
Out-sourcing and Risk

Recently we have been reminded frequently about the growth in outsourced services: Computer Weekly's recent report showed the continued growing appetite for outsourcing across the globe (http://www.computerweekly.com/news/2240151385/Shared-services-take-up-fastest-ingrowing-market), and both PwC (http://www.pwc.com/gx/en/information-securitysurvey/giss.jhtml) and CIF (http://www.cloudindustryforum.org/) have lately demonstrated the growth in these markets. If you are entrusting someone else with your information and information processing facilities, clearly this has some implications for your security. But what are they?

Well, first of all, not all arrangements with external parties are equal. Clearly the persons hosting your hotel reservation and train fare booking systems are important, but probably not as important as those hosting your critical business systems and client information. Security is a risk-based discipline, and before you start making decisions about what security controls you should and should not put in place, you should risk assess the third party. Examples of things you should consider include the type and sensitivity of the data, the extent and maturity of their existing security controls, any legal and regulatory requirements you or your clients are required to meet, and the impact that not having access to your information and information processing facilities would have.

Any agreement with a third party involving their access to your information and information processing facilities should be comprehensive and (as a minimum) include the physical and logical controls you expect to be maintained around your assets, the requirements you expect of their personnel (if you vet your staff then you might think it pertinent to make sure they do theirs?), incident and weakness reporting procedures to you, their procedures for access to and segregation of your assets, applicable SLAs and your right to audit them.

And once you have entered into an agreement with them, make sure you enforce your right to audit!
Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

If your outsourcing strategy does or may include the use of Cloud-based services, read our short guide to Cloud security; you can find it on our Scribd channel or on our blog, www.adventim.wordpress.com

Ellie www.advent-im.co.uk

www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
www.adventim.wordpress.com www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com

