Outsourcing Physical Security
Marene Allison, director of global security for Avaya, answers readers' questions about outsourcing physical security.
By Marene Allison, CSO, Avaya
July 01, 2004 — CSO
Q: What security concerns does outsourcing present?
A: Outsourcing primarily takes away your personal span of responsibility around the activities you are outsourcing. However, you now have to rely on a third party to take the same care and due diligence that you would take. For example, if you hire a guard company, you have to ensure that the post orders are maintained to your standards; you have to ensure that they complete the background checks with the same due diligence that you would; their training program must meet your needs. The same goes for the installation of security devices: Are they wired properly? If you have an enterprise system, is your outsourcer doing the virus updates? Is there a firewall? You must consider all the security risks that you might have if you did all the activities in-house, but you have to rely on others to ensure that the work gets done.
Q: What is the number-one reason outsourced physical security fails? And what measures should you utilize for improvements?
A: I think the number-one reason is that it is not properly managed. That spans from how the contract is written to the eventual evaluation and assessment. Outsourcing does not mean that the security department's responsibility ends. Sometimes that is just the beginning. Right from the initial contract, all expectations and service levels should be agreed upon and the consequences should be clearly defined. Then the arrangement must be inspected to ensure those service levels are met. If outsourcers tell you they have worldwide installation capabilities and that capability is in your contract with them, and they then turn around and tell you that you need to pay for a technician to fly from Australia to Hong Kong for an installation, question them on it. Don't accept the cost. Hold your outsourced companies accountable.
Q: What contractual precautions can you take with your outsourcers?
A: Your legal department should be able to draft a document called a nondisclosure agreement, or an NDA. Both parties should sign it. You are entering into a contractual relationship. The NDA should have consequences that are clearly defined and agreed to.
Q: Do I still do my own background checks on the employees of an outsourced security team?
A: You could, but with the Fair Credit Reporting Act, it would be cleaner and easier for the hiring company to maintain that information. Have standards, make the requirements a part of the contract, and put in an audit provision if you have any doubts. Most of the highly regarded security companies will want to be sure that they hire only fully qualified staff that meet your contract requirements. It's their business and reputation on the line.



