In Depth

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

Page 6

New virtualization software from Microsoft and VMware takes this control to a new level. CNA uses VMware's ACE software to create an imagein effect, a working duplicateof a secure CNA desktop on a CD that it sends to the outsourcers, which load the images on their own servers and PCs. Employees working for CNA double click on the image's icon on their machines, the CNA desktop appears, and the image takes control of the PC and its peripherals. Employees cannot copy anything onto the encrypted CNA desktop nor take anything from it. The images can be set to lock out peripherals like USB flash drives. They can also be set to disappear from the computer on a specified datehandy if the employee leaves or the development project ends.

The images also help the offshore provider save money because it can load multiple images onto a single machine. The images give offshore employees more control. They can do CNA work without being connected to the CNA network, and if CNA allows it, they can still use the PCs for their own internal e-mail. "It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail," says CNA's Sysol. "Now they can do it on their own machines."Best Practice Four: Audit Processes and Facilities Regularly An outsourcing contract is like a diplomatic treaty. Trust is present, but it's vital to verify you're getting what your agreement calls for.

BNSF conducts independent audits of its offshore contractors' security processes once per quarter, according to Bonjour. The company also does an independent review of access rights that the offshore employees have to applications on BNSF's and the providers' internal networks to see if the employees are able to go where they shouldn't or if they have moved on to a new project and still have access to the systems they used to work on.

There are standards to help guide the audit process, such as the International Organization for Standardization (ISO) 17799 standard and the Statement on Auditing Standards No. 70, Service Organizations (SAS 70 Type II).

Yet because of the extra effort and expense of external audits, offshore providers may resist them, says Tatum Partners' DeLaCastro. "If each customer has the right to audit, and each demands specific security measures, it becomes a thousand variations on a theme and takes away from the providers' ability to standardize practices and swap people in and out from one customer to the next," says DeLaCastro. It's better to set up audits before a contract is signed; done after the fact could cause the provider's costs to rise.