Outsource IT with Caution

Theresa Grant, director of information security for Dow Chemical, answers readers' outsourcing questions.

. What's this?

March 01, 2004CSOQ: What do you consider to be the top three benefits and pitfalls for outsourcing IT security? A: There are a number of benefits when it comes to outsourcing IT security. Security service providers deal with a wide range of clients and, as such, have a wide range of expertise. Outsourcing information security allows companies to leverage the best practices the provider has gained from other clients. Additionally, economies of scale can be leveraged, reducing costs while providing a variety of resources. Finally, for routine activities such as password resets, security monitoring, security management and others, outsourcing information security requires less resources.

However, there are disadvantages. When you outsource IT security, you give contractors access to your environment. Because of that, you need to control the level of access you grant your providers and ensure that their policies for screening their employees meet your standards. Furthermore, when developing your service-level agreements, ensure the necessary language is included so that you receive all the services you request and that your provider's staff understands and abides by your internal security policies. Finally, don't take for granted the importance of monitoring activity; provisions must be made to ensure you get the services you pay for.Q: How can I create a contract that appropriately puts the outsourcing provider on the hook if one of its employees uses our data fraudulently? A: It is important to ensure that your contract protects you from inappropriate data or network use by your outsourcing provider. Make sure your contract contains a "right to audit" clause, and that you have audit processes in place to determine whether best practices are being employed or misuse is occurring. Furthermore, by adding language to your contract that details the action your supplier must take to remedy a situation where inappropriate use occurs, you will raise the provider's accountability and protect your company.Q: If outsourcing presents an increased security risk, how can I consider outsourcing security?A: That may be true. However, depending on a company's overall outsourcing strategy and core competencies, it may be a greater risk to maintain the security services internally than if they were outsourced to a reliable, reputable security service provider.

The key is balance. You don't want to give away the keys to the kingdom, so you need to make sure your networks and data are adequately protected. Your first course of action should be evaluating your options and determining if outsourcing is right for you. If it is, you should consider a number of providers to determine which has the expertise to meet your needs. You also want to make sure you aren't outsourcing governance or an area that would require access to privileged information. Once a provider has been selected, work with the provider's consulting group and see if you are comfortable having your security managed externally. Also, I can't emphasize enough the importance of having audit processes in place so that you can monitor the providers' activities and ensure your security policies are followed.Q: What are the key questions that need to be answered when evaluating whether to outsource security?A: Here are some important questions to ask:

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER