Securing Outsourced IT Tasks
IT outsourcing refers to contracting out IT services or functions that were previously carried out by internal staff. It can cover a range of services, including application development and maintenance, network management, desktop management, IT helpdesk services and data centre management.
When any IT operation of an organisation is contracted out, the external service provider (the outsourcing vendor) effectively becomes an "insider", handling sensitive and important information on the company's behalf. While the services provided by an outsourcing vendor may be beneficial and cost-effective, proper security management processes and procedures must be in place to protect sensitive data and customer privacy in outsourced IT projects and services. Data owners need to monitor and review all access rights granted to outsourcing vendors so that key data is protected at all times. The bottom line is: an organisation can outsource its operations, but not its responsibilities.
When a third party service vendor starts providing an outsourcing service, the vendor may be given access to internal information which can pose certain risks to the organisation:
Attackers and those with criminal intent may try to obtain this internal operational information and use it for social engineering. Combined with the ease of moving data over email and the Internet, on removable storage devices (e.g. small USB flash drives) and through remote access to the organisation's information systems, the risk of system misuse and data theft (including intellectual property theft) by an insider should not be underestimated.
Likewise, failing to terminate system accounts and revoke access rights promptly when vendor staff leave the engagement leaves security loopholes behind. In the worst case, if the systems in place do not provide accountability and proper logging, fraud, data breaches and privacy violations can occur without leaving any trace.
When an information system is outsourced to one or more third party service providers, proper security management processes must be in place to protect data, as well as to mitigate any security risks associated with the outsourced IT project and/or service. The following areas should be considered:
The business environment is dynamic and ever-changing, and so is technology. Regular reviews of the security operation and its corresponding access controls should be conducted. When an outsourcing contract begins, the service provider may have overlooked some of the details of the outsourced operation, and access granted at the start tends to drift as staff join and leave the vendor. A regular review gives both parties a channel to evaluate the service, reconcile the accounts that actually exist against the people who should have them, and make adjustments as necessary.
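The two failure modes above, accounts that outlive the vendor staff who used them and access that is never re-reviewed, can be caught with a simple reconciliation: compare the accounts that are actually enabled on a system against the roster the vendor is obliged to keep current. The script below is an added example, not part of the original page or any vendor's tooling; the account export, the roster format, the vendor and user names, and the 30-day staleness threshold are all assumptions constructed for illustration.

```python
"""Access review for outsourcing-vendor accounts (added illustration).

Reconciles the accounts that are enabled on a system against the roster the
vendor is contractually obliged to keep current, and reports every enabled
account that should no longer be there.  All names, vendors and dates below
are constructed for the example; the export and roster formats are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    """An account as exported from the target system (hypothetical export)."""
    username: str
    vendor: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class RosterEntry:
    """A vendor staff member as declared by the vendor under the contract."""
    username: str
    vendor: str
    contract_end: date
    offboarded: Optional[date]   # date the vendor reported the person as left


def review_vendor_access(accounts: List[Account], roster: List[RosterEntry],
                         today: date, stale_after_days: int = 30) -> List[Dict[str, str]]:
    """Return one finding per enabled account that should not be enabled.

    Checks, in order of severity: no roster entry at all, staff reported as
    off-boarded (and whether the account was used after that date), contract
    already ended, and accounts unused for longer than stale_after_days.
    """
    roster_by_user = {r.username: r for r in roster}
    findings: List[Dict[str, str]] = []

    def flag(acct: Account, reason: str, detail: str) -> None:
        findings.append({"username": acct.username, "vendor": acct.vendor,
                         "reason": reason, "detail": detail})

    for acct in accounts:
        if not acct.enabled:
            continue                      # already revoked; nothing to do
        entry = roster_by_user.get(acct.username)
        if entry is None:
            flag(acct, "not_on_roster", "no contractual basis for this account")
        elif entry.offboarded is not None and entry.offboarded <= today:
            used_after = acct.last_login is not None and acct.last_login > entry.offboarded
            flag(acct, "offboarded",
                 "used after off-boarding date" if used_after else "still enabled after off-boarding")
        elif entry.contract_end < today:
            flag(acct, "contract_expired", f"contract ended {entry.contract_end.isoformat()}")
        elif acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            flag(acct, "stale", f"no login in the last {stale_after_days} days")
    return findings


# Constructed sample data (not from any real system or vendor).
REVIEW_DATE = date(2024, 6, 1)
ROSTER = [
    RosterEntry("alice", "vendor-a", date(2024, 12, 31), None),
    RosterEntry("bob",   "vendor-a", date(2024, 12, 31), date(2024, 5, 20)),  # left, not revoked
    RosterEntry("carol", "vendor-b", date(2024, 4, 30),  None),               # contract over
    RosterEntry("dave",  "vendor-b", date(2024, 12, 31), None),
]
ACCOUNTS = [
    Account("alice", "vendor-a", True,  date(2024, 5, 30)),
    Account("bob",   "vendor-a", True,  date(2024, 5, 28)),   # used after off-boarding
    Account("carol", "vendor-b", True,  date(2024, 3, 1)),
    Account("dave",  "vendor-b", True,  date(2024, 4, 10)),   # 52 days idle
    Account("erin",  "vendor-b", True,  None),                # nobody declared this one
    Account("frank", "vendor-a", False, date(2024, 1, 15)),   # already disabled
]


def run_review() -> List[Dict[str, str]]:
    """Run the review over the constructed sample data."""
    return review_vendor_access(ACCOUNTS, ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['reason']:17} {f['username']:8} ({f['vendor']}): {f['detail']}")
```

Each finding should close as a ticket with the data owner's decision recorded, since a review that produces no written outcome gives the auditor nothing to trace. The "offboarded" case is the one the text warns about: the vendor did report the departure, but the account stayed enabled and was used afterwards, so the check compares the last login against the reported leaving date rather than simply noting that the account exists.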
An organisation can outsource its IT systems and processes to external vendors, but no organisation can outsource its responsibilities; in particular, the legal obligations to its customers. Business owners, data owners and end-users all have a role to play in ensuring security when outsourcing.