OUTSOURCING IT-BASED SERVICES FOR SMALL AND MEDIUM ENTERPRISES: SECURITY ISSUES



Similar documents
M&LE17 Outsource business processes 1

Department of Health PFU & PPP Forum. Benchmarking and market testing in NHS PFI projects. Code of Best Practice

Information security policy. Information security awareness and training

Management and Leadership. Level 5 NVQ Diploma in Management and Leadership (QCF)

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

A GOOD PRACTICE GUIDE FOR EMPLOYERS

REFORM OF STATUTORY AUDIT

ISO27001 Controls and Objectives

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

The integrated leadership system. ILS support tools. Leadership pathway: Individual profile APS6

Offshore Outsourcing. A Practical Guide

The integrated leadership system. ILS support tools. Leadership pathway: Individual profile EL1

A director s guide How to prepare an RFI for an HR & payroll software system

Schedule 13 - NHS Counter Fraud and Security

Statement of Guidance: Outsourcing All Regulated Entities

ICMA Private Wealth Management Charter of Quality

Life Insurance Charter of Quality

Life Insurance Charter of Quality

Information Governance Policy

ISO Controls and Objectives

Recorded Crime in Scotland. Scottish Government

Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business.

THE DEPARTMENT OF EDUCATION AND CHILDREN S SERVICES JOB AND PERSON SPECIFICATION

Your Guide to the HSE s Comments and Complaints Policy

We released this document in response to a Freedom of Information request. Over time it may become out of date. Department for Work and Pensions

Discussion Paper. Issues Impacting the Accounting Industry from Outsourcing

Guide for Clinical Audit Leads

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction

Business Continuity Planning in IT

Who s next after TalkTalk?

Case study on asset tracing

Information Security: Business Assurance Guidelines

EA-ISP-004-Outsourcing and Third Party Access

Queensland Government Human Services Quality Framework. Quality Pathway Kit for Service Providers

WHITE PAPER. Mitigate BPO Security Issues

DRAFT. Anti-Bribery and Anti-Corruption Policy. Introduction. Scope. 1. Definitions

Procurement Policy. 2.1 Mosaic and all its North American subsidiary companies.

Human Services Quality Framework. User Guide

Compliance Management Systems

LGRF. Procurement Probity Plan. July 2012

Data and Information Security Policy

Business Interruption Factsheet

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

e-colt Services Recruitment Process Outsourcing (RPO)

Customer-Facing Information Security Policy

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Achieving Data Privacy in the Cloud

Stellenbosch University. Information Security Regulations

1.2 Evidence-based practice 1.3 Environment 1.4 Multi-professional working 2. Enhance the patient/client experience 2.1 Person-centred care

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Newcastle University Information Security Procedures Version 3

Office 365 Data Processing Agreement with Model Clauses

ID number system - Recent revisions to guidelines for protection of personal information -

A PRACTICAL GUIDE TO SUCCESSFUL CONTRACT MANAGEMENT

QUALITY MANAGEMENT SYSTEM MANUAL

Cyber Security - What Would a Breach Really Mean for your Business?

PROPOSAL FOR RECRUITMENT PROCESS OUTSOURCING

Threat Intelligence. Benefits for the enterprise

OUTSOURCING POLICY

SECURITY TESTING IS NOT ALL THE SAME: A REFERENCE TAXONOMY

GUIDANCE FOR MANAGING THIRD-PARTY RISK

A Risk-Based Audit Strategy November 2006 Internal Audit Department

Central and Eastern European Data Theft Survey 2012

Lexcel England and Wales v6 Guidance notes for legal practices Excellence in practice management and client care The Law Society.

