Recently we have been reminded frequently about the growth in outsourced services; Computer Weekly's recent report showed the continued growing appetite for outsourcing across the globe (http://www.computerweekly.com/news/2240151385/Shared-services-take-up-fastest-in-growing-market), and both PwC (http://www.pwc.com/gx/en/information-security-survey/giss.jhtml) and CIF (http://www.cloudindustryforum.org/) have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, this clearly has implications for your security. But what are they?
Well, first of all, not all arrangements with external parties are equal. Clearly the people hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about which security controls you should and should not put in place, you should risk assess the third party. Examples of things you should consider include the type and sensitivity of the data, the extent and maturity of their existing security controls, any legal and regulatory requirements you or your clients are required to meet, and the impact that losing access to your information and information processing facilities would have.
Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and (as a minimum) include the physical and logical controls you expect to be maintained around your assets, the requirements you expect of their personnel (if you vet your staff, then you might think it pertinent to make sure they vet theirs), incident and weakness reporting procedures to you, their procedures for access to and segregation of your assets, applicable SLAs, and your right to audit them. And once you have entered into an agreement with them, make sure you enforce your right to audit!
If your outsourcing strategy does or may include the use of cloud-based services, read our short guide to cloud security.