Best Practice Five: Understand Where Your Work Gets Done
With markets throughout Asia and Europe offering services, the world can seem like one big outsourcing oyster. But it's important to understand the political context of your contractor's work situation.
While it's hard to conceive of a foreign government stepping in and demanding disclosure of your proprietary software and data, it's important to know that it has happened. According to Gartner, in 2000 the Chinese government decreed that any software using encryption had to be registered with the government, along with anyone using it. The government also said that any software used in China must include encryption software manufactured in China. The government eventually rescinded the decree, but had it remained in force, foreign companies would have faced the threat of industrial espionage by the government.
Security consultants specialize in tracking offshore political risks. "You want to understand the powers and predilection of the national government to look at your data and the chance that the service provider would comply," says Kelly Kavanaugh, a Gartner analyst. "Some country is always getting caught doing some industrial espionage . . . It's nothing new."
Put It in the Contract
The outsourcing pact spells out security requirements and sets up regular audits - and costly penalties.
With legal recourse limited in many countries, the contract with the provider becomes critically important for outlining security responsibilities and penalties for breaches. Leave plenty of time for negotiation, says Scott Sysol, director of infrastructure and security architecture for CNA. "It is a strenuous process with multilevel reviews inside both companies," he says. There are also certain levels of sanctions that can be built into the contract. "You need to get something in the contract that says if someone steals something, the contractor will take responsibility," says Sysol. "We've built some [financial] sanctions into our contracts. But you can't go overboard because the providers will walk away from the deal." Other contract recommendations:
• Demand nondisclosure and noncompete agreements. With offshore providers growing so rapidly and turnover high - as high as 30 percent in some companies - it's important to understand what your offshore vendor is doing with your intellectual property and to do what you can to keep people from taking information about you with them, says Vinnie Mirchandani, principal of consultancy Deal Architect.
• Bring legal disputes to Australian courts. Require that the offshore vendor agree to handle legal disputes in Australia.
• Require insurance. Top offshore vendors have insurance to protect customers against losses caused by the vendor or its contractors, says Forrester Research.
• Keep discussions private. Insist on a separate meeting room near the work area.
• Look for certifications. Though they do not guarantee good performance, the Certified Information Systems Security Professional, or CISSP, certification program and Global Information Assurance Certification at least demonstrate that employees have had exposure to security issues and best practices.