September 1, 2017

Whenever senior business executives consider outsourcing, many concerns about IT security arise. Fortunately, a well-built security process can guarantee the success of the outsourced project. In this article, we'll explore the IT security issues of outsourcing in detail.

Handing the idea of your new software product, or the details of your enterprise's internal processes, to an external contractor carries specific risks. First of all, the IT outsourcing services provider should be treated as a trusted ally rather than a menace; only then can the contractor help you build a secure development process.

WHAT IS IT SECURITY

The legal problems of handling security issues with outsourcing can be illustrated by contrasting the mechanisms available within the organization with those available when using the services of third-party suppliers. From a legal point of view, all processes occurring within the organization can be regulated by local (internal) acts: executive orders, collective and individual labor contracts. These local acts may assign employees the responsibility to protect information, establish measures to control how they handle data (reports, inspections), and set out the consequences of violating their duties.

The situation is different when certain activities are transferred to third parties, i.e., outsourced. To the customer, the outsourcer is a kind of "black box": the customer cannot control the processes inside the outsourcer's organization. The only thing that can be demanded from an outsourcer is compliance with the obligations agreed in advance between it and the customer, including compensation for losses in case those obligations are violated or harm is caused.

EXAMPLE OF THE IT OUTSOURCING PROVIDER PROTECTING CLIENT’S SENSITIVE INFORMATION

One might say that there is no unified standard for the contract signed by the two parties, that every contract is unique and its details depend on the specifics of the company's operations. However, there is still a common pattern where information protection is concerned. Let's take a look at the key points that provide a high level of information protection and outsourcing security.

The first thing required is signing a Non-Disclosure Agreement (NDA).

NDAs are legally binding contracts that set the conditions under which a disclosing party shares information in confidence with a receiving party. Depending on how many parties disclose information, NDAs may be "one-way" (one party discloses and the other receives) or "two-way" (both parties disclose to each other).

Often, an external IT services contractor is involved in a project for a limited period of time. Because of that, the outsourcing provider signs an additional NDA with its own internal staff. This is necessary to keep all information concerning software development and operations secure until it becomes outdated and non-sensitive, including for some period after an employee leaves the contractor or after the project is completed.

The NDA may also require that some parts of the work be performed in the customer's environment rather than remotely. In that case, all sensitive data is stored on the customer's side as well.

The last thing required is a specific Data Access Policy. It reads as follows: each person involved in the development process has access only to the cluster of data they are working with. No outsider can get access to the restricted information or to the whole project at once.

This is the actual set of IT outsourcing security measures that Existek applies to ensure a high level of client IPR protection during our custom software development and dedicated development team projects. We use this set of measures on our outsourced projects to guarantee the highest level of IT protection without a significant impact on the complexity of the overall development process or on team performance. With this IT security model, our customers can be sure that protection won't cause extra expenses, because all these measures are already built into the company's standard operating procedures.

So, let's summarize these measures:

  • Non-Disclosure Agreement and defining the security requirements in a contract
  • An additional NDA with the contractor's own staff
  • Some work is done remotely, only on the customer's servers/computers, and all sensitive data is stored there.
  • A Data Access Policy is signed, so specific data is available only to a limited list of people.

IT OUTSOURCING SECURITY CHECKLIST

The objective of the checklist is to assist program managers, security officers, system owners, and contracting officer representatives in identifying areas of increased outsourcing risk and concern, and areas not in compliance with national and agency policy and standards. The key areas examined in this checklist include:

  • IT, Physical and Personnel Security Policy
  • Organization / Contract General Provisions
  • System, Data and Device Inventory
  • System Certification and Accreditation
  • Contingency Planning
  • Continuous Monitoring / Risk Management
  • Weakness Management
  • Incident Handling and Response
  • Security Configuration Management
  • Security Training

IPR SECURITY: ADVANTAGES AND FLAWS OF OUTSOURCING SECURITY

There are both pluses and minuses here. On the one hand, the customer no longer needs to control all the outsourced processes: once these activities are transferred to professionals, the contractors are responsible for carrying them out properly. If the outsourcer fails to fulfill its duties, all losses incurred by the customer are to be fully reimbursed. On the other hand, the specific nature of outsourced activities means that an emergency is easier to prevent than to clean up after. For example, in the banking sector the protection of outsourced information systems is critical, because losing control over the stored personal data of customers can lead to the collapse of the bank as a whole. In addition, losses are difficult to prove, especially financial losses. All this shows that compensation for losses cannot fully restore the customer's property interests.

