How to secure an outsourced project
- — 30 January, 2013 10:22
Despite our desire for simplicity, IT continues to become more complex. Decentralised applications or client-server models have become the norm. Smartphones and tablets are pushing mobile computing into a new era and changing user behaviour. Cloud has significantly altered the way we provide IT solutions and how we meet business needs with technical solutions.
Long gone are the days when a single person could master and manage an entire enterprise network. Today, many businesses lack the dedicated staff and financial resources to manage their ever expanding IT needs. Faced with this situation, a growing number of companies contract out part of their IT to external suppliers.
While many articles have explored the security issues linked with cloud services, there are still many people who fail to recognise the same arguments apply to other outsourcing services. In fact, the challenge of managing risks and security in a diverse IT environment remains the same; whether it’s cloud, outsourcing or managed services, the reality is you are handing control of your business’ devices or applications to someone else.
The security challenge
The challenge for many businesses is deciding the level of security controls and risks your company is willing to accept – you can choose a fully-dedicated environment where security levels are dictated by your organisation, or you can use a public environment in which you accept the default setup.
Today’s Chief Security Officer is assigned the task of managing security risks associated with these changes and must come up with appropriate solutions to alleviate them. For many businesses, the move to an outsourced model presents an opportunity to increase the level of network security. It could even be the trigger for a security upgrade.
Establishing an outsourced project
Outsourcers will generally set technical, physical and organisational security controls that will be applied across all of the outsourcer’s services. This creates a baseline and spreads the cost of security across its client base. It is essential to understand your outsourcer’s baseline and request additional security if your project requires it.
Before entering into an outsourcing agreement, it is also important to consider legal matters. If the outsourcer is providing a “standard” service, it up to your company to ensure that your legal requirements are met – for example, regional data storage compliance and confidentiality legislation.
Managing multiple outsourcers
Outsourcer management is often neglected despite the fact that many companies outsource different parts of a project to a range of suppliers. For example, one company might handle the telephony infrastructure, while another manages WAN. In this situation it is essential to ensure both outsourcers deliver the same level of security for their services. It is also crucial to establish clear communication between the various outsourcers and internal departments – especially during periods of disruption or change.
Incident management (both poor and effective) has significant legal, reputational and operational impacts. It is essential to establish a process that dictates when a security incident is detected by your outsourcers, it is adequately evaluated, and reported to you within a predetermined timeframe.
Before entering an outsourcing agreement, ensure that the outsourcer’s obligations are clearly stated and check to confirm the outsourcer doesn’t have any legal constraints that are incompatible with your business.
Whatever part of your IT or process is outsourced, it is essential to ensure all security aspects are fully considered and met, and each outsourcer delivers the same level of security for their services. Detailed consideration of these challenges will allow businesses to benefit from the cost and productivity gains offered by outsourcing, while maintaining strategic security plan of the business.
Today’s CSO must take a 360 degree view of the project in order to ensure requirements are met and managed efficiently, and incidents will be detected and dealt with correctly.