Don't Export Security

It is up to CIOs and CSOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider.

Christopher Koch (CIO)
22 June, 2005 12:18
Comments

Page:

1
2
3
4
5
next >

Sure, you can save money by working with an outsourcing vendor in a faraway land. But don't trust the outsourcer to install the right security protections. Follow these best practices to verify that your relationship is cost-effective and safe.

This is what it's like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big insurance company (in this case CNA):

When you come to work, your bag is searched. You may be too. You hand in your mobile phone to the security guard, to be picked up when you go home.

When you arrive at your desk, there are no traces of the papers you worked on yesterday - they got shredded last night. Don't bother trying to copy a digital picture of your kids onto your work screen (you can't copy or move files). There's nothing but a phone (which can't call anyone but the insurance company's help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail. And taking home a copy of CNA's confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.

"The data and our processes are too sensitive. We can't afford to be lax," says Scott Sysol, director of infrastructure and security architecture for CNA.

While experts disagree wildly about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)

And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcing - scale, sharing and repeatability - they are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes.

Risk Is in the Eye of the Beholder

Not all companies need the kinds of security measures that CNA has in place. It is up to CIOs and CSOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.

"I'd say fewer than 20 percent of my clients audit the security of their providers," says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. "They just accept the suppliers' defined security plan and don't check to see if they are living up to it."

Steven DeLaCastro, an offshore outsourcing consultant with Tatum Partners, puts the total even lower, at 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he says.

Companies routinely underestimate the extra elements of risk introduced into the offshoring equation by issues like poor infrastructure, political instability and legal systems that don't line up with local practices, says Ken Wheatley, vice president, corporate security of Sony Electronics. "People are so focused on saving money and shifting operations that they don't think about the safeguards that need to be put in place," he says. "They assume that people in different countries have the same mind-set and safeguards and sense of due diligence, and that's just not the case."

Page:

1
2
3
4
5
next >

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email CIO
Follow CIO on twitter

More about: AT Kearney, Citibank, e-Security, Exposure, Forrester Research, Gartner, Inference, INS, ISO, Microsoft, Provision, ProVision, SAS, Sony, Tata, Tata Consultancy Services, VMware

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Whitepapers

Latest Stories

Community Comments

"Ich kenne einige Leute, die aus Kanadakommen. Eines Tages werde ich auch ..."

Australia's first 4G smartphone is the HTC Velocity 4G
"Actually when someone doesn't know then its up to other visitors that ..."

Swedish e-commerce startup's execs linked to NYC sex crime
"Hi to all, how is everything, I think every one is getting ..."

Face Time - Interview with John Brennan and Robert DiStefano
"I am truly thankful to the owner of this website who has ..."

How to implement next-generation storage infrastructure for Big Data
"hwjae , click here http://www.breastenhanceproduct.org/how-to-benefit-from-herbal-breast-enhancements"

Pfizer's Future Depends on IT Transformation

Latest Blog Posts

Whitepapers

Key Considerations in Modernising Your Backup and Deduplication Solutions
There is a definite need for better data backup solutions in today’s enterprise data centers. The question is whether to continue with software-only backup and deduplication solutions, or to make the move to a purpose-built backup appliance with deduplication capabilities. This paper provides a structured approach to assessing the advantages of the appliance model. Read this whitepaper.

Learn more »
Traditional Backup is Dead - Are you prepared?
Conventional backup and recovery approaches clearly can't keep up with ever-growing storage rates. It's time to take on a new strategy.

Learn more »
Shedding Light on Backup and Availability Challenges in Virtual Environments
This IDG white paper explores specific backup and availability challenges organisations must surmount as they move to virtualise their business-critical applications. It then shows how attaining proper service levels for these applications requires a high degree of visibility into the VMware virtual environment.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

HP Security Action Plan for Enterprise Printing and Imaging

Security is a part of how we work. When you walk through the front door of your office every morning, you probably pass a level of security. At your desk, ...

Don't Export Security

Risk Is in the Eye of the Beholder

Comments

Post new comment

Building trusted relationships

Planning your IT career

Taking the risk out of diversity

5 open source help desk apps to watch

NBN Co focuses on continuous delivery to meet its deadlines

How to create a clear project plan

5 open source billing systems to watch

10 Tips for Dealing with a Bully Boss

Face Time - Interview with John Brennan and Robert DiStefano

Pfizer's Future Depends on IT Transformation

All Systems Down

IT service management going social

Australia's first 4G smartphone is the HTC Velocity 4G

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

HP Security Action Plan for Enterprise Printing and Imaging

The Pathways ICT Leadership Development Program Brochure and Curriculum 2012