Task #2: Carry out a detailed pre-assessment of each provider and each delivery site prior to signing off
Do your homework. Review the corporate information security policies and physical facility security policies of the providers to ensure all key risks are covered. Make sure that network security controls exist and the delivery site is certified according to internationally recognized security compliance standards including ISO 27001, BS 7799, SAS 70 and so on.
Task #3: Set up a regular audit and assessment program
Reviewing and conducting audits on the security policies of the remote service provider is recommended on an annual basis at minimum. More frequently, consider performing an on-site review of the specific site and area used to conduct client business on a bi-annual basis or as dictated by project requirements and risks.
Task #4: Build security obligations in the outsourcing contract
We recommend that clients bring all security-related controls into the contract. Specifically, include items like a non-disclosure agreement, personal background checks and security assessments. A contingency stipulating that service provider staff cannot be deployed to a direct competitor for a specified amount of time should be part of the contract, as should definitions of breach of security and related liabilities.
Task #5: Build a culture of security in the organization
Above all, a culture of security is paramount and starts with having the right set of people driving the initiative and constantly reinforcing the message. Here are four initiatives that should be considered to establish a culture of security:
a. Client security team: Offshoring clients have started to create IT security teams or, alternatively, increase the number of people on those teams. The security team is aware of issues that may arise and thus publishes the security policies applicable to service providers and assists in ensuring the controls. The team ensures the continuous education of stakeholders on the client and service provider sides.
b. Client visits: We recommend regular calendar-based client visits. These visits help the service provider teams appreciate the clients' business and concerns. Clients should also include security on the agenda for their discussions with service provider staff.
c. Formal assessments: Generally, assessments do not happen regularly enough and should be performed at least once a year. Assessments keep the key open items current in any security-related discussion and improve accountability. Additionally, the service providers should perform a voluntary assessment once a year and submit the findings to clients.
d. Continuing education: Mixing an inexperienced workforce with multiple cultural backgrounds accentuates the need for a continuous education program around corporate security policies.
As organizations embrace off shoring, the IT systems and the data will become more and more dispersed. A well defined security plan that balances control and freedom can be effective in securing data and increasing the confidence of consumers and other stakeholders.