Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Monday 22 June 2009, 10:56 AM

Does offshoring or outsourcing increase the data privacy challenge?

Posted by (ISC)2

Last week’s IDG Research Services survey, commissioned by RSA, highlighted the lack of strategy in place in most organisations for outsourcing business services and information to the cloud. It is a reminder that offshoring and outsourcing present a real challenge to data privacy and data protection, but is the risk any greater than the risk to data that is not outsourced or offshored?

There are many risks associated with offshoring and outsourcing. The information security risk, combined with operational risks including the risk of vendor concentration, should determine the direction and pace of the offshoring strategy. Information security professionals must apply industry standard confidentiality (integrity, availability) principles in a risk assessment to ensure that corporate data is not exposed to unnecessary and unforeseen risk. For those professionals working in multi-national organisations, the topics of cross-border data movement and data protection zones are not new. However, if data is made accessible to third-party vendors or other combined legal entities (captives), the involvement of legal professionals is paramount to understand processing and disclosure principles and policy.

The offshoring and outsourcing risk assessment may then reveal that existing cross-border and service provider policies and standards are inadequate even for existing business processes, thus confirming that outsourcing does not increase risk but can actually reduce risk by improving internal controls.

For firms and organisations with a complex mix of environments and vendors, control “edge” solutions can be developed for the handling of data, based on “need to know” and “least privilege” principles, delivering sensitive data at the very last minute in the process, and linked to pre-defined and agreed data disclosure rules.

Offshoring and outsourcing programmes may increase the complexity of the environment, and can also increase the burden of supervision, but do not increase information security risk. There is no hype with offshoring and outsourcing; rather, basic control principles apply.

Alessandro Moretti, CISSP, Member of the (ISC)2 European Advisory Board and Executive Director, UBS Investment Bank, IT Security Risk Management.

