Whitepaper - Data Security while outsourcing


This whitepaper discusses some common challenges and myths about data security when outsourcing engineering and looks at some industry best practices to address these concerns.


While outsourcing presents new opportunities for companies, it also presents its share of challenges, such as information security and intellectual property concerns. As the availability of content and the ease of using it grow, so do the concerns about protecting it. This white paper focuses on the information security challenges presented in the outsourcing model and the best practices adopted to mitigate this risk.

INFORMATION SECURITY CHALLENGES IN OUTSOURCING

A best practices study

Raghuraman Ramamurthy

BACKGROUND

The outsourced services model is increasingly being adopted by medium to large companies to take advantage of the financial benefits it offers and to enjoy added advantages such as skills enhancement and flexibility of operations. While this presents a multitude of opportunities, it does not come without its share of challenges.

The inherent structure of service providers itself poses multiple challenges to information security. Their internal structure, multiple service units, shared infrastructure and shared resources: each of these contributes to the challenge.

Information security, when not addressed properly, can turn out to be a significant deterrent to outsourcing. A large number of small and medium enterprises are shying away from outsourcing only for fear of losing their intellectual property. The large companies that rely heavily on outsourcing have figured out methods to overcome these risks by applying a systematic approach to information security.

“Fear of losing intellectual property remains the largest deterrent to outsourcing.”

In this paper, we will attempt to provide a high-level overview of the challenges, followed by the best practices employed to mitigate these risks.

CHALLENGES

When an organization outsources services, it brings in a few challenges, as follows.

Data security not part of governance

While any governance framework looks to define the financial, performance and operational outcomes, when it comes to data security there is very little or no focus at all on defining the same.

A systematic approach to defining the processes that protect data security, as opposed to treating it in an event-driven fashion, is missing.

Data security is IT’s responsibility

While the IT teams implement and enforce standards, it is the responsibility of the teams that interact with the customer organization to define these standards and practices. The execution of data security cannot be assigned to a single team; it is everyone’s responsibility.

“Data security cannot be assigned to anyone, it is everyone’s responsibility.”

Interpretation of security requirements

The security requirement with any relationship is defined to be “high”, without a clear definition of “what” the “high” security requirement means and “how” this requirement will be met.

The interpretation and implementation is left to the IT teams’ bias and preferences. This leads to large inconsistencies in practices and lapses in implementation. While there are standards for security that are practiced by IT, customization is imperative based on requirement.

Perception of reduced risk levels

It is a common understanding that the risk levels are lower as you go down the pyramid of services. It is perceived that lower-value services attract lower information security risk compared to higher-value services. While it may be true in a few cases, largely, this is not true. All levels of service present the same level of risk and will need to attract the same level of attention.

Distributed operations

With globally distributed operations, the challenge becomes more complex, with practices and standards being different in different locations. Also, regulations vary for each country/state and the infrastructure available may also differ from location to location. This makes it very difficult for an organization to coordinate information security globally.

Lack of awareness

Most incidents of data security lapses, when analyzed, point to the fact that they were unintended actions rather than malicious attacks. These lapses are mostly caused by the lack of a properly documented security policy and inadequate training on security practices.

“Most incidents of data security lapses are unintended actions.”

BEST PRACTICES

The following are some best practices that have evolved over years of experience that BWIR has acquired in successfully managing outsourced relationships for customers and for Barry-Wehmiller.

Data security is a key part of governance

Data security is regarded as a key part of governance in customer relationships. A top-down approach was adopted, with senior management showing commitment to adhere to the highest standards of security.

The coverage is the entire organization rather than pockets of implementation.

“Senior management commitment is imperative for security.”

Tailored control requirements

Rather than adopting an out-of-the-box control standard, it is important to analyze what suits the organizational practices, also keeping in mind the type of services offered. It is also important to keep the customer in mind while designing these standards, so that adhering to them does not become an administrative overhead, while at the same time not compromising on security.


Interpretation of security

While BWIR has specific processes and standards laid out for security, we make it a point to engage every customer in a discussion of any specific security requirements they may have, so that the models can be customized to suit their requirements. Data security policies and standards are then designed to suit the customer’s policies and standards to ensure that the maximum level of security is maintained.

When there are multiple locations involved in the delivery of services, it becomes all the more important to ensure that policies are standardized and implemented across delivery locations.

Appropriate use of technology

With the availability of technology, it is possible to achieve the highest standards of security. It is important to make investments in appropriate technology and implement it correctly.

While technology helps with the enforcement of data security, it is the people who ensure adherence. Hence, it is important to invest in appropriate training for individuals.

Training

BWIR adopts a structured training process where training is extended not only to BWIR associates, but to customer stakeholders too, to ensure they follow the same practices as their extended engineering teams.

CONCLUSION

The challenges of information security with outsourcing can be overcome to a large extent with the right mindset and approach to security. What is important is a systematic approach to security, a clear understanding of customer needs and the ability to customize requirements for each customer within a given framework. This requires marrying the customer’s processes with those of the service provider and training all relevant stakeholders for adherence. It goes without saying that this requires appropriate infrastructure to enable enforcement.

About the author

Raghuraman Ramamurthy (Raghu) is a Product Manager—Engineering Solutions with extensive experience in operations excellence and process optimization. Raghu carries experience from diverse industries and has spent most part of his career consulting, developing and implementing best practices for large outsourcing initiatives.

About BWIR

Barry-Wehmiller International Resources (BWIR) is part of the consulting platform of the $1.2 billion Barry-Wehmiller Companies Inc., a market leader in packaging, paper and paper converting capital equipment manufacturing, headquartered in St. Louis, Missouri, with global operations. BWIR brings the best of both worlds: the dependability of a global billion-dollar company with the benefits of distributed operations. BWIR has been recognized as a pioneer in outsourcing with a distributed global network of resources. ISO 9001:2008 certified, BWIR has validated systems and processes in place to deliver superior services to our customers.

USA 8020, Forsyth Boulevard, St. Louis, MO 63105 Phone: +1 (314) 862 8000 Fax: +1 (314) 862 4154 Toll free: +1 (800) 862 8020

INDIA MPL Silicon Towers, 23-1/B3, Velachery Tambaram Road, Pallikaranai, Chennai—600 100 Phone: +91 (44) 4390 9100 Fax: +91 (314) 862 4154

Web: www.bwir.com