In Depth
Information Without Borders: Maintaining Security Controls for Outsourced IT
When it comes to outsourcing, out-of-site shouldn't mean out-of-mind
By Simson Garfinkel
Another problem with outsourcing software is source-code control. One company I know hired a team in Europe to port a program from Mac to Windows. The company got back a Windows installer and source code for the completed application. But the company never bothered to see if the source code could be compiled
Outsourcing isn't the only risk for software development. It's a risk whenever sensitive information leaves your perimeter of control. In October, the San Francisco Chronicle reported that a woman in Pakistan who was transcribing audio tapes for the University of California at San Francisco Medical Center had threatened to release patient records unless she was paid more money. It turns out that UCSF wasn't outsourcing directly to the woman in Pakistan. It had hired a medical transcription company in Sausalito to do the work. But that company outsourced the work to a woman in Florida, who wired somebody in Texas, who sent the work to Lubna Baloch in Pakistan. The recordings were being sent to Pakistan over the Internet, and when Baloch felt that she wasn't being paid enough money, she sent an e-mail to UCSF with a copy of some patients' reports and those audio recordings.
As UCSF found out, when you outsource work, you also outsource control. You may have a policy that work should not be sent overseas, as the Florida-based transcription company apparently did, but it's hard to make sure that that policy is enforced.
So What's a CSO to Do?
The first step is to carefully review outsourcing agreements with law firms both in your home country and in the country in which the outsourcing is taking place. Make sure that the agreements cover poor security and bad employees on the part of contractors and subcontractors alike. And make sure that the country has legislation that makes your contracts enforceable.
The second thing to do is to see whether you can anonymize or obscure personal information so that a leak will be less damaging. There's no reason that the audio recordings outsourced to Pakistan should have had the names of patients or even the medical institution attached to them. Had that information been withheld, Lubna Baloch wouldn't have known where to send her threat.
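The pseudonymization step described above, as an added illustration that is not part of the original article: identifying fields (patient name, record number, institution) are swapped for a random job token before the job leaves the perimeter, the token-to-identity table stays in-house, and a final check confirms none of the original values survive in the outbound payload. The field names and the sample job are constructed for this example.

```python
import json
import secrets

# Constructed sample: the metadata that would travel with a dictation file
# sent to an outside transcriptionist. All values are made up.
SAMPLE_JOB = {
    "patient_name": "Jane Example",
    "mrn": "MRN-000123",
    "institution": "Example Medical Center",
    "audio_ref": "dictation-0042.wav",
    "notes": "Follow-up dictation for Jane Example at Example Medical Center",
}

# Fields that must never leave the organization's perimeter.
IDENTIFYING_FIELDS = ("patient_name", "mrn", "institution")


class PseudonymVault:
    """Maps outbound job tokens back to identities. Lives only inside the perimeter."""

    def __init__(self):
        self._table = {}

    def issue_token(self, job):
        # Random token: unlinkable across jobs, meaningless without this table.
        token = secrets.token_hex(8)
        self._table[token] = {f: job[f] for f in IDENTIFYING_FIELDS}
        return token

    def resolve(self, token):
        # Used when the finished transcript comes back and must be re-attached.
        return self._table[token]


def prepare_outbound(job, vault):
    """Build the payload the contractor receives: token plus scrubbed work items."""
    token = vault.issue_token(job)
    notes = job["notes"]
    # Scrub identifiers from free text too; longest values first so a value that
    # is a substring of another is not left half-redacted.
    for value in sorted((job[f] for f in IDENTIFYING_FIELDS), key=len, reverse=True):
        notes = notes.replace(value, "[REDACTED]")
    return {"job_id": token, "audio_ref": job["audio_ref"], "notes": notes}


def leaks_identity(outbound, job):
    """Return the identifying fields whose original value still appears anywhere in the payload."""
    blob = json.dumps(outbound)
    return [f for f in IDENTIFYING_FIELDS if job[f] in blob]
```

Run `leaks_identity` as a gate before transmission; if it returns anything, the job must not be sent.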