• United States



by Diann Daniel

Security Secrets of IT Outsourcing

Apr 02, 200714 mins
Data and Information SecurityIT LeadershipOutsourcing

As the IT outsourcing market grows, so do the security risks. What can you do to decrease the threat?

Today, mitigating outsourcing security risks is more important than ever. In an interview with Associate Online Editor Diann Daniel, Burton Group Analyst Diana Kelley offers tips on determining risk levels, monitoring your vendor and negotiating service level agreements. How would you describe the security landscape surrounding outsourcing today?

Kelley: I would say that it’s a landscape that is becoming more defined and is gaining awareness overall. Companies have learned that they need to be security-aware with outsourcing. And, ultimately, one of the most important lessons is that you can’t transfer your reputational risk. If something goes wrong, it’s going to come back to you, not necessarily to your outsourcer. So that fantasy of, “I’m not going to have to worry about it anymore, I just give this problem over to somebody else and they’ll take care of it,” is just not true. Can you give some recommended practices to ensure the highest degree of outsourcing security?

Kelley: The number-one important thing you can do is to understand what it is you’re outsourcing. And that sounds kind of simple, right? It’s like, well, I’m outsourcing my call center; I’m outsourcing the management of my security. But it goes much deeper than that. It’s actually understanding what’s implicated in the outsourcing structure from a risk management perspective. So if you’re outsourcing data—let’s say it is a call center—well, does that have insurance patient data, personal health data in there? Is it some other personally identifiable information that needs to be protected? You’re not just outsourcing a call center, it’s the data and the controls around that data that you’re also outsourcing.

A call center’s also a great example where a company’s being represented by the vendor. If the person who’s answering that call is not helpful or doesn’t have the right information, you associate that with the organization you were trying to reach.

So you’re outsourcing a lot of things—your reputation, the protection of the data, the risks associated with it, the regulatory compliance requirements around the data or even the business processes that are involved. So number one, you really have just got to get a handle on what it is you’re outsourcing and what you need to do to protect that. Which country you’re outsourcing to and the particular risk levels of each country, that’s important as well?

Kelley: Yes, absolutely, because we have different legal jurisdictions in different countries, even different areas in the same country. We have a number of different requirements here in the U.S., but also around the world there are requirements. So in the U.S., we’re used to hearing about the old standards by now—HIPAA and SOX and the privacy disclosure laws that are known under the umbrella of SB 1386. We also have the SEC 17a-4 Rule for brokers and traders. In Canada, for example, they have PIPEDA for privacy; in Japan they’re looking at implementing something that’s being called JSOX; in the European Union there’s the Data Directive. And these different regulations around the world impact what can and can’t be done with data and the storage of that data and the processing of that data.

So you need to be aware of what kind of requirements are extant in the jurisdictions that you’re outsourcing to, as well as what kind of legal recourse you may have. It could be that if someone loses your data in the country you’re used to doing business in, you’re used to the legal system and the kind of recourse that you have within your own legal system. But other legal systems around the world may operate differently, so you want to understand that as well, because you don’t want to be in a situation where they lose your data but you don’t have any legal recourse to either get your data back or have some sort of remuneration for the damage that was potentially done.

Another thing that’s important about different countries in the world is that we have different levels of geographic stability. For example, there are flood zones in certain areas of certain countries or tornado areas. There are different levels where the power grids are more stable or less stable, so you also want to assess those kinds of things. That said, work is being outsourced to China, for example, where intellectual property theft is an issue, and there are issues with each country. How is it that you would protect yourself if you can’t fall back on the legal system in that country?

Kelley: Well, you could, one, just not do business with that country if you don’t feel comfortable with their legal regulations or your recourse there.

You could work off of an SLA, or service level agreement, that specifies explicit constraints. Even if you do that SLA, it really does bear considering. I would also have the lawyer review the SLA, and find out what your true recourse is. If you’re doing business with a country where you don’t like the controls or the legal process, then you might really want to think twice about that, especially if it’s highly sensitive data. With what actions can companies combat the out-of-sight, out-of-mind mentality that outsourcing enables?

Kelley: You really do need to have that transparency into outsourcing, no matter who or where you’re outsourcing to (even in your own country).  Some of the things you can do up front is to get an idea of how this business actually approaches risk. Do they go through regular audits such as a FAS 70 type 2 audit? Do they use a particular risk assessment methodology, and are they certified against using that? So BS 7799 is an example, or ISO 27001 is another option. So you can get a handle on what their procedures are; you can read their processes and procedures that they’ll share with you.

Talk to them about what they’re doing on an ongoing basis. If you do actually go forward and engage with them, you do want to be able to have transparency into what’s happening on a day-to-day basis. If they’re doing, for example, security monitoring of your infrastructure, you’ll probably want to see daily reports of what they’re viewing, see if there are false positives, false negatives coming out, possibly even have remote admin access to get into the systems if you need to change something or assess something that’s going on.

If you’re doing an outsource of software development, for example, which is very popular, then what you’d probably want to do is have access into wherever they’re checking the code in and out, so you could have one of your own external auditors do source code reviews on that code as it’s being written so that you have an idea of what that code looks like and how the development process is moving forward. So it will depend, based on what you specifically outsource, the kind of monitoring you want to do, but definitely transparency and monitoring on an ongoing basis and keeping that communication open with the outsourcer so that you have an idea. Because it’s your data, you do want to keep transparency and monitor it. What about the importance of checking the background of the outsourcing vendor’s personnel?

