Key security considerations when outsourcing your ICT
ICT outsourcing is a growing trend globally, as many organisations choose to focus their efforts and resources on their key competencies. Outsourcing enables businesses to access the appropriate level of skills at a reduced cost and human resource investment. However, there are a number of security risks to consider when outsourcing.
These range from the exposure of sensitive information and processes, to a cultural mismatch between you and your service provider:
- Information leakage – Ensure that your agreement with your service provider covers access to sensitive information and processes. The service provider’s staff should feel committed to protecting your organisation and its brand reputation.
- Rigid and standard service offerings – Ensure that the agreement includes clauses for customisation and innovation that align to your company’s culture and business objectives.
- Lack of awareness/visibility – An organisation’s security posture prior to, during, or when terminating an outsourcing agreement isn’t always clear. Ensure systems and processes are in place to enable you to gain this understanding.
- No secure information handling – Ensure your service provider handles your information and systems securely when both on and off site.
- Uncontrolled remote access – Implement systems and processes to ensure that you’re aware of who, when, why, and how your service provider connects to your environment.
By addressing the following key controls, you’ll be better equipped to address these risks and enjoy a successful outsourcing experience:
- Own your security strategy, policies, and functional standards.
- Know your security posture (have the ability to determine the security posture at any time).
- Build security-focused agreements.
- Vet your service provider and its personnel.
- Define access governance.
- Determine and set information handling standards.
- Centralise and limit access to system audit logs.
- Have a defined authorisation matrix for sensitive systems.