Founding Member of FormIGA – the global Industry for Good Alliance

Security in Outsourcing

1 Dec 2006 12:00 AM | Anonymous

Channel 4’s recent Dispatches programme highlighted problems that Indian companies have had with data security. The sting operation managed to buy personal data on British citizens from Indian call centre workers. Data security in outsourcing arrangements has long been an issue that troubles many in the financial community; this high-profile failing of data security won’t allay fears. There are no easy solutions to data security, and it is only by being extremely thorough that firms can ensure that data is kept safe from fraud and theft.

Data security is at the heart of any outsourcing agreement. When financial companies outsource their IT, more often than not the data transferred to the supplier will contain confidential information. Outsourcing agreements are built on trust between end user and supplier. It’s crucial that the end user has to trust the supplier with this information and equally the supplier returns the favour by guarding this data in a suitable manner.

Undefined boundaries relating to the division of responsibility of security protocol are often the reason behind security lapses. When working with a supplier, the issue of responsibility is always a potential problem. This can often be exacerbated by an ‘out of sight out of mind’ attitude - this is not an approach that any organisation can afford to take, particularly with security. Suppliers need to be allowed to work with the data, but it helps if end users build the security policy, in conjunction with suppliers. If not, the left hand might not know what the right hand is doing and this may result in misaligned security objectives and achievements. It helps if throughout an outsourcing agreement the users visit the supplier location every 6 months or every year to make sure that all processes are up to scratch.

Companies need a wide range of procedures, covering physical security, IT security and the security of intellectual property in order to formulate a security policy and then a complete security programme. All these factors need to be considered and integrated into a security plan in order to safeguard data effectively.

Physical security

In the last month, three laptops containing Metropolitan Police payroll data were stolen from LogicaCMG, the UK IT services firm, demonstrating that breeches to physical security do occur. The first barrier to data theft has to be physical security. Customers’ data, particularly bank details, must be entirely protected from thieves. It is advisable to have a rigorous security structure that includes: card access control; employee badges; security guards; 24/7 video surveillance; dedicated, client approved and physically secured development centres; electronic motion censors (during non-business hours); mantrap-controlled entrances and exits; coded door locks and PIN cards. Vendors must cater to the needs of all of their customers, and some financial companies might require further physical security, and flexibility is the key on the part of the supplier.

IT / Data security

Other activities that companies should always practice include firewalls, anti-virus software and automatic patch updates. These are the basics. Businesses must be careful to ensure separate back-up and IT infrastructures exist for each client, and all data is backed up.

It helps if suppliers have further measures in place, to keep the data secure and to ensure the financial client retains full confidence in the security standards. Businesses must have a central monitoring system to monitor in-coming and out-going correspondences, as well as dedicated channels with encryption between customer and vendor.

Intellectual Property

Recent research has shown that banks should fear insiders more than hackers. Because of the potential for corruptibility it is imperative that processes are implemented to retain firms’ intellectual property.

The HR team, when hiring, should be thinking about defending the firm’s intellectual property. Strenuous screening and background checks should ensure that unscrupulous applicants never become employees. Employees should be educated about the legal requirements and responsibilities of working for the particular organisation. Staff should be made to sign non-disclosure agreements and not be allowed to use USB ports / sticks, as this is an easy way to take data (physically) outside of the organisation.

Complying with local area regulation is vital, and India, following the aforementioned security breeches, is in the process of formalising an equivalent of the Data Protection Act. However, in its absence, suppliers are falling over themselves to demonstrate data security compliance.

In Eastern Europe, strict laws defend the intellectual property of companies. If an employee has signed appropriate documents (as they should do when they join), then they could end up in prison for breaches of data security. Coupled with this, IT employees, especially those from Russia, have a scientific mentality that dates back to the times of the USSR, whereby attention to detail means that people are very sensitive to the threat of security breaches.

Security in financial IT outsourcing is imperative. It is the glue that creates a positive outsourcing bond. The whole outsourcing deal is built on trust at the heart of the relationship and if trust is present, it is a good stepping stone to build a healthy relationship. On the flip side, if a vendor demonstrates poor security, this can undermine the whole relationship, even if the actual work is going well. The message to vendors and customers in the financial industry is this: a security system, properly integrated between end user and supplier can be the base on which to build a long and healthy outsourcing relationship.

Ivan Gavrilyuk is CIO of Luxoft. For more information on Luxoft www.luxoft.com.

Powered by Wild Apricot Membership Software