Source: [id: 41018; name: CSO; isActive: true; siteId: 3] -- CSO -- $content.altguid

Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures

By Christopher Koch

May 01, 2005CSO — This is what it's like to be an employee for Tata Consultancy Services (TCS), an Indian IT services vendor, when working for a big American insurance company (in this case CNA):

When you come to work, your bag is searched. You may be too. You hand in your cell phone to the security guard, to be picked up when you go home.

When you arrive at your desk, there are no traces of the papers you worked on yesterdaythey got shredded last night. Don't bother trying to copy a digital picture of your kids onto your work screen (you can't copy or move files). There's nothing but a phone (which can't call anyone but the insurance company's help desk) and a computer with CD-ROM and floppy drives that work fine but are locked to you, as are the Internet and e-mail. And taking home a copy of CNA's confidential business process manual to bone up on in your spare time will get you fired, as one employee recently learned.

"The data and our processes are too sensitive. We can't afford to be lax," says Scott Sysol, director of infrastructure and security architecture for CNA.

While experts disagree wildly about the degree of extra risk involved in offshore outsourcing, companies such as CNA, an insurance giant that entrusts TCS with its sensitive financial and health-care information, are not taking chances with security when they send IT and business process work overseas. They are setting up rigid control processes with high levels of IT security. These initiatives cost money and cause disruption for outsourcers everywhere, but they are also the best ways to limit risks associated with sending such work offshore. (For its part, TCS declined to discuss its work with clients.)

And while practices such as forcing contractors to wall off work areas, slice up server farms and keep employees exclusive to one customer do not serve the basic economic tenets of outsourcingscale, sharing and repeatabilitythey are the kinds of risk-mitigating actions that customers and their contractors must take when working with sensitive business data and processes. Risk Is in the Eye of the BeholderNot all companies need the kinds of security measures that CNA has in place. It is up to CSOs and CIOs in the companies sending work offshore to define what's an acceptable risk, outline security measures (in the contract wherever possible) and monitor their enforcement with the cooperation and support of the offshore provider. That sounds like a no-brainer. But it turns out that few companies take an active role in what experts say is a classic case of out of sight, out of mind.

RESOURCE CENTER