VICTIMS SUPPORT PROGRAMME. Guidance Note on the Recruitment of Staff G3/VSP

Top Tips for Successful Tendering

An Approach to Records Management Audit

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

ISSA-UK Information Security for Small and Medium Sized Enterprises

Data controllers and data processors: what the difference is and what the governance implications are

building and sustaining productive working relationships p u b l i c r e l a t i o n s a n d p r o c u r e m e n t

LEGAL GUIDE TO RECOVERING A TRADE DEBT

Managing data security and privacy risk of third-party vendors

Closed Circuit Television (CCTV) code of practice. Based on the publication A Code of Practice for CCTV

Management of Outsourcing Contracts

CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998

DATA PROTECTION AND DATA STORAGE POLICY

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

The EU portal and database

Guidance on the template contract for social impact bonds and payment by results

Managing Outsourcing Arrangements

University of Liverpool

ACC AUDIT GUIDELINES - INJURY MANAGEMENT PRACTICES

APES GN 30 Outsourced Services

MHA Service Level Agreement for Managed Outlook

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

King Fahd University of Petroleum and Minerals

Communicating and influencing

Securing Critical Information Assets: A Business Case for Managed Security Services

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Basic principles of Accounting

WHEN YOU CONSULT A STATISTICIAN... WHAT TO EXPECT

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

BEST PRACTICE GUIDE 6: ESTABLISHING CONTRACTS. RDTL MINISTRY OF FINANCE Procurement Service

JOB DESCRIPTION. Emergency Department Sister / Charge Nurse

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ Ã

Data Protection Act Guidance on the use of cloud computing

Release 3.2 Oct 2009.

Transcription:

OUTSOURCING IT-BASED SERVICES FOR SMALL AND MEDIUM ENTERPRISES: SECURITY ISSUES This section is intended to provide guidance on outsourcing. Some of the information contained here is particularly detailed and complex and may not, therefore, be relevant for all companies. We have, however, tried to ensure that there is advice for all organisations, irrespective of their size or experience. INTRODUCTION Outsourcing is often seen as a practice performed by large companies, about 66% of which (Source: 2002 Outsourcing World Summit Michael F. Corbett & Associates, Ltd) wish to either make cost savings or concentrate on their core business. For example, a manufacturing company could use a third-party organisation to run its IT systems, this service being governed by an outsourcing contract. Small and medium enterprises (SMEs) are beginning to anticipate benefits from outsourcing, and many already use such facilities. Some services have always been outsourced, e.g. most companies outsource the provision of webbased services to an Internet Service Provider (ISP). This document is intended to act as a guide for companies which are considering outsourcing their IT-based services. In such circumstances, cost savings are possible (in theory at least) in that a client (i.e. you) does not need to recruit specialists and/or retain expensive non-core skills. Outsourcing service providers can exhibit economies of scale, both through manpower and skills as well as hardware and network infrastructure. Other savings can be made if the operation is relocated to a cheaper environment. There is currently a tendency to relocate to India and other low-cost countries. India has an articulate, educated, English-speaking workforce, which costs very much less than the UK-based equivalent. The theory is sound, but there are issues that cannot be ignored and security is one of them. Many outsourcing deals have failed, resulting in acrimony, loss and even bankruptcy (for both clients and outsourcing providers). If you fail to understand your own requirements for outsourcing, so will any service provider you ask to run a part of your operation. This is the root cause of most outsourcing failures with security being one of the prime areas of potential misunderstanding. What has been learned from previous outsourcing work is that whilst the responsibility for implementing security controls may be delegated, the accountability for such security cannot be outsourced. The contract has to be managed with the client organisation retaining ultimate responsibility. The implementation of control via a contract is different from implementation via a chain of internal command and, as such, requires a different approach. This notwithstanding, your organisation remains accountable and ultimately responsible for the security of the assets being outsourced. After all, it s your company which will suffer the impact and consequences if something goes wrong. Outsourcing is a complex issue and information security is only one of a number of areas for consideration when investigating the possibility of outsourcing. There are significant Human Resources (HR) risks. For example, many staff will become concerned about job security. This will have an impact on productivity. Some may even actively seek to thwart any plans for outsourcing. The following sections outline a road map for successfully implementing an outsourcing contract. REQUIREMENTS Your requirements are the most important guide you will have to outsourcing any part of your business operation. These therefore have to be made intelligible to your chosen service provider and set out in a

