In Brief
IT Offshore Outsourcing Security: Put It in the Contract
The outsourcing contract spells out security requirements and sets up regular audits and costly penalties for noncompliance
By Christopher Koch
May 01, 2005 — CSO — With legal recourse limited in many countries, the contract with the provider becomes critically important for outlining security responsibilities and penalties for breaches.
Leave plenty of time for negotiation, says Scott Sysol, director of infrastructure and security architecture for CNA. "It is a strenuous process with multilevel reviews inside both companies," he says. There are also certain levels of sanctions that can be built into the contract. "You need to get something in the contract that says if someone steals something, the contractor will take responsibility," says Sysol. "We've built some [financial] sanctions into our contracts. But you can't go overboard because the providers will walk away from the deal." Other contract recommendations:
- Demand nondisclosure and noncompete agreements. With offshore providers growing so rapidly and turnover high
as high as 30 percent in some companies it's important to understand what your offshore vendor is doing with your intellectual property and to do what you can to keep people from taking information about you with them, says Vinnie Mirchandani, principal of consultancy Deal Architect. - Bring legal disputes to U.S. courts. Require that the offshore vendor agree to handle legal disputes in the United States.
- Require insurance. Top offshore vendors have insurance to protect customers against losses caused by the vendor or its contractors, says Forrester Research.
- Keep discussions private. Insist on a separate meeting room near the work area.
- Look for certifications. Though they do not guarantee good performance, the Certified Information Systems Security Professional, or CISSP, certification program and Global Information Assurance Certification at least demonstrate that employees have had exposure to security issues and best practices.
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- WagerWorks Takes Fraudsters Out of the Game Using iovation
- A Security Blueprint Delivered From within the Network
- Comparing Research In Motion and Microsoft Mobile Solutions
- The Total Economic Impact of Network Security Intrusion Prevention
- Protecting Your Intellectual Property White Paper
- Seven Technologies for Advanced Mail Protection
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
