In your opinion, what are the key business risks associated with outsourcing in developing countries, and what role can security risk management play in mitigating them?
Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, Shekhar Verna, an employee at Indian company Geometric Software Solutions Ltd. (GSSL) became a lethal weapon after he was fired. He stole a copy of a customer's source code, contacted several of their competitors and sold the information to the highest bidder. Fortunately, Verna unknowingly sold the code to an undercover Indian Intelligence agent. Unfortunately, stealing trade secrets did not violate Indian law, so Verna was only charged with a simple theft.
It is also unfortunate that this is not the only incident. There have been several cases in the past few years where off-shore employees have taken customer intellectual property. However, it's important to note that while they still do not have intellectual property or privacy laws in place, many governments, including India, have been actively working to decrease these risks, because these incidents directly affect the vendor's reputation and bottom line -- their revenue.
People who aren't familiar with outsourcing may think it's just too risky. However, many organizations are having a hard time staying in business, because they are competing with companies that do outsource, which drives down the market price for their goods and service. So, in many industries, outsourcing is unavoidable and therefore must be properly managed. If you are in one of these industries and are hesitant, again think of the profit -- several sources have estimated that U.S. companies that outsource labor will save hundreds of billions of dollars by 2010.
Choosing an offshore outsourcing company can be difficult. As you look for a company, it's important to look under the covers and do the necessary due diligence. Also, it's a good idea to address the following issues:
- Don't rely on a supplied customer list or claims that they adhere to quality management standards and regulations.
- Physically go to the facility. Hire staff that can manage the company locally, hire an attorney in that region to review the legitimacy of the contract as it pertains to that country's laws and interview the vendor's current customers.
- If the company is in a country that is a member of the World Trade Organization it may adhere to the intellectual property protection objectives laid out in TRIPS (Trade-Related Aspects of Intellectual Property Rights)
- Note: This has to be enforced locally, therefore, investigate the track record for this type of enforcement.
- If the company is incorporated in the U.S., it can be sued under the U.S. legal system.
- If the vendor has assets in the U.S., it can be more easily controlled by the U.S. legal system.
- Ensure the company does background checks on all employees and contractors.
- Review the actual documentation instead of just listening to the vendor's sales staff.
- Review the company's history, how financially stable it is, and the retention rates of employees.
- Many offshore vendors experience high turnover, which increases the risks of loss of control over your company's IP.
- Ensure that indemnification agreements are in place.
- Obtain a software escrow company and get insurance to protect your source code.
- Define an acceptable risk level with the vendor and monitor enforcement efforts.
- Audit the company to ensure it is compliant with your contract and policy, and that it is meeting your regulation requirements.
- Understand the laws of the country this company resides in. For example, Singapore has more mature intellectual property laws than China, India and Russia.
- Understand your company's legal and regulatory requirements that can come into play. For example, if the outsourcing company handles your customer's medical or financial information how will you ensure HIPAA and SOX compliancy?
- Review how the vendor uses subcontractors, and how they ensure this crew meets the same requirements as their employees.
- Give the proper amount of time and effort to due diligence before moving forward with a vendor.
- Remotely monitor firewalls, IDS and other security technologies within the vendor's facility.
- Your company may be able to own and deploy the systems and technologies to ensure a certain level of protection.
- Check to see if the vendor has disabled floppy, CD-ROM and USB drives on employee and contractor workstations to reduce the risk of theft of your company's IP.
- Review physical security and business continuity measures.
- Understand the political context of the country the company resides in. If there is potential for civil war or other types of unrest, this is not where you want to do business.
- Require non-disclosure and non-compete contracts for the vendor, employees and contractors.
- Investigate if these items are recognized and enforced in the country the vendor resides in.
- Put financial sanctions in your contract instead of just relying upon the legal system.
- Make payments "performance-based" on both security and quality control performance.
- Require that all legal disputes be handled in U.S. courts. Document it in your contract.
- Require the vendor to carry insurance that will protect its customers from losses.
- Ask for proof of security certifications obtained by employees and contractors (CISSP, GIAC, Security+).
- This will show the exposure of information security this group has had.
- Evaluate the vendor's access control procedures and ensure that least privilege is enforced.
- Find out if the vendor has a SEI Capability Maturity Model (CMM) or ISO 17799 certification.
Since different companies have different levels of acceptable risk, management of outsourced companies will vary based on effort and cost. A company that outsources its call center or assembly line will not have the same security risks as a company who outsources its software development or processing of sensitive data. Remember, no matter what type of contract you put in place, enforcement can be very difficult when it crosses country boundaries. This does not mean your company should not outsource specific types of labor – just be prepared to do what it takes to ensure the processes are secure.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Shon Harris
When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ... Continue Reading
Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ... Continue Reading
Is your organization capable of having true information security governance? In our expert Q&A, Shon Harris reveals the ideal components of a ... Continue Reading