Global sourcing is one of the pillars for the future IT services market to support imperatives of growth, cost, speed and business agility, says Gartner. As organisations rush to leverage this exploding trend they often underestimate the scope and impact of the security challenges posed in a global sourcing environment.
The security issues faced in a global sourcing environment differ significantly from ‘traditional’ security issues. These differences range from the legal framework and the financial environment, to a lack of understanding of regulatory issues in the home market, and, probably the most difficult and insidious of all, strong cultural differences in perceptions of security, privacy and IP protection.
According to Partha Iyengar, vice president and distinguished analyst at Gartner, a further factor of particular relevance to companies in the UK and Europe is the issue of how to handle security and privacy at in-sourced centres (i.e. their own subsidiaries) in offshore locations. “In such cases companies are often faced with the dilemma of having different policies in place for their ‘in-house’ employees in the local market and different, more stringent policies for their ‘offshore’ employees,” Mr. Iyengar said. “This can eventually lead to morale issues in the offshore location where people can feel like ‘second-class’ employees who are somehow less trusted than those employed closer to home.”
As an increasing number of organisations take the decision to send more and more mission critical work offshore, Gartner has been looking at the long-term issues whilst evaluating best practices and recommending some immediate tactical steps to address security issues in global sourcing. As part of this, Mr. Iyengar has devised a list of key questions to ask a service provider in order to mitigate the manifold risks:
Technical
- Are security or background checks carried out on employees? What is the credibility of the agency doing the checks?
- Code access or changes: is auditing and analysis of logs carried out?
- What are the service levels around provisioning identity management and auditing of activity?
- Security of application development (AD) practices:
* Does the provider deploy vulnerability testing, government-secure code and testing standards, and so on?
* How is the protection of customer-sensitive or employee-sensitive data handled during AD testing?
- How is the encryption of sensitive data in enterprise applications managed when passed to the service provider?
Legal or contractual
Have the following been addressed:
- Confidentiality or trade secret agreements?
- Security breach notification service level agreements?
- Patch management and AV SLAs?
- Indemnity ‘negotiations’?
- Inspection and on-site audit requirements by regulators?
- Contract jurisdiction in the US or the UK and arbitration clauses?
- Third-party contractor disclosure?
- Security enforcement with trading party contracts?
- Track record of working with enterprises to comply with specific data protection or privacy laws?
www.gartner.com

Date: 17th April 2007 • Region: UK/World • Type: Article • Topic: BC general