IT Security Outsourcing Decisions – Considerations

As already raised the bar of suspicion in the previous two articles, now the
thing to think is – what needs to be done to clear the air of suspicion?
What is the possible way out to clear the ambiguity in the Process of
Outsourcing? Well though there are various ways to deal with the situation,
and one can do what may seem to be appropriate, but the steps that need to
be considered are –

* Think as a Hacker

* Decide on Accessibility?

* Control Data Usage and Handling

* Protect the Information

* Maintain Confidentiality

* Apply the Sixth Sense / Instinct

* Deploy Vigilance for Incidence Reporting

Think as a Hacker

There are few things to be considered and understood before finally handing
over the reigns to a stranger. One needs to view the IT issues from a
hacker’s perspective. One needs to clearly take a good note of the situation
looking for the answer to the questions –

* What if my confidential information gets into the wrong hands?

* Do I have IT assets worth an abuse?

* What negative consequences would occur if they were abused?

* Is my job going to be on the line if my organization makes the
headlines?

Decide on Accessibility?

Most outsourced IT services require one or other person to have full access
to whole or a part of the organization’s IT assets. For instance, IT
Helpdesk support professionals will most likely need administrative rights
to the client machines and probably the respective servers also. This
meaningfully translates into full access to corporate data stored on the
local drives and, potentially, network shares. Consider what an IT auditor
or security consultant may gather during the days, weeks or months while
working onsite at an organization’s IT facility. It at times might translate
into more than what even the best guys of the organization know. Certainly
limitless and it only takes one miscreant to cause the damage.

Control Data Usage and Handling

Outsourced IT service provider might have access to the data as highlighted
in the previous point. But that’s just one of the points identifying the
risks associated with Outsourcing. What is more important to establish is
what are the various outsourced personnel doing with the data. Data
handling by the outsourced agency is another aspect to be understood. If we
look into the matter we might find that the outsourced agency personnel
could be storing the data on their servers, laptops, CDs or USB drives or
might even be printing hard copies? Clients should expect to turn at least
some of their information over and need to be informed of why it’s needed
and how it’s going to be used.

Protect the Information

IT Systems deal, process and store vital data and information that is
sensitive, crucial and confidential for the business. When outsourcing the
security of the IT establishment and the organization wide information
security process, one has to consider how the data and information is being
protected? — if at all. What are they doing with data and/or information?
Are they sharing it with colleagues or competitors? Keeping it to sell on
eBay in a few years? Even if the people you’re outsourcing your IT services
to are bound by contract to protect your information, they may not have your
best interests in mind, or they may be just plain sloppy. Consider what a
person has to lose if he ends up leaving the company or getting out of the
IT business altogether. The probability of sales data, source code or
patient information being used for ill-gotten gains is pretty low, but it
can happen.

Maintain Confidentiality

Call me a pessimist, but I’ve seen too many digital goods mishandled by
careless IT experts with a general disregard for other people’s property.
The root of a lot of this — which continues to amaze me — is when
organizations outsource IT support, but never consider the basics such as
running background checks and examining references on the people they’re
placing trust in. Confidentiality agreements are being used more and more,
but arguably not enough.

Apply the Sixth Sense / Instinct

Strong contracts and clean criminal records are not a perfect indicator of
safe and sound IT services, so don’t rely solely on them. It’s also
unrealistic to attempt to completely control where your sensitive data is
housed and what a third-party does with it. Whether you’re for or against
outsourcing IT services, you’ll have to do it eventually. Do your best to
find good people to do business with – preferably through referrals – and
trust your instincts.


Deploy Vigilance for Incidence Reporting

Don’t stop there though. It’s not a matter of just having the proper
security controls and paperwork in place to take the risk out of outsourcing
IT services. It’s just as important to have watchful employees who can tell
when something’s not right and management that’s willing to listen, support
their employees and create an overall sense of security vigilance in the
organization.