clear, unambiguous and mutually beneficial contract. Many outsourcing providers make the mistake of trying to shoe-horn an operation into their generic offering. This may have the advantage of reducing your costs, but could result in loss of service capability. One of the best ways to set out your requirements is to assemble a team from across the organisation. Each person will have different responsibilities, but members should include appropriately empowered representatives from each of the following key business areas: Human Resources Information Technology Information Security Legal. The team should be a decision-making body but also provide a channel through which issues can be passed to the most senior decision-makers. The team should analyse each business process that will be affected by the proposed outsourcing and establish the various risks that could impact on it. Examples of such risks include: exposure of a company s sensitive and critical information to another party exposure of personal information relocation of IT equipment from a known, safe environment to an unknown environment no direct control over the recruitment process. The risks need to be identified and evaluated to determine what controls are required to manage them. In the case of outsourcing, most of these take the form of a statement in a contract. They also form part of the client requirements. Note that not all requirements are directly related to information security. Many, if not most, are more concerned with service levels and cost. However, all these requirements have to be collated into a meaningful form that can be used as the basis for an Invitation To Tender (ITT). They can also be used to assemble a Request For Information (RFI), usually sent to identified prospective service providers prior to the full ITT being issued. The ITT should include a clear set of requirements. Some people recommend that these should be set out in a formal requirements specification at this stage. How far to go in setting requirements depends very much on the nature and scale of the process or processes that are to be outsourced. Security requirements Security requirements normally include the following: the information security policy to be used (normally directly based on the client s own policy and standards) roles and responsibilities (both client and outsourcing provider) mandatory practices, e.g. access control processes, back-up and recovery the various service levels for providing confidentiality, information quality and recovery from incidents rights of inspection and audit.

ISO/IEC 17799 contains a clause dealing with security requirements in outsourcing contracts. In addition, BS 15000 has some useful advice on IT service management (for more information please visit http://www.bsi-global.com). SELECTING AN OUTSOURCING PROVIDER Selection is best managed as follows. The first stage is to identify potential service providers. This can be done though a mixture of research (web searches, advice from Chambers of Commerce and through recommendation) and active RFIs. You should seek out those providers who seem best placed to meet your initial requirements and then select a shortlist. The chosen service providers should then receive a full set of your requirements, set out in an ITT. Outsourcing providers will normally respond with a proposal and after discussions with the outsource team, a suitable provider can be chosen and contracts drawn up. CONTRACT CONTENT The box below outlines the types of issues that need to be considered as part of the security requirements. They are set out here because these requirements often overlap with other areas within an organisation (such as HR and facilities management) and need to be discussed within the internal outsourcing team. The statements could eventually form the basis of the agreed contract. Not all the statements in the box will work in all cases. They are provided as an example to show how they might be worded. It is likely that your own contracts will require ratification by legal experts before issue. Non-disclosure agreements and technical resumés The outsourcing provider will name all staff assigned to work on the client account and pass these names to the client. They will all sign a Non-Disclosure Agreement (NDA) supplied by the client prior to starting work on the account. The technical Curricula Vitae (CVs) of named staff working for the outsourcing provider will be supplied to the client for approval. This approval must be sought and obtained before the members of staff start work on the client account. If, for emergency reasons, it becomes difficult to implement these practices, outsourcing staff can commence work without taking the above steps providing explicit signed permission is granted from the client outsource contract manager or the client information security manager. The NDA must be signed at the earliest available opportunity thereafter. The CVs must also be supplied as soon as possible. Staff awareness All outsourcing staff will be given training in information security as agreed with the client and will be given a pack outlining: this agreement the client information security policy and standard their roles and responsibilities. All outsourcing staff will be made aware of the potential consequences of a breach of this contract.

