Infosec
Securing Your Outsourcing IT Tasks

Best Practices For IT Practitioners

An organisation can outsource its IT systems and processes to external vendors, but no organisation can outsource its responsibilities; in particular, the legal obligations to its customers. Business owners, data owners and end-users all have a role to play in ensuring security when outsourcing.

  • If the outsourcing service involves hosting information systems at a third party data centre, an on-site visit to assess the security environment of the hosting company should be conducted before making any final decision to outsource.

  • If customer data or other sensitive information is to be transferred to servers owned by a service provider,

    • A security risk assessment covering the physical and logical security controls at the premises hosting the servers should be conducted before sensitive data is released to the service provider.

    • The service provider should set up an isolated environment to segregate the organisation's data from that of other clients.

    • Communication paths used to transfer the data must be secure, and sensitive data should also be encrypted using strong encryption algorithms.

    • When the servers involved are based in another country, the impact due to different jurisdictions should also be assessed.

  • Because staff of a third party vendor might need to access the organisation's data after outsourcing has begun, the data owner should always be aware of where the data is actually residing, and who has access to that data.

  • Before approving any access by third party staff, the organisation needs to be fully informed as to why the access is needed and what minimal access rights are required to perform the task.

  • Regular ID and access right reviews should be conducted to ensure that no excessive access rights are granted.

  • Audit trails should also be regularly reviewed to check whether there are any suspicious activities (e.g. a sudden increase in the number of documents downloaded), which might be an indication of a security breach.

  • If there is a need to connect machines from third party service providers to the organisation's internal networks, full system virus scans with the latest virus signatures and detection and repair engines should be conducted regularly.

 
 
     