Should an organization outsource its IT security?
There are many issues involved with outsourcing. Although it has a number of benefits, there are a lot of risks associated with outsourcing. Thus a company should weigh the benefits over the risk of outsourcing.
The following must be considered when outsourcing IT security:
- Financial – it takes a large portion of budget when a company hires staffs with specialized for IT security rather than hiring someone who can cheaply provide it. That is why outsourcing is cost effective. IT security for some companies need not be present 24/7 so there is no need to hire IT security staff round the clock.
- Hiring & Training – an outsourced IT can hire and train easily because they need more employees.
- Guaranteed service and system availability – they can also create an infrastructure to support them so that they can monitor new hacker tools, new security product, new software releases even new vulnerabilities.
- Broader view of the internet – outsourced companies can learn attacks from one customer and can apply the solution or knowledge to protect its other customers.
- Focus – companies or organizations can focus on in its activities by efficient use of its labor resources while paying the outsourced companies in monitoring IT security.
The following are the risks of outsourcing:
- The outsourcing provider has access to the intimate knowledge of the people, IT infrastructure, procedures, approval channels and the weaknesses and limitations of systems (including both IT and non-IT systems) of the organization being served.
- The provider may be processing and handling critical information, systems and assets, and have access to sensitive or personal information;
- The provider may have valid user IDs and passwords with authorization to access certain highly sensitive systems logically and/or physically.
Issues involved when a company turn over its security to an outside organization
- Sharing computer resources with other clients of the outsourcer – some outsourcers share the outsourcer’s computer resources to other companies. With shared Direct Access Storage Device and shared tape a device, the outsourcer’s other clients may be able to access the company’s data, even if processing is not shared. Security software should be implemented to prevent such exposures.
- Assurance that the company is not paying for another client’s use of resources – A charge-back software product can solve this problem. In addition, information security software should be used to ensure that only authorized log-on IDs use cost centers belonging to the company.
- Information security audit rights of the client company – the outsourcer should give the client’s information security staff the ability to review and update its log-on IDs and access rules.
- Outsourcer’s access to client’s data – to ensure the availability of the client’s data, some of the outsourcer’s staff need to access the company’s data. The challenge is to determine what the outsourcer needs to know and what is the appropriate level of authority for data access.
- Determining who owns the data and programs – although the client owns its business data; the outsourcer is a mere custodian of that data. The client should determine which data actually belongs to the company and which data requiring the company’s access belongs to the outsourcer.
- Data retention, destruction, and backup – Responsibility for data backup should be clearly defined. This decision should take into account the most efficient and cost-effective method of backup.
Security and General Management Issues
- Physical security – It should be verified that the outsourcer has adequate physical security to meet the client company’s needs.
- Change control – the client company should always be informed of any hardware or software changes that could affect it.
- Disaster recovery – the outsourcer should have an adequate disaster recovery plan and a contract with a reputable hot-site vendor that has a configuration that will meet the client company’s needs.
- Regulatory requirements – the outsourcer should be able to handle any special regulatory requirements the client company may have.
- Service-level agreements – the client company and the outsourcer must know exactly, in writing, what to expect from each other.
Stipulations needed to include in service level agreement with an it security outsourcer
- When preparing an outsourcing service contract, the organization should clearly define the security requirements of the information systems to be outsourced, such as how all personal and sensitive data should be handled throughout the contract. These requirements should form the basis of the tendering process and become an integral part of the performance metrics.
- The outsourcing contract should include requirements for all staff of third party service providers and vendors to sign non-disclosure agreements to protect sensitive data in the systems. The contract should also include a set of service level agreements (SLAs). SLAs are used to define the expected performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance. In addition to defining SLAs, the contract should include an escalation process for problem resolution and incident response, so that incidents can be handled according to a pre-defined process to minimize any impact on the organisation.
- When engaging IT service providers, an organization should ensure that the vendor employs adequate security controls in accordance with their own organizational IT security policies, wider regulatory requirements or other industry best practices.
To ensure an effective and comprehensive review, inventory detailing
- a list of servers and systems within the scope of the project, and which servers / systems are storing sensitive or personal information,
- a list of support staff from third party service providers as well as the user ID and access privilege granted to individual support staff,
- a list of data, especially sensitive or personal data, transferred to the third party service providers
the same information security requirements and have the same information security responsibilities as those specified for internal staff.
- The security control compliance of service providers and users should be monitored and reviewed actively and periodically. The organisation must reserve the right to audit responsibilities defined in the service level agreement, and have those audits carried out by an independent third party.
- The organisation should ensure the adequacy of contingency plans and back-up processes provided by the service provider.
- The security roles and responsibilities of the service provider, internal staff and end-users pertaining to the outsourced information system should be clearly defined and documented.
- It is essential to ensure that all data to be handled by the outsourcing party are clearly and properly classified, and security privileges for access should only be assigned on an as-needed basis for the performance of their work or the discharging of contractual obligations.
- Although an information system can be outsourced, the overall responsibility and liability of any breach to sensitive or personal data remains entirely with the organisation.