In Depth

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

Auditing should cover physical security too. It's important to tour the building where the work is done and make sure it is secure. "Big-name providers will put you in a modern, secure building, but you have to make sure that the work will actually be done in that building," says DeLaCastro. Old buildings may not be earthquake resistant or have reliable power supplies, fire suppression systems, or alarms tied to police and fire headquarters, he says. The provider should also show you a backup facility where work will carry on if the primary site has a problem.

In addition, your offshore employees should not share space with employees working on other customer accounts. There should be a physical barrier to the work area with pass-card entry and video surveillance of employees and maintenance staff. At the end of each day, any memos containing sensitive information should be destroyed. And devices such as cell phones, pagers and PDAs that can record or send information should be prohibited.

Most countries do not have the kind of information access that the United States enjoys, which means that it can be difficult to do independent background checks on offshore employees, verify past employment, search for criminal records or do the other kinds of checks considered routine in the States. Consider hiring a security consulting firm to check out references independently.

Lastly, look in the mirror. If you demand extraordinary precautions from your offshore vendor, make sure you maintain good security practices at home. "If you run a slovenly shop here, then you will run a slovenly one offshore," says Richard Isaacs, vice president of security consultancy Lubrinco Group.

Best Practice Five: Understand Where Your Work Gets Done

With markets throughout Asia and Europe offering services, the world can seem like one big outsourcing oyster. But it's important to understand the political context of your contractor's work situation.

So while it's hard to conceive of a foreign government stepping in and demanding disclosure of your proprietary software and data, it's important to know it has happened. According to Gartner, in 2000 the Chinese government decreed that any software using encryption had to be registered with the government, along with anyone using it. The government also said that any software used in China must include encryption software manufactured in China. The government eventually rescinded the decree, but if it had remained, foreign companies would have faced the threat of industrial espionage by the government.
