A woman in Pakistan recently struck fear among IT executives who
outsource. She had obtained sensitive patient documents from the
University of California, San Francisco, Medical Center through a
medical transcription subcontractor that she worked for, and she
threatened to post the files on the Internet unless she was paid more
money. . . .
A woman in Pakistan recently struck fear among IT executives who
outsource. She had obtained sensitive patient documents from the
University of California, San Francisco, Medical Center through a
medical transcription subcontractor that she worked for, and she
threatened to post the files on the Internet unless she was paid more
money.

The story didn't sit well with John Golden, CIO at CNA Financial
Corp., a $12.3 billion insurance company in Chicago that outsources a
small portion of its billing functions to India. Golden's team
implemented a slew of physical, technical and contractual security
precautions to protect customer data, such as sending only necessary
bits of customer information, backing up files in a centralized server
at the home office and putting tough restrictions on employee turnover
at the outsourcing facility. But there's always a horror story to make
him wonder.

"I wish I could say we have the security issue licked," Golden says.
"We haven't had any security breaches to our knowledge in this space"
since CNA began outsourcing its billing function a year ago. But with
the growing number of sophisticated hackers, terrorist threats and
old-fashioned opportunists, the threat of a security breach looms
daily.

The outsourcing train has left the station with many top financial,
health care, tax reporting and credit reporting companies on board.
The business process outsourcing market in India alone is expected to
grow 54% to $3.6 billion by the end of this quarter, according to the
National Association of Software and Services Companies, a New
Delhi-based organization made up of 800 Indian IT and outsourcing
companies.

Industry observers warn that if outsourcing isn't done thoughtfully,
with proper security controls beyond the encrypted domain level,
companies will have their own horror stories to tell. Here are their
tips on controlling data that's in the hands of a third party:


Ask to See a Security Audit

"If you're handling financial data or health data, you are required by
law to have an information security plan that has administrative,
technical and physical steps taken to safeguard the data -- even less
sensitive customer consumer data," says Becky Burr, an attorney and
member of the International Association of Privacy Professionals in
Philadelphia.

Though the requirement is broad and doesn't point to one particular
standard, Kelly Kavanagh, an analyst at Gartner Inc., says outsourcing
vendors should provide evidence that they have undergone a security
audit by a reputable third party, such as a Big Four accounting firm.

Audits using standards provided by a government agency such as the
National Institute of Standards and Technology or a Statement of
Auditing Standards 70 form also provide protection. But many
outsourcing firms balk at the high cost of those audits -- some run to
six figures -- and choose less expensive documentation.

Some outsourcing vendors conduct audits against vertical industry
standards. Health care companies should see an audit related to Health
Insurance Portability and Accountability Act (HIPAA) regulations. CIOs
in the financial services industry can look for audit guidelines under
the Gramm-Leach-Bliley Act.


Set Up a Clean Room

Some facilities handling sensitive data require a clean-room
environment to keep information from literally walking out the door.

The link for this article located at ComputerWorld.com is no longer available.