Ensuring robust Information-Security system while Outsourcing.
Outsourcing has been indispensable to flourish and often outlast, for many organizations due to the promising rewards it offer including cost and efficiency savings, reduced overhead, operational control, peak load accommodation and internal staff development. However from an information security(IS) point of view, the graph has not been without risk.
Does outsourcing mean greater risk? What are the risks involved? What strategies should be regarded?
You have always seen, large IT companies doing secured development zones, access restricted areas, no camera, no pen drives, no access to public forums, no public emails etc. Nevertheless, Smaller companies or startups usually do not enjoy this luxury for the very reason that they work mostly with smaller providers who might even laugh off your security idea.
While for a small/medium sized company, crucial information could be their processes or operation model, vendor information or product/service information; for a startup/an entrepreneur, the most essential and vulnerable information could be the very IDEA behind the business. You never know how huge your startup would grow – how well do you recall the principal conflict on Facebook’s sources revolved around whether Mark had entered into an agreement with the Harvard seniors to develop a similar web site for them and then, in lieu, stalled their project while taking their idea and building up his own. Though the Winklevoss twins managed to walk away with a handsome check, most of the time we witness umpteen ill-omened unheard entrepreneurs never making it to the finish line.
Technically, IS means protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The Basic IS Principles are:
Confidentiality – prevent the disclosure of information to unauthorized individuals or system
Integrity – data cannot be modified undetectably
Availability – the information must be available when it is needed
Authenticity – ensure that the data, transactions, communications or documents (electronic or physical) are genuine
Non-repudiation – implies one’s intention to fulfil their obligations to a contract
Okay, So I’m not a multimillion dollar company. I just have a few hundred bucks in my pocket. Can I also do something to secure my information, concept or idea…? Well, here’s a set of 10 Commandments you can really do:
1) Pre-engagement preparation and security assessment- Do your own research on information security and outsourcing, the pluses and minuses involved.
2) Define the scope of services- Once you have decided to outsource, draw boundary lines to the areas which you would like to outsource. Keep the rest, with yourself. For eg: In a web application development perspective, customizations to a particular component might not require you provide access to the entire code base. In such cases you can limit it to the required component alone.
3) Define roles- As security depends on people more than on technology, defining roles and responsibilities within your organization as well as with the provider is a significant factor. You should demand for profile of resources involved, their designation, and the role they play in your particular project.
4) Control inappropriate access to sensitive information- Only authorized personnel should enter your information environment. The team members involved should be aware of the sensitivity of the information they are handling with.
5) Define acceptable risk tolerance level- In some cases, risks are inevitable. Here, to limit the damage caused, tolerance level should be defined initially, exceeding which should raise the red alert.
6) Select the right Service Provider- Art of finding an army stronger than the kingdom. Evaluate and understand a service provider’s business solutions and practices. Learn the risk mitigation features that automatically come with the service provider like data security, disaster recovery, confidentiality controls, access permissions etc. Beyond everything, find a service provider whom you can trust and leave your empire with.
7) Process Evolution- The entire operation process and information security plans should be evolved through discussions with the provider for optimal results which should involve evaluation, due diligence, and negotiations.
8) Hold on to the ‘Do not copy’ tag- Operate highly data-sensitive processes in read-only environments to prevent data from being printed, written down, or copied onto desktop hard drives or removable drives.
9) Right contract setup- Outsourcing provider’s responsibilities, and all key legal terms should be drafted. It should address the appropriate safeguards over the company’s information and confidentiality, as well as audit rights and regulatory compliance.
10) Continuous Monitoring- Maintain access logs, version control systems and tracking on servers to ensure complete supervision of the system and the provider.
Phew..!! It’s easier said than done. Putting everything together into place is next to impossible. In order to bridge over this gap OptiSol decided to package all these actions as one and offer it to its clients for free, as part of its services and this move led to the introduction of OCISM OptiSol’s Collaborative Info-Security Model™.
In this model, a detailed Info-Security Collaborative Plan (ISCP)™ of operation is designed, covering the commandments discussed above, to ascertain uncompromising information security. The client organization and OptiSol works in collaboration, implementing the designed ISCP for that particular project.
OptiSol Business Solutions has been using OCISM – OptiSol’s Collaborative Info-Security Model, continually and obligatorily in its engagement processes and has helped its numerous clients substantiate uncompromising information security @ OptiSol throughout its engagement and beyond, by exhaustively applying the commandments involved. If you would like to know more about OCISM/ISCP or do a trial please feel free to mail in your request to email@example.com.