Offshore Outsourcing: Don't Forget IT Security

Offshore outsourcing may save you money, but it also creates new risks. Here's a guide to necessary IT security measures


Security due diligence takes time, cautions Sony's Wheatley. "People watch too many cop shows. They think we can find answers to security issues in 12 hours," he says. "It doesn't work that way. Seventy to 80 percent of the time we find something that is bad enough not to do the business or get out of it if we're in it. Then we need time to figure out a solution or have the ability to walk away from the deal. Sometimes two weeks turns into four months when we find problems. It can take time to check these things out."

Best Practice Three: Lock Down the Infrastructure

From the moment CNA began sending BPO and software development work offshore in 2002, it took full control of the computing infrastructure at its outsourcers. CNA configured servers, laptops and PCs in the United States with all the software that CNA's outsourcers' employees would use. CNA sent staff along with the computers to set them up in India and connect them with CNA's dedicated network connection. Firewalls at the provider location and back in the United States help prevent any viruses on the local network at the provider, or from the network back home, from getting through to the hardware. When the outsourcer's employees log in to the CNA network, software and security updates are automatically loaded onto their machines from CNA after a process of software inventorying and validation has taken place.

New virtualization software from Microsoft and VMware takes this control to a new level. CNA uses VMware's ACE software to create an image, in effect a working duplicate, of a secure CNA desktop on a CD that it sends to the outsourcers, which load the images on their own servers and PCs. Employees working for CNA double click on the image's icon on their machines, the CNA desktop appears, and the image takes control of the PC and its peripherals. Employees cannot copy anything onto the encrypted CNA desktop nor take anything from it. The images can be set to lock out peripherals like USB flash drives. They can also be set to disappear from the computer on a specified date, handy if the employee leaves or the development project ends.

The images also help the offshore provider save money because it can load multiple images onto a single machine. The images give offshore employees more control. They can do CNA work without being connected to the CNA network, and if CNA allows it, they can still use the PCs for their own internal e-mail. "It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail," says CNA's Sysol. "Now they can do it on their own machines."

Best Practice Four: Audit Processes and Facilities Regularly

An outsourcing contract is like a diplomatic treaty. Trust is present, but it's vital to verify you're getting what your agreement calls for.

BNSF conducts independent audits of its offshore contractors' security processes once per quarter, according to Bonjour. The company also does an independent review of access rights that the offshore employees have to applications on BNSF's and the providers' internal networks to see if the employees are able to go where they shouldn't or if they have moved on to a new project and still have access to the systems they used to work on.
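The access-rights review described above, as an added example that is not BNSF's or the article's own tooling: each access grant held by an offshore employee is cross-checked against that person's current project assignment, flagging grants belonging to a project they have rolled off or left entirely. It goes one step beyond the text by also flagging grants that are still legitimate but have gone unused for a quarter. All names, systems and dates are constructed sample data.

```python
"""Quarterly access-rights review of offshore staff (added example, not from the
article or BNSF). Flags access grants that should have been revoked."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    last_used: date


# Constructed sample data: which project each system belongs to, and which
# project each offshore employee is currently on (None = rolled off the account).
SYSTEM_PROJECT = {"claims-db": "claims", "claims-app": "claims",
                  "billing-app": "billing", "hr-portal": "hr"}
CURRENT_PROJECT = {"asha": "claims", "ravi": "billing", "dev": None}

GRANTS = [
    Grant("asha", "claims-db", date(2004, 11, 1)),    # on project, but unused for months
    Grant("asha", "claims-app", date(2005, 2, 20)),
    Grant("ravi", "claims-app", date(2004, 11, 5)),   # moved to billing, still has claims access
    Grant("ravi", "billing-app", date(2005, 3, 2)),
    Grant("dev", "hr-portal", date(2004, 12, 30)),    # rolled off, access never removed
]


def review_access(grants, system_project, current_project, as_of, stale_days=90):
    """Return (user, system, reason) for every grant that fails the review.
    Reasons: 'left' (no current project), 'moved' (system belongs to a project
    the user is no longer on), 'stale' (still on project but unused)."""
    findings = []
    for g in grants:
        proj = current_project.get(g.user)
        if proj is None:
            findings.append((g.user, g.system, "left"))
        elif system_project.get(g.system) != proj:
            findings.append((g.user, g.system, "moved"))
        elif (as_of - g.last_used).days > stale_days:
            findings.append((g.user, g.system, "stale"))
    return findings


if __name__ == "__main__":
    for user, system, reason in review_access(GRANTS, SYSTEM_PROJECT,
                                              CURRENT_PROJECT, date(2005, 3, 31)):
        print(f"REVOKE {user}@{system}: {reason}")
```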

There are standards to help guide the audit process, such as the International Organization for Standardization (ISO) 17799 standard and the Statement on Auditing Standards No. 70, Service Organizations (SAS 70 Type II).

Yet because of the extra effort and expense of external audits, offshore providers may resist them, says Tatum Partners' DeLaCastro. "If each customer has the right to audit, and each demands specific security measures, it becomes a thousand variations on a theme and takes away from the providers' ability to standardize practices and swap people in and out from one customer to the next," says DeLaCastro. It's better to set up audit rights before a contract is signed; adding them after the fact could cause the provider's costs to rise.

Auditing should cover physical security too. It's important to tour the building where the work is done and make sure it is secure. "Big-name providers will put you in a modern, secure building, but you have to make sure that the work will actually be done in that building," says DeLaCastro. Old buildings may not be earthquake resistant or have reliable power supplies, fire suppression systems, or alarms tied to police and fire headquarters, he says. The provider should also show you a backup facility where work will carry on if the primary site has a problem.

In addition, your offshore employees should not share space with employees working on other customer accounts. There should be a physical barrier to the work area with pass-card entry and video surveillance of employees and maintenance staff. At the end of each day, any memos containing sensitive information should be destroyed. And devices such as cell phones, pagers and PDAs that can record or send information should be prohibited.

Most countries do not have the kind of information access that the United States enjoys, which means that it can be difficult to do independent background checks on offshore employees, verify past employment, search for criminal records or do the other kinds of checks considered routine in the States. Consider hiring a security consulting firm to check out references independently.

Lastly, look in the mirror. If you demand extraordinary precautions from your offshore vendor, make sure you maintain good security practices at home. "If you run a slovenly shop here, then you will run a slovenly one offshore," says Richard Isaacs, vice president of security consultancy Lubrinco Group.

Best Practice Five: Understand Where Your Work Gets Done

With markets throughout Asia and Europe offering services, the world can seem like one big outsourcing oyster. But it's important to understand the political context of your contractor's work situation.

So while it's hard to conceive of a foreign government stepping in and demanding disclosure of your proprietary software and data, it's important to know it has happened. According to Gartner, in 2000 the Chinese government decreed that any software using encryption had to be registered with the government, along with anyone using it. The government also said that any software used in China must include encryption software manufactured in China. The government eventually rescinded the decree, but if it had remained, foreign companies would have faced the threat of industrial espionage by the government.

Security consultants specialize in tracking offshore political risks. "You want to understand the powers and predilection of the national government to look at your data and the chance that the service provider would comply," says Kelly Kavanaugh, a Gartner analyst. "Some country is always getting caught doing some industrial espionage against U.S. companies. It's nothing new."

Copyright © 2005 IDG Communications, Inc.