Kelley: Understanding what kind of background checks the personnel at your vendor go through is critical. You want to know, for example, if they check to see if there’s any criminal background. If they’re going to have any data about your company that’s sensitive, you want to have an idea if this person has been put in jail for stealing data before or for selling credit card information, for example.

So what do they do about that background check, and how do they make sure? And how do they monitor those employees every day to make sure that they’re not necessarily walking off with a good portion of your business on a USB stick? Any thoughts on that particularly, the day-to-day sort of monitoring, because it isn’t right in sight, you don’t necessarily know what’s going on?

Kelley: Yes, and again, that transparency into the audit, that control layer for monitoring. Some things specifically to check on: How are they keeping data away from people that shouldn’t have access to it? What kind of access control, authorization and authentication are they using to make sure that only the eyes that are supposed to see data or are supposed to transact particular processes are actually able to do that?

You’d want to also check on what they’re doing in terms of control within their data center itself from either a physical or a logical perspective. Very often it’s cheaper to have multiple instantiations of a server on one box, for example, so you might do it in a virtualized environment or something like that. But what if they’re housing your competitors’ information on the same server where your information is being housed? You’d want to make sure that they’ve got data separation, not just to make sure their employees are authorized, only the right ones, to see it, but also that anybody else who may have access to that data center, such as another remote client, is also going to be separated from your data and you’ve got them zoned properly with correct data control.

Encryption is another big piece that can be helpful here. You’d want to ask them what their data protection and lifecycle management is for the data when it’s transmitted, when it’s at rest and when it’s stored long-term. Any thoughts on negotiating a service level agreement? What sorts of things should be in there?

Kelley: Definitely think about it up front, because it’s very hard to go back in and negotiate after the fact if it’s something that the provider doesn’t necessarily want to give you. Sometimes technical people may think they don’t want to bring the lawyers in because it’s going to slow things down, they always find weird problems with the wording. But this is actually a very, very good thing, because before you go into this long-term contract with an outsourcer, you do want to make sure that you’ve explicitly spelled out what is and isn’t acceptable.

And one thing to look for very specifically is the right to audit clause. So if you want to be able to go in, if you want to have your own team of auditors go in for a FAS 70 or you want to have a pen test—and of course you’ll have to pay for that—or you want to perform a pen test or even a physical audit on site, you have to make sure that you’ve cleared that with that outsourcer up front. If you don’t, there’s every chance that they could say, “We never told you you could come. Our systems are private; you might expose information from other clients.” So be specific with them about what kind of audit control you want to have.

Another good thing to be specific about with them is how they’re going to deal with any problems that might occur. No matter what you’re doing, if it’s a call center or if it’s development, there will be problems at some point. And especially if they’re doing some monitoring of your network or infrastructure, you want to know that you’ve got an alert path in place and that that actual problem is going to be escalated up to the right person at the right time. So, for example, if they’re doing network infrastructure monitoring and a patch needs to be applied or a service has been tampered with, what should they do? Do they shut the service down? You need to know that someone from that vendor can contact somebody within your organization, get a resolution, get accountability, rather than it happening after the fact. For example, it’s a month later and you say, “Why was this system never patched?”

“We don’t know, we thought somebody knew about it.”

You don’t want these kinds of things to fall on the floor, so that accountability path is really important.

Another thing is quantifying what kind of remuneration they’re going to give you if there is a down time, if there is data loss. I said earlier that it’s very hard to outsource your reputational risk or to transfer your reputational risk, which is true. Something that is fixed in a lot of people’s minds is last August, when the Veterans Administration lost a lot of patient insurance claim data, but it wasn’t directly the Veterans Administration that did it—it was their subcontractor, Unisys. But we associate that breach with the Veterans Administration. So you can’t quantify necessarily the cost of reputational risk, but you could start to put some kind of a number on it.

What you might be able to quantify more easily is, what’s the cost of down time? What if your users can’t use that system? What if it’s a call center for reservations, but those reservations can’t be made. What would that cost your business? And put that into the SLA. We want to have that amount of money come back to us in the event of data loss or in the event of a service not being available. Is there anything that someone might not know, might not even think to ask about?

Kelley: The number one thing is that very often companies have not sat down and thought about what the real risk is associated with the information that they’re outsourcing. Your vendor could be very, very adept at what they’re doing. They could actually have better processes and better security than you do, but you can’t just trust that blindly. You still have to get a handle on the level of risk management you require, and then make sure that that outsourcer’s up to it.

You may find that they’re actually doing a better job of it than you were doing inside, but you still have to get a handle on it because it’s not something that you just say, “Well, I trust that they’re going to understand.” They can’t understand your processes; they can’t understand what your business value is, so you need to really help them understand. And understand it first yourself as you’re outsourcing whatever process it is that you’re putting out there.

You also need to specifically assign somebody within your organization to be the liaison with the vendor, to be the point person, whether it’s the accountability person or the one that’s checking the audit logs, or just talking to the outsourcer periodically to make sure that things are okay. The idea that you’re going to just wipe out all internal headcount associated with these processes is a myth. You still need people to work with the outsourcer to make sure that things work smoothly.

Associate Online Editor Diann Daniel can be reached at

More information: