Enterprises that outsource without properly assessing the provider's security profile are at risk of losing their data, reputation, and customers. Protect the organization's interests by following best practice guidelines for gauging outsourcer security risks.

Outsourcers: A Growing Target

Enterprises outsource a variety of tasks for a variety of reasons. Typical IT services slated for outsourcing include application development, Web design, data center services, and help desk. Many of these functions are shipped overseas, where security oversight and governance are logistically difficult to monitor.

Also at risk are outsourcers that collect, dispense, or process personal data. These outsourcers are often targeted by hackers intent on stealing personal information for identity theft purposes. Potential candidates for hacking include:

• Financial accounting and banking services.
• Credit card transaction processors.
• Human resources providers.
• Application hosting services.
• Payroll companies.

The severity and frequency of threats continue to rise. A number of high-profile data thefts occurred in 2005 against Citigroup, Bank of America, ChoicePoint, DSW, and Marriott's timeshare unit. As the outsourcing trend grows, so too may the number of security breaches at the provider end.

Recommendations

Enterprises seeking to outsource IT and processing services must evaluate provider security from the outset. Incorporate the following recommendations into the enterprise's RFP process.

1.Outsource highly sensitive IT services only to SAS 70-certified providers. The Statement on Auditing Standards No. 70 (SAS 70) is a third-party report on a service organization's security and the effectiveness of its internal controls. SAS 70 Type II defines the standards an auditor must employ in order to assess the internal controls of a service organization that is contracted by any enterprise subject to SarbOx evaluation. For more information on SAS 70 generalities, see "Obtain SAS 70 Certification for Competitive Advantage" from McLean Report.

2.Ask the right questions and seek evidence. Does the IT outsourcer firm have appropriate security policies and management procedures in place? Does it have development systems for maintaining an accurate inventory of IT assets? Are outsourcing workers and business partners qualified to fulfill their responsibilities? Are data centers physically protected against access by unauthorized individuals? Have comprehensive business continuity plans been developed and tested?

3.Follow the banking industry's best practice guidelines. A consortium of top U.S. financial services firms - known collectively as the Banking Industry Technology Secretariat (BITS) - released a set of guidelines for evaluating the security risks of outsourced IT. The ISO 17799-based IT Service Provider Expectations Matrix provides a single set of rules for evaluating outsourcers. Regardless of industry, all IT shops should follow the BITS matrix - the banking industry is a high liability trade that's very stringent about to whom they outsource. The questionnaire-style matrix focuses on the following outsourcer security control areas:

• Security policy.
• Organizational security.
• Asset classification and control.
• Personnel security.
• Physical and environmental security.
• Communication and operations management.
• Access control.
• System development and maintenance.
• Business continuity management.
• Compliance with legal and regulatory requirements.

4.Ensure the privacy and confidentiality of personal data. Privacy-focused industries such as healthcare must take additional safety steps when personal data is outsourced. Not only should the outsourcer ensure confidentiality, but it must further guarantee that any entity (e.g. a medical transcriptionist) to which the outsourcer sends personal information also ensures data confidentiality. Healthcare organizations should also demand the following from outsourcers:

• Indemnification for breach of contract.
• Subcontractors must adhere to the same standards as the initial outsourcer.

5.Establish a contract exit plan. Despite best efforts, an outsourcer may still experience a negative security event. Depending on the severity of a breach, it may be necessary to break the contract with the outsourcer. This cannot be accomplished without a well-crafted disengagement clause in the contract. Before signing anything, negotiate disengagement scenarios with the outsourcer and agree on disengagement provisions. Also include financial penalties for security breaches, as you would for any other SLA. For an idea on how this might look, see Transport for London's Exit Plan for service provider contracts.

Bottom Line

When outsourcing, enterprises must be able to assess and track the security of the service providers with whom they wish to do business. It is the only way to ensure that the company's data and intellectual property remain secure once they leave the organization.

Sidebar: Outsourcing-A Widespread Practice

About 62% of mid-sized enterprises have outsourced some part of their IT services already. Outsourcing will continue to gain significant traction as the larger outsourcers move down-market.

Management of outsourcing is among the lowest rated priorities for mid-sized IT decision makers. This is a mistake. Top-performing enterprises and their IT shops are much more likely to have formal systems in place for outsourcer management, and are also far less likely to suffer disastrous consequences should the outsourcer's security become compromised.