FRAMINGHAM (03/15/2004) - Theresa Grant, director of information security for The Dow Chemical Co., answers readers' outsourcing questions.
Q: What do you consider to be the top three benefits and pitfalls for outsourcing IT security?
A: There are a number of benefits when it comes to outsourcing IT security. Security service providers deal with a wide range of clients and, as such, have a wide range of expertise. Outsourcing information security allows companies to leverage the best practices the provider has gained from other clients. Additionally, economies of scale can be leveraged, reducing costs while providing a variety of resources. Finally, for routine activities such as password resets, security monitoring, security management and others, outsourcing information security requires fewer resources.
However, there are disadvantages. When you outsource IT security, you give contractors access to your environment. Because of that, you need to control the level of access you grant your providers and ensure that their policies for screening their employees meet your standards. Furthermore, when developing your service-level agreements, ensure the necessary language is included so that you receive all the services you request and that your provider's staff understands and abides by your internal security policies. Finally, don't take for granted the importance of monitoring activity; provisions must be made to ensure you get the services you pay for.
Q: How can I create a contract that appropriately puts the outsourcing provider on the hook if one of its employees uses our data fraudulently?
A: It is important to ensure that your contract protects you from inappropriate data or network use by your outsourcing provider. Make sure your contract contains a "right to audit" clause, and that you have audit processes in place to determine whether best practices are being employed or misuse is occurring. Furthermore, by adding language to your contract that details the action your supplier must take to remedy a situation where inappropriate use occurs, you will raise the provider's accountability and protect your company.
Q: If outsourcing presents an increased security risk, how can I consider outsourcing security?
A: That may be true. However, depending on a company's overall outsourcing strategy and core competencies, it may be a greater risk to maintain the security services internally than if they were outsourced to a reliable, reputable security service provider.
The key is balance. You don't want to give away the keys to the kingdom, so you need to make sure your networks and data are adequately protected. Your first course of action should be evaluating your options and determining if outsourcing is right for you. If it is, you should consider a number of providers to determine which has the expertise to meet your needs. You also want to make sure you aren't outsourcing governance or an area that would require access to privileged information. Once a provider has been selected, work with the provider's consulting group and see if you are comfortable having your security managed externally. Also, I can't emphasize enough the importance of having audit processes in place so that you can monitor the provider's activities and ensure your security policies are followed.
Q: What are the key questions that need to be answered when evaluating whether to outsource security?
A: Here are some important questions to ask:
What is your company's risk tolerance?
What is the cost versus the benefit?
Are the greatest economy of scale benefits internal or with a security service provider?
What is the outsourcing strategy of the organization?
Does your internal audit organization have the tools or capacity to manage the outsourcing relationship?
Do you have the necessary internal security expertise and resources, or will you benefit more from looking outside the organization?
Q: Which functions of IT security could be effectively outsourced and which should be retained?
A: Infosecurity functions that could be effectively outsourced include administrative tasks, server administration and security monitoring. Companies should retain any activities that relate to their governance framework or that are driven by risk assessments -- security policies, requirements, strategy and others -- and functions that require privileged access.