I have received an offer for a job from Wipro, an India-based company that specializes in BPO (Business Process Outsourcing) and IT services. I would be an account manager. As I was reading my Info security information, I started thinking about the security issues that could be concerns that management must face down before outsourcing their IT services. Since my job would be acting as the go-between for the client and the development team, as well as working with the client to strengthen our relationship, it is important that I know the concerns that services such as outsourcing or offshoring bring.
Principles and Practice of Information Security by Linda Volonino only mentions outsourcing very briefly. The book touches on the risk that outsourcing brings. When a company outsources, it is placing its information security in the hands of the outsourcing company and trusting them. Control is transferred outside the company, and with this comes the added risk that the company to which they entrust their information does not have the correct security. However, management should take into account the current security of information within their company. It may be quite lax if the IT department is understaffed, underfunded, or mismanaged. Placing information security in a specialized company’s hands like Wipro can actually lead to much higher standards at lower costs since the company works with large corporations where ISO standards and Six Sigma are key. Trust is KEY in these relationships.
Another aspect that must be addressed is confidentiality. If sensitive data is being handled by the outsourcing company, precautions should be taken and an agreement about correct usage of information should be specified in the contract. HRO Today had a great article written by Thomas C. Greble about security risks that companies that are outsourcing should be aware of. The following list gives a number of issues that should be discussed and specified within an outsourcing agreement.
- Identify confidential information and specify the types of security mechanisms the employer expects of the provider.
- List applicable privacy laws and regulations.
- Require the provider to limit access to authorized personnel; keep security patches current; install, maintain, and monitor computer systems that require passwords, use encryption technology, and contain firewalls and similar intrusion detection systems.
- Specify that the provider shall be liable for complying with applicable laws and regulations and the breach of its confidentiality or security obligations.
- Provide employer access to and control over the information; impose restrictions on how information may be used, transferred, or shared; and grant employer audit rights over the provider’s security procedures.
Another issue that might carry some risk for the company outsourcing is cultural differences. According to a 2004 post on the Outsourcing Times website, standards of privacy are much looser in India. However, this IS a 2004 post, and I’m sure that in order for Indian outsourcing firms like Wipro to survive, they have had to meet very strict privacy standards. Wipro has been one of the leading companies in achieving ISO standards in many different aspects of business. Information security was one of the most important ISO standards for an IT-based company. The article Offshore Outsourcing: Is Your Data Safe?, written in April 2004, details that the large offshoring companies such as Wipro and InfoSys already had very stringent information security policies. This article was also very interesting and went into some more in-depth security issues as well. I also think it is a very good sign that all articles being displayed in my Google search are from 2003-2004. This leads me to believe that security has become more of a company risk and less of a cultural difference.
