As organizations pursue cost savings and operational efficiencies with their existing business processes, they often turn to service providers either in their home countries or abroad to reap additional cost savings associated with factors such as lower wages, lower operating costs and workers with experience that may not be available in-house. Alternatively, some organizations choose to move their operations to off-shore locations but retain control over their infrastructure, staff and processes. In either case, organizations need to manage the risks associated with safeguarding their assets and their information while complying with the various regulations and laws that govern their industry.

All business initiatives have an associated degree of risk. The risk associated with safeguarding the confidentiality, integrity and availability of information assets is a component of the overall business risk picture for all organizations worldwide. Ensuring that people, processes and technology are properly managed to address this risk is a challenge faced by information security professionals. There are, however, some unique risks associated with outsourcing that need to be addressed by various organizational stakeholders to avoid pitfalls. These risks include:

Political and country risk: if the outsourcing is going to be done in a country other than the country in which the sourcing organization is located, it may be necessary to examine the political environment of the service provider’s country.

Cultural risk is introduced with language differences, varying communication protocols, differing work ethics and cultural norms. Organizations may be vulnerable to different types of ethics associated with information sharing.

Contractual risk: if contracts are not specific or flexible enough to accommodate changes in the business environment, the organization may face risks. In addition, the viability of enforcing the contracts if the service provider is in a location other than their home country may be difficult.

Operations risk: organizations face the risk of sub-par level service quality, cost overruns or business interruptions. Information security risk and compliance risks are often subsumed under operational risk.

Compliance risk: the sanctions and/or material loss of any kind that any organization may experience if it fails to comply with the set of laws, industry standards and internal requirements that govern its environment/sector. For the purpose of this definition, reputational risk is considered part of material risk. (Source: Basel Committee on Banking Supervision – April 2005)

Business Continuity Risk: the risk associated with an organization’s ability to recover and/or restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption.

Organizations need to develop a strategy for understanding and managing these risks, which are dynamic and fluid. There is an inverse relationship between the degree of control and ownership and the amount of risk; the risk associated with outsourcing increases as the degree of ownership and control over business processes is diminished. That said, risks can be effectively managed with governance programs and with program management offices that provide oversight and management of all elements of the outsourcing initiative. Whether outsourcing a specific function or a range of operations, attention must be paid to ensure that all aspects of the decision are analyzed and documented. Various outsourcing lifecycles to manage outsourcing initiatives have emerged as organizations increasingly participate in outsourcing activities. N early all of them share a common theme: information security controls need to be part of any and all outsourcing activities.

Information security professionals often speak of an “information security outsourcing lifecycle.” This approach to outsourcing, that is, examining the lifecycle from an information security practitioner’s perspective, typically is not adopted by most organizations, as the decision to outsource is a business decision driven by a focus on cost savings not necessarily risk management. Instead a more effective approach to ensure that information security risk is addressed is one where information security practitioners integrate their requirements and recommendations into the “business” outsourcing life cycle process.

The likelihood of an organization following a methodical and logical process to manage its outsourcing/off-shoring efforts depends on the organization’s maturity in this space. Most organizations do not have a formal, documented process for managing outsourcing/ off-shoring. And generally, information security professionals are not engaged, if they are engaged at all, until well into the process.

Best Practices

In an effort to manage the extremely high cost to organizations associated with retro-fitting information security controls into an outsourced/off-shored agreement, organizations are increasingly searching for best practices and adopting an outsourcing/ off-shoring life cycle that is a series of methodical steps which, if followed, can streamline the process of engaging a third party to provide services for an organization.

The lifecycle outlined below represents a common sense view to help manage the complexities associated with outsourcing. Although there is no “one size fits all” solution for effectively managing outsourcing initiatives, following the steps while customizing them to suit the organization’s particular culture, may lead to effective outsourcing.

The Outsourcing Lifecycle has four overarching stages each with its own series of actions. These include: Preparation, Implementation, Operation and Review.

Preparation

The journey begins with strategy development. During this step, senior and business management evaluate and determine whether it may be profitable for the organization to outsource, off-shore outsource or create an off-shore captive centre. The business then creates a strategic steering committee to manage the exploratory initiative, develop an outsourcing Project Management Office (PMO) governance office to operate the exploratory initiative and determine which business/IT functions may be profitably outsourced, off-shore outsourced or managed by an off-shore captive centre.