Staff vetting All outsourcing staff named as working on the client account must be subject to checks (preferably as part of the outsourcing provider s recruitment process) prior to being accepted to work on the client account. Screening must include: taking up at least two references (one personal, the other relating to previous employment) a criminal record check proactively checking the accuracy and completeness of CVs the positive confirmation of academic and professional qualifications a positive identity check (e.g. sight of passport or identity card) a credit check The outsourcing provider will inform the client immediately if they intend to use sub-contractors to fulfil the contract. The client reserves the right to refuse such a service. If any sub-contract is agreed, the sub-contracted body will be required to sign a formal agreement and an addendum to this contract and abide by all the conditions set out therein. Physical security The outsourcing provider s staff should access client systems only from specific, named premises. These premises should normally be subject to a risk review to determine their security status as part of any risk analysis procedure required by the client. The review should assess the premises against the client s physical security policy. IMPLEMENTATION AND OPERATION The timing of the handover of an operation to an outsourced service is complex and risky. As many as one-fifth of contracts are terminated during transition due to unexpected problems. Handover has to be planned and a range of measures, such as acceptance criteria, has to be put in place. If discussions prior to the contract being signed have been sensible and realistic, problems can be reduced. Security issues are very important at this stage as the complexity and unfamiliarity of such situations can result in security incidents (deliberate or otherwise). Such a situation provides opportunities for fraud, vandalism and theft. Basic security controls have to be monitored and concerns actively investigated. Much of this vigilance will not produce results but the security ethic has to be applied. To help avoid confusion, a strict timetable should be set up. Everyone should know exactly when responsibilities will transfer. This will reduce some uncertainty and ensure legal responsibility is understood and accepted. One essential element is a get-out plan (or exit strategy) in case the handover fails. A return to the original service may be a last resort, but should be borne in mind. Remember that the purpose of the process is to support the business. Operationally, things will take time to settle down. There are some simple routines that can reduce negative security impacts as this happens: Keep to formally agreed roles. If informal routines become commonplace, it is possible that they will become contentious issues over time. You have to manage expectations for both the outsourcing provider and the client staff.

Client staff have to understand that the outsourcing provider s staff will sometimes change. The value of personal relationships needs to be weighed against the provider s requirements for making best use of its own staff. Regular, formal meetings need to be held to assess and agree the status of the service. These should be specified in the contract. Incident reporting, as well as status reporting, has to be established. Reporting lines and procedures have to be transparent and agreed. Change is inevitable, in both requirements and operations. The contract has to be flexible and a workable routine for managing change is essential. Change can come from either the outsourcing provider or the client side and has to be seen as part of the operation. Nothing stands still and this has to be built into the contract and the relationship. CONTRACT TERMINATION As part of the get-out plan (or exit strategy), there must be mutually agreed provision for contract termination at any stage. Safeguards must, of course, be built in to prevent either party being unfairly penalised through termination, but just as contracts have to be operationally flexible, the terms have to be sensible. OTHER ISSUES It is not the purpose of this document to provide advice outside the domain of information security, but the issue that dominates most outsourcing projects is that of people. Individuals dislike change, especially when they feel powerless, and outsourcing can bring about very fundamental changes. The key to ensuring as smooth a change as possible is to keep people informed, seek their opinions and take these on board as far as possible. If there are negative impacts (redundancy, relocation, etc.) then HR involvement is essential. This involvement will make the outsourcing process more transparent and acceptable. CONCLUSIONS Remember that outsourcing requires a multilateral approach. An internal team approach to gathering requirements is essential. You cannot outsource responsibility. Garbage in, garbage out (GIGO): if you have a poor system, outsourcing will not make the problem go away. It will merely cause you expense, suffering and loss. Ensure that the system is right first. If you take advantage of your outsourcing provider in terms of price, they will respond with an equivalent drop in goodwill and service levels. Keep roles and responsibilities clear and concise and stick to them, especially during the early stages of hand-over and operation. Keep the people whom the outsourcing will affect involved; understandably they can sometimes feel threatened if they are left out of the process. Have a get-out plan (or exit strategy).

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information