Given the requirements of regulations such as Sarbanes-Oxley, the Gramm-Leach-Bliley Act and the California data-theft notification laws, most U.S. banks have stringent data security controls in place, observes BearingPoint (McLean, Va.) senior manager Hitesh Anklesaria. But, according to a recent white paper from the consultancy, although there is a strong focus on quality control and processes, a consistent approach to security sometimes is lacking in offshoring relationships.
"Everyone knows data is an asset to them," Anklesaria relates. "If something happens to [customer data], the firm's reputation is at stake." When Anklesaria and BearingPoint examined some India-based offshore firms, however, there were inconsistencies around data security. Often, there was a difference between written documentation and what the offshore provider practiced. "Some good security controls that were being executed were not documented," Anklesaria explains. "In one case, the vendor had good documentation [of security controls], but it was not what they practiced."
According to Anklesaria, many vendors are certified by the International Organization for Standardization (ISO) for security. Of the five he visited for his research, two already were ISO certified and the other three were in the process of earning certification, he notes. Still, a lack of communication between IT and the business can lead to security vulnerabilities. "If you talk to an information security officer, he'll say the company does everything" to protect data, Anklesaria asserts. "But if you ask someone from another area of the company, they just won't know [about security procedures]."
The key to remedying this situation is regular security training for everyone, Anklesaria stresses. "Most companies just do security training at the time of employee on-boarding and that's it," he explains. "They also need to do security refresher courses for people at all levels."
Can't Outsource Responsibility
Ultimately, though, responsibility for ensuring that offshore providers secure data properly rests with the outsourcing firm. "Due diligence required by clients to assess, monitor and remediate vendors must be done regularly," Anklesaria says. "Clients should create a comprehensive risk and compliance framework where they continually assess their offshore vendors. You address this by writing procedures and implementing proper technology."
In fact, it is the lack of specific security parameters in contracts that often leads to security lapses in offshore relationships, according to the BearingPoint research. While there might be some wrangling among the companies' legal departments over the precise language, Anklesaria notes, the pushback from vendors is around the extent of the intrusiveness upon the vendor by the outsourcing partner.
A vital component of this formalized security process is periodic assessment of controls to identify risk, either through random, surprise inspections or in cooperation with the vendor. "You'll try to understand the processes they have, look at the documented procedures of the vendor and then go on site to see physically how they do it," Anklesaria says. **
According to BearingPoint, the most vital part of a proper security assessment of offshore vendors is reviewing security-related controls in the following documents:
• Organizational charts for all job roles, including IT support functions.
• IT strategy, mission and goal statements.
• Information security policy.
• Documentation of compliance department goals and objectives.
• Business continuity/disaster recovery plans for each key function/platform.
• Other relevant records.