
How to mitigate the security risks of outsourcing - ...

http://www.computerweekly.com/Articles/2007/12/...


How to mitigate the security risks of outsourcing


Ron Condon Wednesday 05 December 2007 17:04

Outsourcing any part of your business is a risky step, as it means handing over control to another company. The outsourcing supplier may do a better job of the outsourced process than you could, and for a lower cost, but there is also a chance it will get things wrong. And if something goes wrong, it is your company's name that will feature in the headlines.

So, anyone looking at outsourcing needs to think carefully. It is essential to understand the risks, and to take all reasonable steps to keep them to a minimum.

It is also worth keeping the risks in perspective. Since the days of the computer bureaux in the 1970s, companies have given payroll processing to outside suppliers to handle, and for the most part those specialist companies carried out their task without a problem.

But IT is now much more than payroll and accounts. It is intrinsic to the running of the business. Everyone has a screen on their desk, and IT supports virtually all business activities and provides vital links to customers and suppliers. Handing all that over to an outsourcing supplier needs careful thought and planning.

The lure of outsourcing

The attraction of outsourcing, whether locally or overseas, is that it can help cut costs and make them easier to manage and predict. In some cases, outsourcing may also be seen as a last resort to solve an intractable problem - in other words, leaving someone else to sort out the mess.

Outsourcing can be effective, but the people who do it successfully all agree that thorough preparation is essential. Rushing into an outsourcing deal to solve a problem is likely to lead to more trouble.

Paul Simmonds, global information security director at chemical supplier ICI, says outsourcing should not be an excuse to walk away from a task. "The biggest mistake people make is not managing the outsourcing supplier properly," he says.

When Simmonds joined ICI, it had outsourced most of its IT to a range of suppliers around the world, with the majority going to IBM Global Services and Atos Origin. Simmonds has continued the trend by outsourcing the majority of ICI's security processes. For example, he uses IT security supplier Qualys to check that ICI's desktop systems are being properly patched, thereby getting one outsourcing supplier to monitor what another is doing. He also outsources e-mail management to MessageLabs, and is on the verge of going to another supplier for web filtering.

Outsourcing security might seem a bridge too far, but he says the move raised no eyebrows among senior management. "The corporate culture is to outsource key non-essential services. It is all a question of assessing the risk, and asking if an outsider can do it better than we can," he says.

He says outsourcing works best when you can ring-fence the task and have a clear interface with the outsourcing supplier. "You have to know the boundaries. It fails if the company does not define its interface. If they do not understand the problem, then they will not be able to manage the process. If you have an understanding of the problem and plan the outsourcing properly, then your chances of success are greatly increased," says Simmonds.

The planning process should involve spending time to get to know the outsourcing supplier and making sure you are compatible, says Donal Casey, a principal consultant with IT consultancy the Morse Group. "It is almost like a marriage," he says, adding that it is essential to get an understanding of how the supplier works, rather than accepting its marketing messages at face value.

Recognised working standards, such as ISO 27001 for information security, are a good indicator that the outsourcing supplier takes security seriously, but they are not a guarantee. Marcus Alldrick, a principal advisor with consultancy KPMG, says some certifications are less reliable than others.

"There are some fast-track certifications, so it is worth checking who did the accreditation," he says. It is also crucial to check what part of the business the certification covers. If it covers HR and you are looking to outsource firewall monitoring, it is not much use, he says.

Conduct a risk assessment

So begin with a risk assessment, look at the potential business impact if the process in question goes wrong, and assess whether outsourcing would make you more vulnerable. The higher the risk, the more checking you will need to do with the prospective supplier. In all circumstances you need to get to know them and how they work.

It is essential to carry out due diligence on site, says Alldrick. Work with the outsourcing supplier's people to gain an understanding of their processes, and check the company's controls are embedded in its processes, whether procedural or technical. For example, check to see if staff try to bypass controls, such as by sharing passwords. Also, check how the company manages starters and leavers, and how quickly the process happens.

"When someone leaves, is their user ID reallocated, and what controls lie behind it? Can you gain accountability for any user ID for any given time, because that is what it is there for," says Alldrick.

Get to know your supplier

Depending on the level of risk, this process of getting to know the supplier may take weeks or months.

"You are relying on the outsourcing provider to manage aspects of risk on your behalf. You need to recognise that, and so does the outsourcing supplier. You need to engage with them and take time to perform due diligence.

"You need to make sure they practise what they preach. Just because you outsource, it does not mean the problem has gone away. So you must build a proper relationship," he says.

Alldrick suggests assigning people in your company to work with their counterparts in the outsourcing supplier, so that a proper relationship can be built and maintained over time.

"Relationships are important, because if and when things go wrong, you need to work together. A close working relationship is essential when it comes to incident management," says Alldrick.

The dangers of poorly managed risk are particularly evident in the energy industry. Ian Campbell, chief information officer for British Energy and chairman of the Corporate IT Forum, lives with the risks all the time, and so any outsourcing has to be done with caution. "We have to go through all the checks. We vet the outsiders in the same way as we vet ourselves, and that includes penetration testing," he says.
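The starters-and-leavers check Alldrick describes above (is a leaver's user ID revoked promptly, is it reallocated, and can every use of an ID at any moment be tied to a named person?) is easy to state and easy to skip. The following script is an added example written for this page; it is not from the article, from ICI, from KPMG or from any supplier named here. It assumes the supplier can export an assignment history (which person held which ID, from when to when), an HR list of leavers' last working days, and an access log, all of which are constructed sample data here with made-up names, IDs and dates. It resolves the accountable person for each log event, flags events during gaps when nobody owned the ID or after the holder had already left, and measures how many days deprovisioning lagged behind each leaver's departure.

```python
"""Added example (not from the article): audit helper for the user-ID
accountability check. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    user_id: str
    person: str
    start: datetime           # when this person was given the ID
    end: Optional[datetime]   # when the ID was revoked from them; None = still active


# Constructed assignment history (what a supplier's IAM/HR export might contain).
ASSIGNMENTS = [
    Assignment("ops017", "A. Smith", datetime(2007, 1, 8), datetime(2007, 6, 29)),
    Assignment("ops017", "B. Jones", datetime(2007, 7, 16), None),  # ID reallocated after a gap
    Assignment("ops042", "C. Lee", datetime(2007, 3, 1), datetime(2007, 9, 14)),
]

# Constructed HR leaver list: person -> last working day.
LEAVERS = {"A. Smith": datetime(2007, 6, 22), "C. Lee": datetime(2007, 9, 3)}

# Constructed access log, one "timestamp user_id action" record per line.
LOG = """\
2007-06-25T09:12:00 ops017 login
2007-07-03T22:40:00 ops017 login
2007-07-20T08:01:00 ops017 login
2007-09-10T13:30:00 ops042 file-export
2007-10-02T10:00:00 ops042 login
"""


def owner_at(user_id, when, assignments=ASSIGNMENTS):
    """Return the person accountable for user_id at 'when' (datetime or ISO
    string), or None if nobody held the ID at that moment."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for a in assignments:
        if a.user_id == user_id and a.start <= when and (a.end is None or when < a.end):
            return a.person
    return None


def deprovisioning_delay(assignments=ASSIGNMENTS, leavers=LEAVERS):
    """Days between each leaver's last working day and revocation of their ID.
    A value of None means the ID was never revoked: the worst finding."""
    delays = {}
    for a in assignments:
        if a.person in leavers:
            left = leavers[a.person]
            delays[(a.user_id, a.person)] = None if a.end is None else (a.end - left).days
    return delays


def audit_log(log=LOG, assignments=ASSIGNMENTS, leavers=LEAVERS):
    """Attribute every log event to a person and classify it:
    OK          - a current, still-employed holder used the ID
    AFTER-LEAVE - the holder had already left but the ID was not yet revoked
    UNOWNED     - the ID was used while no one was assigned to it (no accountability)"""
    findings = []
    for line in log.splitlines():
        ts_text, user_id, action = line.split()
        when = datetime.fromisoformat(ts_text)
        person = owner_at(user_id, when, assignments)
        if person is None:
            status = "UNOWNED"
        elif person in leavers and when > leavers[person]:
            status = "AFTER-LEAVE"
        else:
            status = "OK"
        findings.append((ts_text, user_id, action, person, status))
    return findings


if __name__ == "__main__":
    for ts, uid, action, person, status in audit_log():
        print(f"{ts} {uid:<7} {action:<12} {str(person):<10} {status}")
    for (uid, person), days in deprovisioning_delay().items():
        print(f"{uid} ({person}): revoked {days} day(s) after leaving")
```

Two of the five constructed events cannot be attributed to anyone, two more were performed by people who had already left, and both leavers kept a live ID for a week or more after their last day. Those are exactly the questions to put to a prospective supplier during on-site due diligence: how quickly the revocation happens, and whether a reallocated ID can still be traced back to whoever held it at a given time.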


Thursday 05,August,2010 05:06 PM

As with many industries, most of these measures are prescribed by industry regulators, which will view the outsourcing supplier as part of the wider virtual organisation and subject to the same standards.
