Whitepaper - Data Security while outsourcing
While outsourcing presents new opportunities for companies, it also brings its
share of challenges, among them information security and intellectual property
concerns. As the availability of content and the ease of using it grow, so do
the concerns about protecting that content. This white paper focuses on the
information security challenges presented by the outsourcing model and the best
practices adopted to mitigate the resulting risk.
INFORMATION SECURITY CHALLENGES IN OUTSOURCING
A best practices study
Raghuraman Ramamurthy
WHITEPAPER
Information Security Challenges in Outsourcing
BACKGROUND
The outsourced services model is increasingly
being adopted by medium to large companies to
take advantage of the financial benefits it offers
and also to enjoy the added advantages it presents,
such as skills enhancement and flexibility of
operations. While this presents a multitude of
opportunities, it does not come without its share
of challenges.
The inherent structure of service providers in
itself poses multiple challenges to Information
Security. Their internal structure, multiple
service units, shared infrastructure and shared
resources—each of these contribute to the
challenge.
Information Security when not addressed
properly can turn out to be a significant deterrent
to outsourcing. A large number of small and
medium enterprises are shying away from
outsourcing only for the fear of losing their
intellectual property. The large companies that
rely heavily on outsourcing have figured out
methods to overcome these risks by applying a
systematic approach to information security.
In this paper, we will attempt to provide a high
level overview of the challenges followed by the
best practices employed to mitigate these risks.
CHALLENGES
When an organization outsources services, it
brings in the following challenges.
Data security not part of governance
While any governance framework looks to define
financial, performance and operational outcomes,
when it comes to data security there is very little
or no focus at all on defining the same.
What is missing is a systematic approach to
defining the processes that protect data, as
opposed to data security being treated in an
event-driven fashion.
Data security is IT’s responsibility
While the IT teams implement and enforce
standards, it is the responsibility of the teams
that interact with the customer organization to
define these standards and practices. The
execution of data security cannot be assigned to
a single team; it is everyone’s responsibility.
Interpretation of security requirements
The security requirement in any relationship is
defined to be “high”, without a clear definition of
“what” the “high” security requirement means
and “how” this requirement will be met.
The interpretation and implementation are left to
the IT teams’ biases and preferences. This leads to
large inconsistencies in practices and lapses in
implementation. While there are security standards
that IT practices, customization based on the
requirement is imperative.

“Fear of losing intellectual property remains the largest deterrent to outsourcing.”

“Data security cannot be assigned to anyone; it is everyone’s responsibility.”
Perception of reduced risk levels
It is commonly assumed that risk levels are lower
as you go down the pyramid of services: lower
value services are perceived to attract lower
information security risk than higher value
services. While this may be true in a few cases,
largely it is not. All levels of service present
the same level of risk and need to attract the
same level of attention.
Distributed operations
With globally distributed operations, the
challenge becomes more complex with practices
and standards being different in different
locations. Also, regulations vary for each
country/state and the infrastructure available
may also differ from location to location. This
makes it very difficult for an organization to
coordinate information security globally.
Lack of awareness
Most incidents of data security lapses, when
analyzed, turn out to be unintended actions
rather than malicious attacks. These lapses are
mostly caused by the lack of a properly
documented security policy and inadequate
training on security practices.
BEST PRACTICES
The following are some best practices that have
evolved over the years of experience BWIR has
acquired in successfully managing outsourced
relationships for customers and for Barry-Wehmiller.
Data security is a key part of governance
Data security is regarded as a key part of
governance in customer relationships. A top-down
approach is adopted, with senior management
showing commitment to adhere to the highest
standards of security. The coverage is the entire
organization rather than pockets of implementation.
Tailored control requirements
Rather than adopting an out-of-the-box control
standard, it is important to analyze what suits the
organizational practices, also keeping in mind the
type of services offered. It is also important to
keep the customer in mind while designing these
standards, so that adhering to them does not
become an administrative overhead, while at the
same time not compromising on security.
“Most incidents of data security lapses are unintended actions.”

“Senior management commitment is imperative for security.”
Interpretation of security
While BWIR has specific processes and standards
laid out for security, we make it a point to engage
every customer in a discussion of the specific
security requirements they may have, and to
customize the models to suit those requirements.
Data security policies and standards are then
designed to suit the customer’s policies and
standards, to ensure that the maximum level of
security is maintained.
When multiple locations are involved in the
delivery of services, it becomes all the more
important to ensure that policies are
standardized and implemented across delivery
locations.
Appropriate use of technology
With the technology available today, it is possible
to achieve the highest standards of security. It is
important to invest in appropriate technology and
to implement it correctly.
While technology helps enforce data security, it
is people who ensure adherence. Hence, it is
important to invest in appropriate training for
individuals.
Training
BWIR adopts a structured training process in which
training is extended not only to BWIR associates
but also to customer stakeholders, to ensure they
follow the same practices as their extended
engineering teams.
CONCLUSION
The challenges of information security in
outsourcing can be overcome to a large extent
with the right mindset and approach to security.
What is important is a systematic approach to
security, a clear understanding of customer
needs and the ability to customize requirements
for each customer within a given framework. This
requires marrying the customer’s processes with
those of the service provider and training all
relevant stakeholders for adherence. It goes
without saying that this also requires appropriate
infrastructure to enable enforcement.
About the author
Raghuraman Ramamurthy (Raghu) is a Product Manager—Engineering Solutions with extensive experience in operations excellence and process optimization. Raghu carries experience from diverse industries and has spent most part of his career consulting, developing and implementing best practices for large outsourcing initiatives.
About BWIR
Barry-Wehmiller International Resources (BWIR) is part of the consulting platform of the $1.2 billion Barry-Wehmiller Companies Inc., a market leader in packaging, paper and paper converting capital equipment manufacturing, headquartered in St. Louis, Missouri with global operations. BWIR brings the best of both worlds: the dependability of a global billion dollar company with the benefits of distributed operations. BWIR has been recognized as a pioneer in outsourcing with a distributed global network of resources. ISO 9001:2008 certified, BWIR has validated systems and processes in place to deliver superior services to our customers.
USA 8020, Forsyth Boulevard, St. Louis, MO 63105 Phone: +1 (314) 862 8000 Fax: +1 (314) 862 4154 Toll free: +1 (800) 862 8020
INDIA MPL Silicon Towers, 23-1/B3, Velachery Tambaram Road, Pallikaranai, Chennai—600 100 Phone: +91 (44) 4390 9100 Fax: +91 (314) 862 4154
Email: [email protected] | Web: www.bwir.com