Open IT Forum: How much of your sensitive information can you trust to outside organizations?

6345 pts.
Tags:
Network security
Network Security Management
Network Security Policies
Open IT Forum
Outsourcing
Outsourcing services
What is your limit for how much of your information security program you outsource to contractors? Is it better to develop information security expertise solely in your employees or is it acceptable to outsource to an external expert? Hiring security service providers and contractors to manage portions of your enterprise information security program (incident response, intrusion detection, etc.) makes sense for many organizations, especially those that don't have the ability to develop in-house expertise in these fields. But is there a limit to how much of your sensitive information and access to your critical infrastructure you should allow to outside organizations?

Answer Wiki

Thanks. We'll let you know when a new response is added.

The topic is really very interesting ! Outsourcing involves cross-border transfers of indeterminately large proportions of a client’s proprietary and confidential information assets. There are several companies from developing countries is contracting with financial institutions, hospitals, and insurance companies to do their back office jobs. In most cases these companies deal with sensitive informations, such as medical data, payroll information, financial informations and so on. The outsourcing companies understand that there is a time zone difference and they like to take advantage of this. Also, they provide the services at a comparatively lower cost. There are several advantages, if any company goes for outsourcing….the company will not have to invest any capital in getting the latest technology and talent in the industry and this means a lot of savings for the said company. The company can keep a check on the status of the work and be in touch with the outsourcing companies to ensure that the work will be completed on time. But there are some risks for outsourcing. You can not make a police checks for your work to the outsourcing companies.
One of the most risky thing is, suppose, a person who applied to a company (say ABCD company) for a job and some reasons the company rejected him/her. Now the company contacts to a outsourcing company (say XYZ) for its outsourcing jobs and the deal is done. Up to this fine, But…. if the same person who rejected earlier from ABCD company, now works for the same outsourcing company i.e. XYZ company. Then what will be the situation ! That person may become harmful to ABCD company with its important information. But the companies may take some precautions to avoid risks to the some extent.
Before deal with outsourcing companies, check for criminal background and if possible also for credits. There is lack of information risk if a company doesn’t arrange an interview with outsourcing company, and try to extract information as much as possible and not only that, make arrange for an unscheduled official visit to the outsourcing company to know how of their man power or their infrastructure specially if the outsourcing company is doing a help desk call center then this is a must. Don’t trust on the outsourcing company’s references, try to gather information from the companies which already made a deal with the outsourcing company and if possible check by person. Give priority If the outsourcing company does not have a local call center, try out to find where is it located. This is specially taken care in case of USA jobs to Asia. If this is done, the outsourcing company may send wrong message to the customers and employees of the actual company.

Thanks–

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • jinteik
    at my side i do practically everything that is stated by you Melanie.
    18,085 pointsBadges:
    report
  • ShalomC
    The answer is not simple. If you hire an employee, do you have a higher assurance that he is honest and loyal than if you outsource the same job to a contractor? Maybe you only have a perception of higher security? The answer lies in transparency of the contractor's procedures, adoption of appropriate practices and standards by the contractor, and auditing done by you. These are eventually questions of trust. Other than that, there are legal and regulatory issues that must be addressed. Maybe some data cannot be outsourced to a contractor in another country? This is the case with HR related data in many countries. Can you legally let an outsider have access to personal customer records? Maybe not, and maybe there are legal or technical workarounds. Maybe in order to let a security contractor monitor your network, some data must be tokenized or encrypted everywhere.
    25 pointsBadges:
    report
  • Yeomanie
    There are 2 questions here as I see it: 1. Which sensitive information is mission-critical and should not be released? 2. How much outsourcing is realistic and economical depending on the budget and the size of the organisation? The first question may have to do with the intellectual property or knowledge that an organisation has and does not want to release because it may be critical to the company's business and releasing it to external sources could jeopardise this. The trust factor for an external contractor or outsourcing company may depend on not just the reliability of the external agent but also their sensitivity to what is key and should not be released, and their levels of training and awareness on disclosure of sensitive information. How does an external organisation know what is sensitive to the organisation it is working for? This should be discussed during initial negotiations. 2. It may be both practical and economic to outsource certain functions, where the amount of expertise or level of productivity required does not justify paying market-rate salaries for just that function. An example might be e-mail spam control for the organisation's e-mail domain. Even large companies can tend to outsource this function which is highly specialised and where the hiring of an internal employee to do this - someone with specialist knowledge - and therefore perhaps a high market-rate salary demand - may not be justified. Of course for smaller organisations a number of these functions will quite simply not be practical to have in-house.
    120 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following