Outsourcing part 1 of 2 - Services

Outsourcing is a very common practice today - whether outsourcing a specific facet of your business, or a fringe business need. However, have you done enough to protect your business and your customers data? How much is enough? This article will help answer these questions. This article is part 1 of 2 on outsourcing practices.

Service Outsourcing

Cybersecurity, or information security is a large topic with many facets.

In this article, I would like to focus on the practice of outsourcing and the risks that it introduces. Many of us are aware of the benefits of outsourcing:

• Outsourcing can significantly reduce the operating and development expenses of a company.
• It’s also a great way to reuse someone else’s expertise without having to make an investment in your own staff or product.

However, in today’s environment where data breaches and associated liabilities are rampant, you need to be aware of the risks that come with outsourcing in order to mitigate that risk. I will cover one aspect of outsourcing: Service/Product outsourcing. This is the outsourcing involved in utilizing a company to fulfill a product or a service - for instance an e-commerce supplier for your products.

Companies may enter into an outsourcing arrangement with a provider with the expectation that all the risk is transferred to the outsourcer, but this is incorrect. While contracting with an outsourcer, you may have moved some of the technical mitigations to the outsourcer, but you always own the ultimate liability of any breach, and need to manage accordingly.

As with any risk management program, an organization needs to understand what is priority to be protected and what it’s relative worth is, in order to determine how best to protect it. Legal frameworks (if they apply) may add requirements for your jurisdiction (ie/ GDPR, PIPEDA, HIPAA/HITECH, etc), or your customers jurisdictions, need to be considered. Once this exercise is complete, we can move forward to determining risk and the value of the assets at risk. This discussion about priority and value of assets should be undertaken before any discussion is made to outsourcing companies, as it may add to or drive some of the requirements for the outsourcer.

In many cases, regulations such as the GDPR, PIPEDA, and HIPAA/HITECH provide guidance to understanding how best to protect and handle the information that end consumers entrust to us.

For service/product outsourcing, the biggest effort occurs before entering into a formal agreement with the outsourcer, where due diligence should occur. This effort can be intensive, as the intent is to discover poor practices, and poor protection in both your direct supplier and their downstream providers. In some cases, it may lead to additional contract provisions. It is worth noting however, that the requirement to keep your customers information private is with you, and it is your obligation to ensure that data is appropriately protected regardless of where it happens to be.

Here are some sample considerations:

• How compliant are your suppliers relative to your obligations?
• What geography do they operate in? Is this permissible based on your obligations?
• What systems and data will they need access to?
• Assuming the suppliers employees will have access to privileged data, how does the supplier manage and control it’s employees accesses? What are its human resources and hiring policies?
• What suppliers does your supplier subcontract to? What is the state of their information practices? What are their policies?
• How is change managed? How is change notification and managed integrated into your awareness and processes?
• Diligence to ensure that the outsourced company will have best practice protections
• Diligence to ensure that the outsourced company will not share the information with their information supply chain, or if it is, it’s clear what is shared, when and you agree to it.
• Diligence to ensure that the outsourced company has a clear breach notification process
• Diligence to ensure that you can request and remove your information from the outsourcer

These are not small questions, but the answers (and timeliness of the answers) will tell a considerable amount about how the supplier has prepared for their information security, and an indicator of how they will safeguard your information.

After having made a decision to choose a supplier and the appropriate vetting has been done, information integration needs to be considered, and as a best practice - recorded:

• What information will the supplier have access to?
• Which roles/departments at the supplier will have this access?
• How will the suppliers change management process be integrated?

These issues I’ve mentioned can be complex, but they can be managed by having a managed information security program, which will ensure that your security stance is defined, kept intact, and maintained - whether you are outsourcing or not.

As I mentioned in my first paragraph, cybersecurity is a large topic and a cybersecurity practitioner has to be invested and kept current. Organizations need to either have an in-house resource owning an information security program, or need to engage an outsourced cybersecurity resource. In the latter case, all of the above points still apply. Do your diligence!