In this fast globalizing economy both customers and service providers are increasingly being challenged to effectively protect business-critical information assets. Interestingly, data security is as much a challenge for the Western customers as it is for offshoring providers. However, in the context of this new global order, it has many new dimensions:
- Complexity of data protection increases as the customer has to factor in security procedures of multiple service providers who are responsible for managing its different business functions.
- Service providers often have different security thresholds, legal setups and compliance laws from that of companies in the Western economies.
- Outsourcing is still a political hot button, and generates negative emotions not only among the work force but also in the Western media. Any negative news of security breach becomes bad news not only for the service provider but also for the industry in general. It also negatively impacts the brand image of the country as an outsourcing destination.
- Companies often fail to perform due diligence, such as background checks on staff who will handle customer data.
- Online fraud is reported to be 83 times higher than traditional fraud; nine out of ten businesses were affected by cyber crime in 2006; cyber crime cost the U.S. $67.2 billion (FBI, 2005); 100 million Americans are at risk of identity theft because of data breaches (New York Times).
- Financial motives are making attackers more sophisticated. Attacks are much more targeted than before. User workstations are the easiest path into the network. Identity theft has become the preferred route for criminals.
Put limits on data collection. For example, is the SSN really required? Is the complete date of birth needed, or would year and month be sufficient?
SECURE OUTSOURCING AGREEMENT
Given this background, documenting and signing off on security expectations should be one of the most essential components of any outsourcing contract. Below are some of the essential components of a secure outsourcing agreement.
Penetration Tests and Audits
Periodic independent security audits, and the right to review their results, should be part of the customer company's risk-management strategy. It is important to clearly set the scope, methodologies and tools to be used for these tests. In the event that audit results are not satisfactory, the remediation period and the effort expected should be clearly spelled out.
Some penetration testing scenarios could be:
- Act as an external attacker
- Perform internal attacks (disgruntled employee/attacker with physical access)
- Exploit vulnerabilities in the provider's software (browsers, e-mail clients, etc.).
Physical Security
- Cameras should be placed near all sensitive areas
- Facilities should be equipped with alarms to notify of any suspicious intrusions. They should be locked and controlled through biometrics or smartcards
- The service provider must regularly check the audit trail of the key-card access systems, in particular noting how many failed access attempts have occurred, by whom, and when.
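An added example, not from the article, of the kind of review the last point asks for: it parses a key-card audit export, counts denied attempts per badge and flags badges that hit a threshold as well as entries granted outside business hours. The CSV layout, the threshold, the business-hours window and the log lines themselves are constructed assumptions; real badge systems export in their own formats.

```python
"""Review a key-card access audit trail for repeated denials and after-hours entry.

Added example (not from the article). Log format, threshold and
business-hours window are assumptions for illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample export: timestamp, door, badge id, result
SAMPLE_LOG = """\
2007-03-12 08:55:10,server-room,B1042,GRANTED
2007-03-12 09:01:44,server-room,B2210,DENIED
2007-03-12 09:01:52,server-room,B2210,DENIED
2007-03-12 09:02:03,server-room,B2210,DENIED
2007-03-12 09:02:15,server-room,B2210,DENIED
2007-03-12 12:30:00,data-center,B1042,GRANTED
2007-03-12 23:45:31,server-room,B1042,GRANTED
2007-03-13 02:10:05,data-center,B3301,DENIED
"""

FAILED_THRESHOLD = 3                         # assumption: 3+ denials per badge merits review
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumption: 07:00-20:00 local time


def parse_log(text):
    """Turn the CSV export into a list of event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "door": door,
            "badge": badge,
            "result": result,
        })
    return events


def failed_attempts_by_badge(events):
    """Count DENIED events per badge id."""
    return Counter(e["badge"] for e in events if e["result"] == "DENIED")


def after_hours_access(events):
    """Granted entries outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["result"] == "GRANTED" and not (start <= e["ts"].time() < end)]


def review(text):
    """Produce the findings a reviewer would look at first."""
    events = parse_log(text)
    failed = failed_attempts_by_badge(events)
    findings = []
    for badge, n in sorted(failed.items()):
        if n >= FAILED_THRESHOLD:
            findings.append(f"badge {badge}: {n} failed attempts")
    for e in after_hours_access(events):
        findings.append(
            f"badge {e['badge']}: after-hours entry to {e['door']} at {e['ts']}")
    return {"total_failed": sum(failed.values()), "findings": findings}


if __name__ == "__main__":
    for line in review(SAMPLE_LOG)["findings"]:
        print(line)
```

A repeated-denial burst within seconds (B2210 above) usually means a lost or cloned card being tried, while a single granted entry at midnight is worth a phone call even though nothing "failed".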
Data Security
- Data should be transmitted in encrypted format
- Sensitive customer data falling in the PII category (Social Security Numbers (SSN), date of birth, credit card numbers, etc.) should be stored in encrypted format
- Corporate data of the service provider and its multiple customers should be logically separated
- Access to data should always require two-factor authentication
- Sensitive data should only be available to qualified, authorized persons
- Once the contract is terminated, data must be destroyed.
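An added example, not from the article, that puts the data-minimization point from the sidebar and the PII-storage point above into code: the record keeps only the year and month of birth, retains the last four digits of the SSN and card number for display, and replaces the full values with a keyed HMAC token so records can still be matched across systems without the raw identifier being stored. The key, field names and the sample record are assumptions; a plain unkeyed hash would not do, because the space of nine-digit SSNs is small enough to brute-force. Reversible field encryption (e.g. AES-GCM) needs a third-party library and is not shown here.

```python
"""Minimize and pseudonymize PII before it is stored or handed to a provider.

Added example, not from the article. Key, field names and sample record
are assumptions for illustration.
"""
import hmac
import hashlib
import re
from datetime import datetime

# Assumption: the tokenization key is held in a secrets manager or HSM,
# never next to the data. An unkeyed hash of an SSN is NOT enough: the
# 10^9 possible values are trivially enumerated by anyone holding the dump.
TOKEN_KEY = b"demo-only-key-replace-with-managed-secret"

SSN_DIGITS = re.compile(r"^\d{9}$")
CARD_DIGITS = re.compile(r"^\d{13,19}$")

# Constructed sample record (not real data)
SAMPLE_RECORD = {
    "customer_id": "C-00017",
    "name": "J. Doe",
    "ssn": "123-45-6789",
    "dob": "1975-04-22",
    "card": "4111 1111 1111 1111",
}


def _digits(value):
    return "".join(c for c in value if c.isdigit())


def pseudonymize(field, value, key=TOKEN_KEY):
    """Deterministic keyed token: same field+value under one key -> same token.

    The field name is mixed in so an SSN and a card number that happened to
    share digits would not collide.
    """
    msg = field.encode() + b":" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def minimize_ssn(ssn, key=TOKEN_KEY):
    digits = _digits(ssn)
    if not SSN_DIGITS.match(digits):
        raise ValueError("SSN must contain exactly 9 digits")
    return {"ssn_token": pseudonymize("ssn", digits, key), "ssn_last4": digits[-4:]}


def minimize_dob(dob):
    """Keep year and month only; input must be YYYY-MM-DD."""
    return datetime.strptime(dob, "%Y-%m-%d").strftime("%Y-%m")


def minimize_card(card, key=TOKEN_KEY):
    digits = _digits(card)
    if not CARD_DIGITS.match(digits):
        raise ValueError("card number must contain 13 to 19 digits")
    return {"card_token": pseudonymize("card", digits, key), "card_last4": digits[-4:]}


def minimize_record(record, key=TOKEN_KEY):
    """Return a record that carries no raw SSN, full DOB or full card number."""
    out = {"customer_id": record["customer_id"], "name": record["name"]}
    out.update(minimize_ssn(record["ssn"], key))
    out["dob_month"] = minimize_dob(record["dob"])
    out.update(minimize_card(record["card"], key))
    return out


if __name__ == "__main__":
    for k, v in minimize_record(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Because the token is keyed, the customer can rotate or withhold the key at contract termination; the provider's copies then cannot be matched back to individuals even before the data itself is destroyed.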
Disaster Recovery
Disaster Recovery is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-caused disaster. It is important to lay down in the service-level agreement the expectations and requirements for each business-critical application. The following ground should be covered:
- Uptime and downtime requirements of each application being serviced by the service provider
- Mutually agreed data backup and protection methodology for each business application
- Frequency of disaster-recovery tests. Methodology, scope and verification process of the test should be defined
- Publication of test results and time period to take corrective actions
- Process to access disaster-recovery documentation
- Contact details for the technical and administrative staff who will participate in a simulated test scenario or in the recovery efforts after an actual disaster.
Web Security
- Identify the specific configuration files and architecture (e.g. Java, ActiveX) for Web servers
- Conduct vulnerability assessments of the servers and supply the most recent results and remediation status. Also conduct security quality-assurance testing.
Network Security
It must be ensured that firewalls, virtual private networks, intrusion detection systems and wireless networks are properly configured and administered.
Host Security
- Server specifications and hardening procedures
- Software maintenance policy
- Authentication policy
- Information on account-management process of all the accounts the service provider is responsible for.
Crisis-management Plan
This should be triggered if sensitive employee or customer data is lost, stolen, or acquired electronically. It should include instructions to prevent identity theft if social security numbers and/or financial account numbers are obtained illegitimately.
Termination Clauses
Maintain strong termination clauses and incorporate liability provisions into the security agreement for failure to meet security standards and lack of due diligence. The customer's and the service provider's responsibilities and accountability should be clearly documented.
Consistent Policies
Organizations should specify rules that outsourcing providers must comply with, for example on passwords and access codes. Ensuring that the provider works in the same style is paramount for making the process seamless. As per section SA-9 of NIST SP 800-53, "Third-party providers are subject to the same information system security policies and procedures of the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization's internal systems."
WORKPLACE CHECKS
Background Checks
One way to prevent misuse of sensitive data is to perform background checks. Companies must verify an employee's educational background, employment history and criminal record, if any.
Nasscom, the Indian association of software and services companies, for instance, has created a National Skills Registry in which employee information is captured. Interestingly, while this data is owned by the employee, Nasscom is responsible for maintaining and authenticating the information by conducting its own due diligence. Employee information can be released to a customer with the employee's consent.
At the same time, it is important to adhere to local privacy laws while conducting background checks or collecting employee information.
Disable Local Access
The damage caused by data theft can be considerable given the ability to move very large files via e-mail, Web uploads and hand-held devices.
As soon as a user logs in to the secured network, one has to make sure that he is not able to save information to the local C: drive or to USB drives. Also, no file attachments should be sent outside the secured network, and all mail sent outside the network should be scanned.
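An added example, not from the article, of the outbound mail scan described above: it parses a message, determines whether any recipient is outside the provider's own domain and, if so, blocks the message when it carries an attachment or when a body contains an SSN-shaped value or a Luhn-valid card number. The internal domain list, the message and the block/allow policy are constructed assumptions; a production gateway would also inspect attachment contents and archive what it blocks.

```python
"""Scan outbound e-mail for attachments and PII before it leaves the network.

Added example, not from the article. Domains, sample message and the
block/allow policy are assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"provider.example"}   # assumption: the provider's own mail domain

# SSN shape with the obviously invalid area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits, optionally separated by spaces or dashes; confirmed with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Constructed sample message (not real data)
SAMPLE_MAIL = """\
From: analyst@provider.example
To: friend@gmail.example
Subject: customer list
Content-Type: text/plain; charset="us-ascii"

Customer John Doe, SSN 123-45-6789, card 4111 1111 1111 1111.
"""


def luhn_valid(number):
    """Luhn check, so that arbitrary 16-digit strings (order ids) do not trip the scan."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:        # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in addrs
            if addr.split("@")[-1].lower() not in internal_domains]


def text_bodies(msg):
    """Yield decoded text/plain parts that are not attachments."""
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def scan_text(text):
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("card", m.group()) for m in CARD_RE.finditer(text)
                 if luhn_valid(m.group())]
    return findings


def inspect_outbound(raw, internal_domains=INTERNAL_DOMAINS):
    """Return a verdict plus the evidence behind it."""
    msg = message_from_string(raw)
    outside = external_recipients(msg, internal_domains)
    if not outside:
        return {"verdict": "allow", "external": [], "attachments": [], "findings": []}
    attachments = [p.get_filename() for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    findings = []
    for body in text_bodies(msg):
        findings.extend(scan_text(body))
    verdict = "block" if (attachments or findings) else "allow"
    return {"verdict": verdict, "external": outside,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_MAIL))
```

The regexes are deliberately narrow so that the scan produces few false positives; the pattern for a bare nine-digit SSN without dashes, or for PII inside a PDF attachment, is a separate and harder problem.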
Disable Instant Messaging (IM)
While IM delivers tremendous gains in productivity by enabling real-time communication between co-workers and business partners, it also brings significant risks:
- Inbound threats: IM-ing creates new vectors for the distribution of malware (viruses, worms, etc.) and spam over IM
- Outbound threats: It opens new holes through which information can leak or be leaked
- Legal, financial threats: It also creates invisible communication channels that operate below the radar of conventional information security measures, exposing the organization to regulatory compliance breaches.
Raj Chaturvedi is an IT Manager at a global retail company. He has also consulted companies like Caterpillar and EDS on business-process optimization.