Defining Security Expectations
Service providers have different security thresholds, legal setups and compliance laws than customers. Moreover, providers service multiple customers at a time, each with their own security expectations. Given this, documenting and sign offs on security expectations are an essential part of any sourcing deal.
Raj Chaturvedi, IT Manager
In this fast-globalizing economy, both customers and service providers are increasingly being challenged to effectively protect business-critical information assets. Interestingly, data security is as much a challenge for Western customers as it is for offshoring providers. However, in the context of this new global order, it has many new dimensions:

  • Complexity of data protection increases as the customer has to factor in security procedures of multiple service providers who are responsible for managing its different business functions.
  • Service providers often have different security thresholds, legal setups and compliance laws from that of companies in the Western economies.
  • Outsourcing is still a political hot button, and generates negative emotions not only among the work force but also in the Western media. Any negative news of security breach becomes bad news not only for the service provider but also for the industry in general. It also negatively impacts the brand image of the country as an outsourcing destination.
  • Companies often do not perform due diligence, such as background checks.
  • Online fraud is 83 times higher than traditional fraud; nine out of 10 businesses were affected by cyber crime in 2006; $67.2 billion was lost to cyber crime in the U.S. (FBI 2005); 100 million Americans are in jeopardy of ID theft due to data breaches (New York Times).
  • Financial motives are making attackers more sophisticated. Attacks are much more targeted than before. User workstations are the easiest path into the network. Identity theft has become the preferred route for criminals.

PUT LIMITS ON DATA COLLECTION. FOR EXAMPLE, IS SSN REALLY REQUIRED? IS COMPLETE DATE OF BIRTH NEEDED, OR WOULD YEAR AND MONTH BE SUFFICIENT?

Secure outsourcing agreement
Given this background, documenting and signing off on security expectations should be one of the most essential components of any outsourcing contract. Below are some essential components of a secure outsourcing agreement.

Penetration Tests and Audits
Periodic independent security audits and the right to review the results should be a part of a customer company's risk-management strategy. It is important to clearly set the scope, methodologies and tools to be used for these tests. In the event that audit results are not satisfactory, the remediation period and efforts should be clearly spelled out.

Some penetration testing scenarios could be:

  • Act as an external attacker
  • Perform internal attacks (disgruntled employee/attacker with physical access)
  • Exploit vulnerabilities in the provider's software (browsers, e-mail clients, etc.).

Physical Security

  • Cameras should be placed near all sensitive areas
  • Facilities should be equipped with alarms to notify of any suspicious intrusions. They should be locked and controlled through biometrics or smartcards
  • The service provider must regularly check the audit trail of the key-card access systems, in particular noting how many failed access attempts have occurred.

Data Security

  • Data should be transmitted in encrypted format
  • Storage of sensitive customer data falling in the PII category (Social Security Numbers (SSN), date of birth, credit card numbers, etc.) should be in encrypted format
  • Corporate data of the service provider and its multiple customers should be logically separated
  • Access to data should always follow two-factor authentication rules
  • Sensitive data should only be available to qualified persons
  • Once the contract is terminated, data must be destroyed.
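The pull quote above asks whether the SSN and the full date of birth are really required, and the data-security list names the same PII fields. The following is an added example (not from the article or its author) of a customer-side minimization step run before records are handed to a provider: the SSN is replaced by a keyed token so the provider can still match records across batches, the date of birth is cut to year and month, and the card number is masked. The key, the field names and the sample record are constructed for illustration.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed sample record as it might exist before hand-off to a provider.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "date_of_birth": "1980-07-21",
    "card_number": "4111111111111111",
    "email": "jane@example.com",
}

# Hypothetical key kept on the customer side and never given to the provider.
PSEUDONYM_KEY = b"customer-side-placeholder-key"


def pseudonymize_ssn(ssn: str, key: bytes) -> str:
    """Keyed HMAC token: stable for the same SSN, useless without the key."""
    digits = re.sub(r"\D", "", ssn)  # normalise "123-45-6789" and "123456789"
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_dob(dob: str) -> str:
    """Keep only year and month, per the 'is complete date of birth needed?' question."""
    d = date.fromisoformat(dob)
    return f"{d.year:04d}-{d.month:02d}"


def mask_card(card: str) -> str:
    digits = re.sub(r"\D", "", card)
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize_record(record: dict, key: bytes, drop=("email",)) -> dict:
    """Return a copy with PII reduced to what the provider actually needs."""
    out = {k: v for k, v in record.items() if k not in drop}
    if "ssn" in out:
        out["ssn_token"] = pseudonymize_ssn(out.pop("ssn"), key)
    if "date_of_birth" in out:
        out["birth_year_month"] = truncate_dob(out.pop("date_of_birth"))
    if "card_number" in out:
        out["card_last4"] = mask_card(out.pop("card_number"))
    return out


SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
PAN_PATTERN = re.compile(r"\b\d{13,16}\b")


def contains_raw_pii(record: dict) -> bool:
    """Pre-transfer gate: refuse to ship if any value still looks like a raw SSN or card number."""
    return any(SSN_PATTERN.search(str(v)) or PAN_PATTERN.search(str(v)) for v in record.values())
```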

Disaster Recovery
Disaster Recovery is the process of regaining access to the data, hardware and software necessary to resume critical business operations after a natural or human-caused disaster. It is important to lay down in the service-level agreement the expectations and requirements of each business-critical application. The following ground could be covered in it:

  • Uptime and downtime requirements of each application being serviced by the service provider
  • Mutually agreed data backup and protection methodology for each business application
  • Frequency of disaster-recovery tests. Methodology, scope and verification process of the test should be defined
  • Publication of test results and time period to take corrective actions
  • Process to access disaster-recovery documentation
  • Contacts of technical and administrative resources who will participate in a simulated test scenario or in the recovery efforts after an actual disaster.

Copyright © 2008 GLOBAL SERVICES all rights reserved