Web Security
- Identify the specific configuration files and architecture (e.g. Java, ActiveX) used by the Web servers
- Conduct a vulnerability assessment of the server and supply the most recent results together with the remediation taken. Also conduct security quality-assurance testing.
Network Security
It must be ensured that firewalls, virtual private networks, intrusion detection systems and wireless networks are properly configured and administered.
Host Security
- Server specifications and hardening procedures
- Software maintenance policy
- Authentication policy
- Information on the account-management process for all accounts the service provider is responsible for.
Crisis-management Plan
This should be triggered if sensitive employee or customer data is lost, stolen, or acquired electronically. It should include instructions to prevent identity theft if social security numbers and/or financial account numbers are obtained illegitimately.
Termination Clauses
Maintain strong termination clauses and incorporate liability provisions into the security agreement for failure to meet security standards and for lack of due diligence. The customer's and the service provider's responsibilities and accountability should be clearly documented.
Consistent Policies
Organizations should specify the rules that outsourcing providers must comply with, for example, rules on passwords and access codes. Ensuring that the provider works in the same way is paramount for making the process seamless. As per section SA-9 of NIST 800-53, "Third-party providers are subject to the same information system security policies and procedures of the supported organization, and must conform to the same security control and documentation requirements as would apply to the organization's internal systems."
Workplace checks
Background Checks
One way to prevent misuse of sensitive data is to perform background checks. Companies must verify employees' educational background, employment history and criminal record, if any.
Nasscom, the Indian association of software and services companies, for instance, has created a National Skills Registry in which all employee information is captured. Interestingly, while this data is owned by the employee, Nasscom is responsible for maintaining and authenticating the information by conducting its own due diligence. Employee information can be released to a customer with the employee's consent.
At the same time, it is important to adhere to local privacy laws while conducting background checks or collecting employee information.
Disable Local Access
The damage caused by data theft can be considerable given the ability to transmit very large files via e-mail, Web pages, and hand-held devices.
As soon as a user logs in to a secured network, it has to be ensured that the user is not able to save information to the local C: drive or to USB drives. Also, no file attachments should be sent outside the secured network, and all mail sent outside the network should be scanned.
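One concrete piece of the control above is blocking writes to USB mass-storage devices on Windows workstations. The following PowerShell script is an added example for this article, not a tool from the author or from any vendor; it assumes it is run with administrator rights on a Windows host, and it uses the standard USBSTOR service key and the Group Policy "Removable Disks: Deny write access" registry key (the GUID is the removable-disk device class that policy refers to). Restricting the local C: drive is a separate matter of file-system permissions and is not covered here.

```powershell
# Added example (not from the article): audit, and optionally enforce, two
# Windows controls that block saving data to USB mass-storage devices.
# Assumptions: run as Administrator; the registry paths below are the standard
# USBSTOR service key and the "Removable Disks: Deny write access" policy key.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Device-class GUID for removable disks used by the RemovableStorageDevices policy
$RemovablePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStorageStatus {
    # Start = 4 means the USBSTOR driver is disabled, so USB disks do not mount at all
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # Deny_Write = 1 means removable disks may mount but cannot be written to
    $denyWrite = (Get-ItemProperty -Path $RemovablePolicyKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    [pscustomobject]@{
        UsbStorDriverDisabled = ($start -eq 4)
        RemovableWriteDenied  = ($denyWrite -eq 1)
        Compliant             = ($start -eq 4) -or ($denyWrite -eq 1)
    }
}

function Set-RemovableStorageBlocked {
    # Disable the driver (most restrictive) and also set the write-deny policy,
    # so writes stay blocked even if the driver is later re-enabled.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $RemovablePolicyKey)) {
        New-Item -Path $RemovablePolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $RemovablePolicyKey -Name Deny_Write -Value 1 -Type DWord
}

# Usage: audit first; enforce only once the change has been approved.
$status = Get-RemovableStorageStatus
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning 'Removable storage is not blocked on this host.'
    # Set-RemovableStorageBlocked
}
```

In practice the enforcement half is deployed through Group Policy to every workstation rather than run by hand; the audit function is still useful on its own as a periodic check that the policy has actually applied, since a host that reports `Compliant = False` is one where the outsourcing provider's users can still copy data to removable media.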
Disable Instant Messaging (IM)
While IM delivers tremendous gains in productivity by enabling real-time communication between co-workers and business partners, it also brings significant risks:
- Inbound threats: IM creates new vectors for the distribution of malware (viruses, worms, etc.) and for spam sent over IM
- Outbound threats: It opens new holes through which information can leak or be leaked
- Legal, financial threats: It also creates invisible communication channels that operate below the radar of conventional information security measures, exposing the organization to regulatory compliance breaches.
Raj Chaturvedi is an IT Manager at a global retail company. He has also consulted companies like Caterpillar and EDS on business-process optimization.