Tackle
Task #2: Carry out a detailed pre-assessment of each provider and each delivery site prior to signing off
Do your homework. Review the corporate information security policies and physical facility security policies of the providers to ensure all key risks are covered. Make sure that network security controls exist and that the delivery site is certified according to internationally recognized security compliance standards such as ISO 27001, BS 7799, SAS 70 and so on. Check that the certificate's scope actually covers the specific site and the services you are buying, not just the provider's headquarters; a certificate for one location says little about another.
Task #3: Set up a regular audit and assessment program
Review and audit the remote service provider's security policies at least annually. Beyond that, consider an on-site review of the specific site and area used to conduct client business twice a year, or more often as dictated by project requirements and risks.
Task #4: Build security obligations in the outsourcing contract
We recommend that clients bring all security-related controls into the contract. Specifically, include items such as a non-disclosure agreement, personnel background checks and the right to perform security assessments. A clause stipulating that service provider staff cannot be deployed to a direct competitor for a specified period should be part of the contract, as should definitions of what constitutes a security breach, the notification obligations that follow one, and the related liabilities.
Task #5: Build a culture of security in the organization
Above all, a culture of security is paramount and starts with having the right set of people driving the initiative and constantly reinforcing the message. Here are four initiatives that should be considered to establish a culture of security:
a. Client security team: Offshoring clients have started to create IT security teams or, alternatively, to expand existing ones. The security team tracks the issues that arise, publishes the security policies applicable to service providers and helps verify that the controls are in place. The team also ensures the continuous education of stakeholders on both the client and service provider sides.
b. Client visits: We recommend regular calendar-based client visits. These visits help the service provider teams appreciate the clients’ business and concerns. Clients should also include security on the agenda for their discussions with service provider staff.
c. Formal assessments: Assessments generally do not happen regularly enough and should be performed at least once a year. Assessments keep the key open items current in any security-related discussion and improve accountability. Additionally, service providers should perform a self-assessment once a year and submit the findings to clients.
d. Continuing education: Mixing an inexperienced workforce with multiple cultural backgrounds accentuates the need for a continuous education program around corporate security policies.
As organizations embrace offshoring, their IT systems and data will become more and more dispersed. A well-defined security plan that balances control and freedom can be effective in securing data and increasing the confidence of consumers and other stakeholders.