Stay Ahead With Linux Security News

data protectionIT securitydata loss

Examining Outsourcing Risks: Data Loss and Control Challenges

A woman in Pakistan recently struck fear among IT executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco, Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. . . .. A woman in Pakistan recently struck fear among IT executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco, Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. The story didn't sit well with John Golden, CIO at CNA Financial Corp., a $12.3 billion insurance company in Chicago that outsources a small portion of its billing functions to India. Golden's team implemented a slew of physical, technical and contractual security precautions to protect customer data, such as sending only necessary bits of customer information, backing up files in a centralized server at the home office and putting tough restrictions on employee turnover at the outsourcing facility. But there's always a horror story to make him wonder. "I wish I could say we have the security issue licked," Golden says. "We haven't had any security breaches to our knowledge in this space" since CNA began outsourcing its billing function a year ago. But with the growing number of sophisticated hackers, terrorist threats and old-fashioned opportunists, the threat of a security breach looms daily. The outsourcing train has left the station with many top financial, health care, tax reporting and credit reporting companies on board. The business process outsourcing market in India alone is expected to grow 54% to $3.6 billion by the end of this quarter, according to the National Association of Software and Services Companies, a New Delhi-based organization made up of 800 Indian IT and outsourcing companies. Industry observers warn that ifoutsourcing isn't done thoughtfully, with proper security controls beyond the encrypted domain level, companies will have their own horror stories to tell. Here are their tips on controlling data that's in the hands of a third party: Ask to See a Security Audit "If you're handling financial data or health data, you are required by law to have an information security plan that has administrative, technical and physical steps taken to safeguard the data -- even less sensitive customer consumer data," says Becky Burr, an attorney and member of the International Association of Privacy Professionals in Philadelphia. Though the requirement is broad and doesn't point to one particular standard, Kelly Kavanagh, an analyst at Gartner Inc., says outsourcing vendors should provide evidence that they have undergone a security audit by a reputable third party, such as a Big Four accounting firm. Audits using standards provided by a government agency such as the National Institute of Standards and Technology or a Statement of Auditing Standards 70 form also provide protection. But many outsourcing firms balk at the high cost of those audits -- some run to six figures -- and choose less expensive documentation. Some outsourcing vendors conduct audits against vertical industry standards. Health care companies should see an audit related to Health Insurance Portability and Accountability Act (HIPAA) regulations. CIOs in the financial services industry can look for audit guidelines under the Gramm-Leach-Bliley Act. Set Up a Clean Room Some facilities handling sensitive data require a clean-room environment to keep information from literally walking out the door. The link for this article located at ComputerWorld.com is no longer available. . Worries about offshoring intensify following the exposure of confidential information, underscoring the importance of strong safeguards.. Data Protection,Risk Management,Outsourcing Challenges. . Anthony Pell

Mar 17, 2004 • Anthony Pell Network Security