Outsourcing: Understanding the business risks

QUESTION:
In your opinion, what are the key business risks associated with outsourcing in developing countries, and what role can security risk management play in mitigating them?


EXPERT RESPONSE FROM: Shon Harris, past SearchSecurity.com expert
ANSWERED February 2006:

Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, Shekhar Verna, an employee at the Indian company Geometric Software Solutions Ltd. (GSSL), became a lethal weapon after he was fired. He stole a copy of a customer's source code, contacted several of the customer's competitors and sold the information to the highest bidder. Fortunately, Verna unknowingly sold the code to an undercover Indian intelligence agent. Unfortunately, stealing trade secrets did not violate Indian law, so Verna was only charged with simple theft.

It is also unfortunate that this is not the only incident. There have been several cases in the past few years where off-shore employees have taken customer intellectual property. However, it's important to note that while these countries still do not have intellectual property or privacy laws in place, many governments, including India's, have been actively working to decrease these risks, because these incidents directly affect the vendor's reputation and bottom line -- their revenue.

People who aren't familiar with outsourcing may think it's just too risky. However, many organizations are having a hard time staying in business because they are competing with companies that do outsource, which drives down the market price for their goods and services. So, in many industries, outsourcing is unavoidable and therefore must be properly managed. If you are in one of these industries and are hesitant, again think of the profit -- several sources have estimated that U.S. companies that outsource labor will save hundreds of billions of dollars by 2010.

Choosing an offshore outsourcing company can be difficult. As you look for a company, it's important to look under the covers and do the necessary due diligence. Also, it's a good idea to address the following issues:

  • Don't rely on a supplied customer list or claims that they adhere to quality management standards and regulations.
    • Physically go to the facility. Hire staff that can manage the company locally, hire an attorney in that region to review the legitimacy of the contract as it pertains to that country's laws and interview the vendor's current customers.
  • If the company is in a country that is a member of the World Trade Organization, it may adhere to the intellectual property protection objectives laid out in TRIPS (Trade-Related Aspects of Intellectual Property Rights).
    • Note: This has to be enforced locally; therefore, investigate the track record for this type of enforcement.
  • If the company is incorporated in the U.S., it can be sued under the U.S. legal system.
    • If the vendor has assets in the U.S., it can be more easily controlled by the U.S. legal system.
  • Ensure the company does background checks on all employees and contractors.
    • Review the actual documentation instead of just listening to the vendor's sales staff.
  • Review the company's history, how financially stable it is, and the retention rates of employees.
    • Many offshore vendors experience high turnover, which increases the risks of loss of control over your company's IP.
  • Ensure that indemnification agreements are in place.
  • Engage a software escrow company and get insurance to protect your source code.
  • Define an acceptable risk level with the vendor and monitor enforcement efforts.
  • Audit the company to ensure it is compliant with your contract and policy, and that it is meeting your regulation requirements.
  • Understand the laws of the country this company resides in. For example, Singapore has more mature intellectual property laws than China, India and Russia.
  • Understand your company's legal and regulatory requirements that can come into play. For example, if the outsourcing company handles your customers' medical or financial information, how will you ensure HIPAA and SOX compliance?
  • Review how the vendor uses subcontractors, and how they ensure this crew meets the same requirements as their employees.
  • Give the proper amount of time and effort to due diligence before moving forward with a vendor.
  • Remotely monitor firewalls, IDS and other security technologies within the vendor's facility.
    • Your company may be able to own and deploy the systems and technologies to ensure a certain level of protection.
  • Check to see if the vendor has disabled floppy, CD-ROM and USB drives on employee and contractor workstations to reduce the risk of theft of your company's IP.
  • Review physical security and business continuity measures.
  • Understand the political context of the country the company resides in. If there is potential for civil war or other types of unrest, this is not where you want to do business.
  • Require non-disclosure and non-compete contracts for the vendor, employees and contractors.
    • Investigate if these items are recognized and enforced in the country the vendor resides in.
  • Put financial sanctions in your contract instead of just relying upon the legal system.
  • Make payments "performance-based" on both security and quality control performance.
  • Require that all legal disputes be handled in U.S. courts. Document it in your contract.
  • Require the vendor to carry insurance that will protect its customers from losses.
  • Ask for proof of security certifications obtained by employees and contractors (CISSP, GIAC, Security+).
    • This will show the exposure of information security this group has had.
  • Evaluate the vendor's access control procedures and ensure that least privilege is enforced.
  • Find out if the vendor has an SEI Capability Maturity Model (CMM) or ISO 17799 certification.

Since different companies have different levels of acceptable risk, management of outsourced companies will vary in effort and cost. A company that outsources its call center or assembly line will not have the same security risks as a company that outsources its software development or processing of sensitive data. Remember, no matter what type of contract you put in place, enforcement can be very difficult when it crosses country boundaries. This does not mean your company should not outsource specific types of labor – just be prepared to do what it takes to ensure the processes are secure.

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy