
INFORMATION SECURITY CHALLENGES IN OUTSOURCING

A best practices study

While outsourcing presents new opportunities for companies, it also presents its share of challenges, such as information security and intellectual property concerns. As the availability of content and the ease of use of this content grow, the concerns about protecting this content also grow. This white paper focuses on the information security challenges presented in the outsourcing model and the best practices adopted to mitigate this risk.

Raghuraman Ramamurthy

WHITEPAPER

Information Security Challenges in Outsourcing

BACKGROUND
The outsourced services model is increasingly being adopted by medium to large companies to take advantage of the financial benefits it offers and to enjoy added advantages such as skills enhancement and flexibility of operations. While this presents a multitude of opportunities, it does not come without its share of challenges. The inherent structure of service providers itself poses multiple challenges to information security. Their internal structure, multiple service units, shared infrastructure and shared resources each contribute to the challenge.

CHALLENGES
When an organization outsources services, it faces a few challenges, as follows.

Data security not part of governance


While any governance framework looks to define the financial, performance and operational outcomes, there is very little or no focus on defining the same for data security. A systematic approach to defining the processes that protect data, as opposed to treating data security in an event-driven fashion, is missing.

Data security is IT's responsibility


While the IT teams implement and enforce standards, it is the responsibility of the teams that interact with the customer organization to define these standards and practices. The execution of these data security standards and practices cannot be assigned to a single team; it is everyone's responsibility.

Fear of losing intellectual property remains the largest deterrent to outsourcing.


Information security, when not addressed properly, can turn out to be a significant deterrent to outsourcing. A large number of small and medium enterprises are shying away from outsourcing only for fear of losing their intellectual property. The large companies that rely heavily on outsourcing have figured out methods to overcome these risks by applying a systematic approach to information security. In this paper, we will attempt to provide a high-level overview of the challenges, followed by the best practices employed to mitigate these risks.

Data security cannot be assigned to anyone; it is everyone's responsibility.


Interpretation of security requirements
The security requirement in any relationship is defined to be "high", without a clear definition of what the "high" security requirement means and how this requirement will be met. The interpretation and implementation are left to the IT team's bias and preferences. This leads to large inconsistencies in practices and lapses in implementation. While there are standards for security that are practiced by IT, customization is imperative based on requirement.

unintended actions rather than malicious attacks. These lapses are mostly caused by the lack of a properly documented security policy and inadequate training on security practices.

BEST PRACTICES
The following are some best practices that have evolved over years of experience that BWIR has acquired in successfully managing outsourced relationships for customers and for Barry-Wehmiller.

Perception of reduced risk levels


It is a common understanding that the risk levels are lower as you go down the pyramid of services. It is perceived that lower-value services attract lower information security risk compared to higher-value services. While it may be true in a few cases, largely, this is not true. All levels of service present the same level of risk and will need to attract the same level of attention.

Data security is a key part of governance


Data security is regarded as a key part of governance in customer relationships. A top-down approach was adopted, with senior management showing commitment to adhere to the highest standards of security.

Distributed operations
With globally distributed operations, the challenge becomes more complex with practices and standards being different in different locations. Also, regulations vary for each country/state and the infrastructure available may also differ from location to location. This makes it very difficult for an organization to coordinate information security globally.

Senior management commitment is imperative for security.


The coverage is the entire organization rather than pockets of implementation.

Most incidents of data security lapses are unintended actions.


Lack of awareness
Most incidents of data security lapses when analyzed point to the fact that they were

Tailored control requirements


Rather than adopting an out-of-the-box control standard, it is important to analyze what suits the organizational practices, also keeping in mind the type of services offered. It is also important to keep the customer in mind while designing these standards, so that adhering to them does not become an administrative overhead, while at the same time not compromising on security.


Interpretation of security
While BWIR has specific processes and standards laid out for security, we make it a point to engage every customer in a discussion on any specific security requirements they may have, so that the models can be customized to suit their requirements. Data security policies and standards are then designed to suit the customer policies and standards to ensure that the maximum level of security is maintained. When there are multiple locations involved in delivery of services, it becomes all the more important to ensure that policies are standardized and implemented across delivery locations.

Hence, it is important to invest in appropriate training for individuals for adherence.

Training
BWIR adopts a structured training process where training is extended not only to BWIR associates but also to customer stakeholders, to ensure they follow the same practices as their extended engineering teams.

CONCLUSION
The challenges of information security with outsourcing can be overcome to a large extent with the right mindset and approach to security. What is important is a systematic approach to security, a clear understanding of customer needs and the ability to customize requirements for each customer within a given framework. This requires marrying the customer's processes with those of the service provider and training all relevant stakeholders for adherence. It goes without saying that this requires appropriate infrastructure to enable enforcement.

Appropriate use of technology


With the availability of technology, it is possible to achieve the highest standards of security. It is important to make investments in appropriate technology and implement it correctly. While technology helps enforcement of data security, it is the people who ensure adherence.

About the author
Raghuraman Ramamurthy (Raghu) is a Product Manager, Engineering Solutions, with extensive experience in operations excellence and process optimization. Raghu carries experience from diverse industries and has spent most of his career consulting, developing and implementing best practices for large outsourcing initiatives.

About BWIR
Barry-Wehmiller International Resources (BWIR) is part of the consulting platform of the $1.2 billion Barry-Wehmiller Companies Inc., a market leader in packaging, paper and paper converting capital equipment manufacturing, headquartered in St. Louis, Missouri with global operations. BWIR brings the best of both worlds: the dependability of a global billion dollar company with the benefits of distributed operations. BWIR has been recognized as a pioneer in outsourcing with a distributed global network of resources. ISO 9001:2008 certified, BWIR has validated systems and processes in place to deliver superior services to our customers.

USA: 8020, Forsyth Boulevard, St. Louis, MO 63105. Phone: +1 (314) 862 8000. Fax: +1 (314) 862 4154. Toll free: +1 (800) 862 8020.

INDIA: MPL Silicon Towers, 23-1/B3, Velachery Tambaram Road, Pallikaranai, Chennai 600 100. Phone: +91 (44) 4390 9100. Fax: +91 (314) 862 4154.

Email: info@bwir.com | Web: www.bwir.com
