IT Outsourcing and Information Security

From the Editors of CIOSC

A U.S. company announced last month that an insider at its research and development center in India stole portions of the source code and confidential design documents relating to one of its key products. As a result, the company halted all development at the center.

We assume risk when we hand over the control of key corporate systems to others. Here are several security issues that financial institutions must address upfront before they decide to outsource.

Outsourcing gathers momentum

Most of the top global financial institutions are already outsourcing some parts of their IT to offshore destinations, many through specialized offshore vendors. In addition, many leading firms now own and operate their own "captive" sites in countries like India or China. While outsourcing has emerged as one of the most polarizing issues in our society, recent research indicates that the practice is only going to increase. Indeed, research and advisory firm TowerGroup estimates that the top 15 global financial institutions will increase IT spending on offshore outsourcing by 34 percent annually -- representing an increase from $1.6 billion in 2004 to $3.89 billion in 2008.

This rise in outsourcing has not been accompanied by a similar rise in security awareness. As Rich Mogull, research director for information security and risk at Gartner Inc., has observed, "caveat emptor" needs to be the guiding principle when it comes to securing outsourced IT operations. Add to that: the buyer should beware especially before the contract is signed. Horror stories abound of financial institutions that have insufficiently assessed the control environment of their service providers. Financial institutions and their service providers must come to an explicit understanding about security and embed that understanding in the contract.

On this score, the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information" of Gramm-Leach-Bliley are very clear:

"Disclosing information to a person or entity that provides services to a financial institution creates additional risks to the security and confidentiality of the information disclosed. In order to protect against these risks, a financial institution must take appropriate steps to protect information that it provides to a service provider, regardless of who the service provider is or how the service provider obtains access."

Some institutions labor under the belief that an outsourcing arrangement that is backed up by a robust Service Level Agreement puts an end to their worries. Not so. Increasingly, financial services regulators are stating that "you can outsource the function but not the management responsibility," regardless of what is contained in the SLA.

Choosing a service provider

So if security isn't something that can be relegated to an SLA, what should financial institutions do to ensure that a service provider has implemented a solid set of security controls? The short answer is: they have to do their homework.

Fortunately, much good work is being done in this area, and all financial institutions would do well to leverage it. For example, earlier this year, the Banking Industry Technology Secretariat (BITS) published a set of industry guidelines to use in evaluating the security risks of IT outsourcing deals. The guidelines are based on the International Standards Organization's ISO 17799 code of practice for information security management, which covers categories such as documenting corporate security policies and classifying assets. They also include best practices gathered from BITS members and input from vendors, government agencies, and third-party IT auditors. The guidelines, which are embodied in a 33-page spreadsheet, include questions to ask IT services vendors during each stage of the outsourcing process, including risk management, planning, testing, and governance. (BITS released the security guidelines as an addendum to an existing framework for managing business relationships with IT service providers.)

Gartner too has dug deep to get at the critical security questions to be asked of any potential service provider. Here's a representative sampling:

Network Layer: Does the service provider require the use of two-factor authentication for administrative control of all routers and firewalls? Does the service provider support 128-bit encryption and two-factor authentication for the connection from the customer LAN to the service provider's production backbone? Does the service provider offer redundancy and load-balancing services for firewalls and other security-critical elements?

Platform: Can the service provider provide a documented policy for hardening the operating system under Web and other servers? If the service provider co-locates customer applications on physical servers, does it have a documented set of controls it uses to ensure separation of data and security information between customer applications?

Applications: How does the service provider review the security of scripts and integration code that are added to the commercial applications it provides? Does the service provider provide application or transaction-based intrusion detection services?

Operations: Does the service provider perform background checks on personnel who will have administrative access to servers and applications? Can the service provider show a documented process for evaluating OS and application vendor security alerts and installing security patches and service packs?

Finally, make sure that the service provider partner behaves like a financial institution. When shopping for a service provider, look for one that shares the same standards regarding security as your own institution. Look for one that has gone up the learning curve, so to speak. In the end, look for one that doesn't cut corners on security as a way to save money.

Conclusion

It's no surprise that outsourcing continues to gain momentum. Today's global economics practically dictate it. But as financial institutions entrust more of their IT operations to service providers, they must be more vigilant than ever about security. Anything less is certain to attract the swift attention of regulators.

In the end, there's no good reason why the security surrounding outsourced IT shouldn't be as strong as that which applies to our internal systems. But guaranteeing that requires time, effort, and money.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
