In Brief
IT Offshore Outsourcing Security: Put It in the Contract
The outsourcing contract spells out security requirements and sets up regular audits and costly penalties for noncompliance
By Christopher Koch
May 01, 2005 — CSO — With legal recourse limited in many countries, the contract with the provider becomes critically important for outlining security responsibilities and penalties for breaches.
Leave plenty of time for negotiation, says Scott Sysol, director of infrastructure and security architecture for CNA. "It is a strenuous process with multilevel reviews inside both companies," he says. There are also certain levels of sanctions that can be built into the contract. "You need to get something in the contract that says if someone steals something, the contractor will take responsibility," says Sysol. "We've built some [financial] sanctions into our contracts. But you can't go overboard because the providers will walk away from the deal." Other contract recommendations:
- Demand nondisclosure and noncompete agreements. With offshore providers growing so rapidly and turnover high
as high as 30 percent in some companies it's important to understand what your offshore vendor is doing with your intellectual property and to do what you can to keep people from taking information about you with them, says Vinnie Mirchandani, principal of consultancy Deal Architect. - Bring legal disputes to U.S. courts. Require that the offshore vendor agree to handle legal disputes in the United States.
- Require insurance. Top offshore vendors have insurance to protect customers against losses caused by the vendor or its contractors, says Forrester Research.
- Keep discussions private. Insist on a separate meeting room near the work area.
- Look for certifications. Though they do not guarantee good performance, the Certified Information Systems Security Professional, or CISSP, certification program and Global Information Assurance Certification at least demonstrate that employees have had exposure to security issues and best practices.
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
Discover whether hosting is your smartest choice for enterprise messaging.
To host or not to host? Thats the question for many CIOs as the volume and complexity of enterprise messaging continues to skyrocket.
- Enterprise Management Associates: Taking the Botnet Threat Seriously
- Understanding Data Location is Imperative for Data Loss Prevention
- Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
- 5 Strategies for Reducing the High Cost of Online Consumer Authentication
- Guide: 5 Steps to Secure Outsourced Application Development
- Fact or Fiction Security Survival Guide: Clearing up Misconceptions, Myths and Mistruths about Security
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
7th Annual Digital ID World
-
September 8 - 10, 2008Hilton AnaheimRegister now »
Anaheim, California
(ISC)2 members can earn up to 20 CPE Credits
Reference priority code ONLINE and save $800 off the full registration price — attend the program for $995
