
Gartner highlights the importance of risk assessment in outsourcing contracts

Enterprises must evaluate the security risks involved in outsourcing deals before signing an agreement.

While there may be benefits for enterprises that implement an outsourcing strategy, companies must identify and manage the security risks before they sign any agreement, according to Gartner, Inc.

"The key to successful and secure outsourcing agreements is understanding the security and privacy risks for a business process, application or technology function early in the outsourcing decision process," said Kelly Kavanagh, senior analyst at Gartner. "An enterprise's security staff should be at the table from the start of the process and throughout the life cycle of the outsourcing deal. The security staff should be included in the operations management functions, working with the vendor's delivery management staff, as well as the strategic planning function where standards, architecture and integration decisions are made."

Gartner analysts recommend that large enterprises audit prospective enterprise service providers (ESPs) to ensure that the policy and controls around the outsourced functions or systems meet the enterprise's security standards. Enterprises that can't take on the task of conducting a security audit should require ESPs to provide evidence of an audit by an independent third party.

"When audits aren't available, enterprises should use scanning tools or services to ensure that the ESP does not have vulnerabilities in the applications and network gateways facing the Internet," Kavanagh said. "Even when audits are available, periodic scanning of the ESP is necessary to ensure baseline profile is maintained."

Security and privacy-related issues come from several directions. Enterprise security groups establish security frameworks, industry-specific regulations, requirements for additional processes, controls and reporting. Customers and partners bring additional requirements for confidentiality, availability and access controls.

"Outsourcing decisions require careful analysis of what requirements must be extended beyond the enterprise, and planning to verify and monitor the ESP's ability to meet them," Kavanagh said. "Offshore outsourcing requires even greater care in several areas, such as the degree of governmental access to, or control over, the service provider, as well as over the customer's data."

Gartner analysts will provide additional analysis on outsourcing issues at the Gartner Outsourcing Summit 2004, to be held May 17-19 at the Rio All-Suites Hotel in Las Vegas.

www.gartner.com/us/itsourcing

Date: 11th May 2004 • Region: N.America/World • Type: Article • Topic: ISM



Copyright 2004 Portal Publishing Ltd