Consequently, IT outsourcing security issues are critically important. Optimizing business processes by transferring non-core activities offshore improves cost efficiency. However, turning to outsourcers requires security measures in the relationship with them, and those measures have their own cost. Handling security issues with outsourcing therefore comes down to finding the optimal balance between outsourcing (and the savings it brings) and information protection (and the costs of providing it).

From a legal point of view, the question is who determines this balance. As a rule, the customer makes this decision: the customer defines the list of activities for which the services of a third-party organization will be used, and the budget for outsourcing and IT security. In some cases, however, the search for resources can be assigned to the contractor, who, unlike the customer, is a professional and can suggest the best solution based on its knowledge and skills. At the same time, though, problems with outsourced software development, such as controlling the outsourcer, then arise in full force.

In some cases, the search for the optimal balance between the interests of information protection and the use of outsourcing can be simplified by securing the outsourcer's performance of its obligations. Although damages cannot restore property interests in all cases, as a rule they are sufficient to maintain the viability of the customer company, provided the losses are repaid in full and on time.

EXAMPLE OF HOW TO HANDLE SECURITY ISSUES WITH OUTSOURCING

The following case is an interesting example. A customer commissioned an organization to create and maintain a corporate information system. The system was created and put into operation. Later, however, it became clear that the system's program code had been debugged and compiled using a demo version of the software development environment. The license for the development environment stipulated that software products created during its free use could not be commercial, that is, distributed for money. Thus, the software product created for the customer was counterfeit, and this kind of counterfeiting is practically "incurable", since the created system can be legally used only with the special permission of the copyright holder of the development environment.

Even though the outsourcer had not fulfilled its obligations and the customer could not use the information system, recovering damages was extremely problematic, as they were extremely difficult to assess and prove. In addition, unilateral termination of the outsourcing contract by the customer is hardly possible in such a case, since it is impossible to say in advance whether the outsourcer's violation of its obligations would be recognized as material: after all, the software product was created.

On the one hand, proper provision of IT security in safe outsourcing includes, among other things, compliance with all legislative requirements and respect for the rights of others. In particular, it is necessary to make sure that the outsourcing company complies with the legislation on licensing and certification and with labor and tax legislation. On the other hand, the interests of IT outsourcing security should not become a basis for violating or limiting the rights and legitimate interests of others. In this regard, technical means of information protection such as covert surveillance, traffic monitoring, etc. must be used very carefully. While such protection may be applied to the organization's own employees when it is stipulated in the organization's local acts, applying it to third parties, including employees of the outsourcing organization, is unacceptable.

INSURANCE AS A MEASURE FOR SAFE OUTSOURCING

Insurance is still not widely used as a means of managing security issues with outsourcing. Its wider adoption is hampered by a number of legal problems, in addition to organizational ones.

The type of insurance that can be used to secure compensation for losses during outsourcing is insurance against the risk of liability for causing harm. However, this type of insurance is restricted to extra-contractual risks, i.e., risks not related to the performance of contractual obligations between the parties. Liability arising from the contract itself can be insured only in cases stipulated by law.

In many cases, the damage related to security issues with outsourcing cannot be calculated in monetary terms at all. This concerns not only cases of disclosure of confidential information or use of inauthentic or outdated information received from the outsourcer. Turning to an outsourcer's services also raises issues of copyright compliance in a new way. The fact is that when using outsourcing, copyright must be respected in both companies, not in only one of them: licenses for software products must be obtained by both the customer and the outsourcer, and products created by the outsourcer can be used only after the rights to them have been "cleared".

IN CONCLUSION

Dealing with security issues with outsourcing by legal measures alone is extremely difficult, but it is also impossible to manage without them. Relations with the outsourcing organizations engaged should be built on trust. The non-legal component of that trust is expressed in the outsourcer allowing the customer to oversee its internal processes and taking measures to prevent problem situations as directed by the customer. From the legal side, trust means the possibility of terminating the contract with the outsourcer unilaterally. This makes it possible to avoid damage in cases where the outsourcer's activity ceases to meet the customer's IT security interests.

In addition, the use of outsourcing is possible only insofar as its purposes are aligned with the interests of information protection. IT security, understood as the orderliness and organization of information processes and information storage, is, like outsourcing, aimed at increasing the efficiency and sustainability of the business.

Any outsourcing provider that has been operating in the market for some time takes client confidentiality very seriously. Reputation and building long-lasting business relationships are the driving force behind every action of an IT outsourcing services provider. This is also true of Existek, as we care about the safety of our partners' sensitive information. Contact us directly or visit our Dedicated Development Team Service Page to let us know about your requirements, and we'll be glad to help you build a highly secure and efficient IT outsourcing process.