Traditionally, information security has no involvement at this stage of the process as well as the next step the organization takes which is the development of the business case. Multiple stakeholders are involved during this step. The PMO identifies all relevant stakeholders, all aspects of risk to be managed if functions are outsourced, and performs a detailed cost benefit analysis to determine what option makes the most sense. In addition, there needs to be legal analyses of the regulatory compliance implications for outsourcing, off-shore outsourcing and off-shore captive centre operations. Senior management then makes the final decision about what business/IT functions to outsource, off-shore outsource or develop a captive centre off-shore.

In a mature organization, information security begins to get involved at the next stage – Scope Definition. Multiple stakeholders participate in defining the scope of activities to be undertaken. The PMO identifies all processes, operations and technology associated with the functions to be outsourced, applications associated with the functions to be outsourced and retained processes, operations, technology, applications, etc. Information security performs risk assessments to address confidentiality, integrity and availability of information assets to be outsourced.

Partner selection and negotiation of the contract make up the next step in the journey – structuring the deal. Multiple stakeholders are involved during this step which involves the selection process, crafting the Request for Proposal (RFP) to outline requirements and identify metrics to measure success. Legal then ensures all relevant terms and conditions clauses are in the contract. Once a provider is identified, negotiation happens and the contract is eventually signed.

Implementation

After the decision is made to outsource, the organization begins the transition of the functions to be delivered by the service provider. The PMO plans and manages the transition schedule, begins to transition the function to the service provider and creates a process to do ongoing cost benefit analysis. Information security builds security into processes, builds an incident reporting/management process and builds a process for ongoing monitoring (security and compliance). Information security should be heavily involved at this stage of the process.

Operation

Ongoing management and maintenance of the outsourced services is performed by several stakeholders, although overall coordination is done by the PMO who implements an ongoing cost benefit analysis process, updates exiting processes and operations to manage the retained organization, and manages the partnership relationship thru meetings and reporting structure. Information security performs an in-depth site audit of the selected service provider’s security control environment, performs annual (or more frequent) audits of the service provider, implements an incident reporting / management process, implements ongoing monitoring processes and manages the relationship with authorities.

Review

As the contract draws to a close, an organization may choose to renew or exit the contract. If the organization chooses to renew the contract and continue its relationship with the service provider, the PMO must evaluate the success of the outsourcing initiative (financial, operational, regulatory, etc.); legal must re-negotiate terms as needed; and senior management must determine whether to renew the contract.

If an organization decides to terminate the relationship with the service provider and re-acquire the functions, it is necessary to manage the transition process. The PMO must plan the transition process; legal must validate IP ownership as defined in the contract; and information security must perform a risk analysis of the functions and processes to be re-integrated into the organization and audit the service provider to ensure all data is retrieved.

Conclusion

Information security has a significant contribution to make to this outsourcing/off-shoring lifecycle. The contributions include but are not limited to performing risk assessments to address confidentiality, integrity and availability of information assets to be outsourced, analyzing the security controls of the short list of service providers and performing in-depth site audits of the selected service provider’s security control environment. On an ongoing basis, information security practitioners need to create processes for incident reporting, management and ongoing monitoring for security and compliance purposes.

Failure to involve information security at various points in the outsourcing/off-shoring lifecycle may result in a negative outcome which includes but is not limited to higher costs for retroactive controls implementation, insufficient and non-empirical metrics and performance standards, dispute over intellectual property ownership, not knowing that the service provider had subcontracted the function to another provider, difficulty managing cross border data flow issues and inadequate security of intellectual property.

Organizations need to be prudent in their pursuit of cost savings and efficiencies. The strategies that maximize profit must include risk management and compliance components. Senior management needs to ensure that the potential benefits associated with outsourcing are balanced with the costs associated with risk management. Including security and compliance considerations into the outsourcing lifecycle will ensure that the pitfalls outlined above are avoided.

Simone Seth is a director at Pricewaterhouse Coopers, serving as an industry analyst for the Information Security Forum (ISF). The ISF is an association dedicated to researching leading information risk management and information security business practices in today’s global marketplace. Simone is responsible for creating a business presence in North America for the ISF and providing thought leadership and expert consulting services, including forecasting trends in security, privacy, governance and compliance.

Formerly the director for IT Governance & Compliance at Citigroup, Simone was responsible for developing and deploying an IT Governance, Risk Management and Controls Compliance Program to support the Citigroup Technology Services Group (CTSG). Prior to joining Citigroup, Simone was a director at Deutsche Bank, where she served in two capacities concurrently – as the Chief Privacy Officer (CPO) and the Chief Operating Officer (COO) for the global Information Risk Management Program.