Companies see data loss risk as 'afterthought' with outsourcing
Despite awareness of the security risks for enterprise data associated with outsourcing, many companies persist in ignoring potential problems until it is too late, a report from the Information Security Forum (ISF) has warned.
'Information Risk Management in Outsourcing and Offshoring' declares that information risk management is often integrated as an afterthought, and information security professionals become involved "too late in the lifecycle". This can be explained by "a lack of awareness at the highest levels", and a failure to understand the importance of information risk management through all stages of an outsourcing project.
“Failure to involve information risk managers at the start of a project and through its lifecycle increases the enterprise’s exposure to risk; whether it’s data theft, information leakage or disputes that may arise from questions of ownership of intellectual property,” says the report’s author Simone Seth. “Information managers need to identify all outsourced processes, operations and technology and agree business criticality levels through all four steps that comprise an outsourcing lifecycle.”
Seth identifies these as 'prepare', 'implement', 'operate' and 'review': “Information risk managers are also able to add contractual clauses that relate to information security regulatory requirements and offer additional protection from a legal standpoint,” she says. Also important is a full understanding of regional compliance requirements and regulations, as well as the wording of contractual terms to prevent future disputes over the ownership of intellectual property and the transfer of data.
“Typical risks at implementation and operational stages that can occur if the right controls are not effective include fraud, data theft or hacking that can lead to data loss and confidentiality breaches,” Seth adds.
Further information: www.securityforum.org