• United States



by Christopher Koch

IT Offshore Outsourcing Security: Put It in the Contract

May 01, 20052 mins
ComplianceData and Information SecurityIT Leadership

The outsourcing contract spells out security requirements and sets up regular audits and costly penalties for noncompliance

With legal recourse limited in many countries, the contract with the provider becomes critically important for outlining security responsibilities and penalties for breaches.

Leave plenty of time for negotiation, says Scott Sysol, director of infrastructure and security architecture for CNA. “It is a strenuous process with multilevel reviews inside both companies,” he says. There are also certain levels of sanctions that can be built into the contract. “You need to get something in the contract that says if someone steals something, the contractor will take responsibility,” says Sysol. “We’ve built some [financial] sanctions into our contracts. But you can’t go overboard because the providers will walk away from the deal.” Other contract recommendations:

  • Demand nondisclosure and noncompete agreements. With offshore providers growing so rapidly and turnover highas high as 30 percent in some companiesit’s important to understand what your offshore vendor is doing with your intellectual property and to do what you can to keep people from taking information about you with them, says Vinnie Mirchandani, principal of consultancy Deal Architect.
  • Bring legal disputes to U.S. courts. Require that the offshore vendor agree to handle legal disputes in the United States.
  • Require insurance. Top offshore vendors have insurance to protect customers against losses caused by the vendor or its contractors, says Forrester Research.
  • Keep discussions private. Insist on a separate meeting room near the work area.
  • Look for certifications. Though they do not guarantee good performance, the Certified Information Systems Security Professional, or CISSP, certification program and Global Information Assurance Certification at least demonstrate that employees have had exposure to security issues and best practices.