
Does Outsourcing Pose a Security Risk for your Company?

Security Concerns

In a survey of U.S. senior executives, 91% of respondents were 'somewhat' or 'very concerned' about data theft or misuse in outsourced operations. The survey also states that information security is one of the top three most important factors in selecting an outsourcing partner - higher in ranking than either business stability or reputation.

Furthermore, 85% of executives stated that they may be willing to pay an additional 10% - 15% for extra security.

With security issues at the forefront of business leaders' concerns, how can companies be sure that their outsourcing providers have the necessary safeguards in place?

Security Policy Best Practices

All companies, including outsourcing providers, should have a written security policy that protects the organization's information assets against all internal, external, deliberate or accidental threats; minimizes the risk of damage by preventing security incidents and reducing their potential impact; and includes a business continuity plan.

The security policy should be based on established industry standards. One of the most inclusive standards available today is written and approved by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): ISO/IEC 17799 (since renumbered ISO/IEC 27002) provides a comprehensive set of guidelines and controls comprising best practices in information security.

Internal vs. External Intrusion

Many companies focus on protecting their organization from external intrusion by sources such as viruses and computer hackers, which are becoming more sophisticated and growing alarmingly in number. Although companies need to implement strategies to protect against external, intentional threats, this type of protection alone is not enough. Frequently, a security breach is the result of an unintentional lapse rather than a deliberate attack. For instance, if a box containing customer data is lost in transit while being shipped by a mail service provider, or if a laptop containing customer data is stolen, these are unintentional, yet real, security breaches. Outsourcing companies should implement security strategies that protect against accidents within their own internal processes, not just against external, intentional threats. These should include policies covering both paper and electronic processes.

From an internal security perspective, stringent change control standards should be put in place. Every change should be recorded with its type, who authorized it and who implemented it, and there should be a clear separation of duties so that no single person can both authorize and implement a change. An audit trail should capture all information regarding changes.
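The change control described above, as an added example that is not part of the original article: a small Python change log that refuses any record in which the authorizer and the implementer are the same person, and chains each audit entry to the previous one with SHA-256 so that a later edit to the trail is detectable when the chain is recomputed. The people, change IDs, descriptions and timestamps are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


class SeparationOfDutiesError(ValueError):
    """Raised when one person tries to both authorize and implement a change."""


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    change_type: str      # what kind of change was made (e.g. config, code, firewall rule)
    description: str
    authorized_by: str    # who approved the change
    implemented_by: str   # who carried it out
    timestamp: str        # ISO 8601, supplied by the caller so the example is deterministic


GENESIS_HASH = "0" * 64


def _entry_hash(prev_hash: str, record: Dict[str, str]) -> str:
    # Hash the previous entry's hash together with the canonical JSON of this record,
    # so every entry commits to the whole trail before it.
    payload = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChangeControlLog:
    """Append-only audit trail for changes, with separation-of-duties enforcement."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, change: ChangeRecord) -> str:
        # Separation of duties: the approver of a change must not be the one who implements it.
        if change.authorized_by == change.implemented_by:
            raise SeparationOfDutiesError(
                f"{change.change_id}: {change.authorized_by} cannot both authorize and implement"
            )
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = asdict(change)
        entry_hash = _entry_hash(prev_hash, record)
        self.entries.append({"record": record, "prev_hash": prev_hash, "hash": entry_hash})
        return entry_hash

    def verify(self) -> bool:
        # Recompute the chain from the start; an altered, inserted or deleted entry
        # changes the hash of its own entry and breaks the link to every later one.
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash:
                return False
            if _entry_hash(prev_hash, entry["record"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def demo() -> Dict[str, object]:
    """Constructed walk-through: two valid changes, one rejected change, then tampering."""
    log = ChangeControlLog()
    log.record(ChangeRecord("CHG-001", "firewall-rule", "Allow client SFTP from 203.0.113.10",
                            authorized_by="alice", implemented_by="bob",
                            timestamp="2024-03-01T09:00:00Z"))
    log.record(ChangeRecord("CHG-002", "config", "Rotate database service password",
                            authorized_by="carol", implemented_by="bob",
                            timestamp="2024-03-01T10:30:00Z"))

    try:
        # bob approving his own hotfix violates separation of duties and is refused.
        log.record(ChangeRecord("CHG-003", "code-deploy", "Hotfix to billing export",
                                authorized_by="bob", implemented_by="bob",
                                timestamp="2024-03-01T11:00:00Z"))
        rejected = False
    except SeparationOfDutiesError:
        rejected = True

    intact_before = log.verify()
    # Someone edits the trail after the fact to hide who implemented CHG-002.
    log.entries[1]["record"]["implemented_by"] = "dave"
    intact_after = log.verify()

    return {
        "entries": len(log.entries),
        "self_approval_rejected": rejected,
        "intact_before_tamper": intact_before,
        "intact_after_tamper": intact_after,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the log would be written to storage the implementers cannot modify (for example, forwarded to a separate log collector), and the most recent chain hash published or signed periodically; the hash chain alone only makes tampering detectable, it does not prevent it.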

SAS 70 Type II - An Independent Test

To provide assurance, companies that have a SAS 70 report have undergone an external review of their controls. A SAS 70 Type I report is a point-in-time assessment: it signifies that the description and design of the controls have been reviewed by an independent auditor as of a specific date. A SAS 70 Type II report provides extra protection: it states that the controls have also been tested for operating effectiveness over a period, typically six months, to ensure that they work both in theory and in practice. According to the Public Company Accounting Oversight Board (PCAOB), which was established by the Sarbanes-Oxley Act, a SAS 70 Type II audit is the only acceptable method of obtaining third-party verification regarding controls at a service organization. (SAS 70 has since been superseded by SOC 1 reports issued under SSAE 16 and later SSAE 18; the Type I / Type II distinction is unchanged.)

Last Resort - Request an Audit

So how can you determine whether your trading partner poses a security risk? To accommodate the security requirements of large corporations, most service providers have stringent controls in place. Because they must adhere to the security policies of many clients at once, their security standards are often tighter than their clients' own internal controls.

According to the same study of U.S. executives, however, 30% of respondents find security capability claims impossible to verify, and 20% find provider security claims not credible. If in doubt about a provider's claims, auditing the outsourcing company may be a good option; many outsourcing providers are audited by multiple clients during the course of a year. Ultimately, the responsibility for security falls to the client. It is up to each company to complete the due diligence needed to ensure that its provider meets its security requirements.
