Out-sourcing and Risk

Recently we have been reminded frequently about the growth in outsourced services: Computer Weekly's recent report showed the continued growing appetite for outsourcing across the globe (http://www.computerweekly.com/news/2240151385/Shared-services-take-up-fastest-in-growing-market), and both PwC (http://www.pwc.com/gx/en/information-security-survey/giss.jhtml) and CIF (http://www.cloudindustryforum.org/) have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, this clearly has implications for your security. But what are they?

Can you see and understand the whole risk picture?

Well, first of all, not all arrangements with external parties are equal. Clearly the people hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about which security controls you should and should not put in place you should risk assess the third party. Examples of things you should consider include the type and sensitivity of the data, the extent and maturity of their existing security controls, any legal and regulatory requirements you or your clients are required to meet, and the impact that losing access to your information and information processing facilities would have.

Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and (as a minimum) include the physical and logical controls you expect to be maintained around your assets, the requirements you expect of their personnel (if you vet your staff, then you might think it pertinent to make sure they vet theirs), incident and weakness reporting procedures to you, their procedures for access to and segregation of your assets, applicable SLAs, and your right to audit them. And once you have entered into an agreement with them, make sure you enforce your right to audit!

If your outsourcing strategy does or may include the use of Cloud based services, read our short guide to Cloud security.
