How To Assess Offshore Data Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // IT Strategy
06:45 PM

How To Assess Offshore Data Security

Secure offshore outsourcing takes similar strategic thinking as in-house work.

The global IT outsourcing trend shows every sign of continuing, with two-thirds of the 2007 InformationWeek 500 tapping offshore outsourcing. With experience, companies get confident in moving ever-more-sensitive IT or business processing work abroad. One of the foremost concerns for business technology managers is exposing data, so here we provide a broad overview of key areas to watch and delve deeper with offshore partners.

For starters, don't lose perspective. Data sent offshore faces the same basic risks as data kept in-house, including theft by employees, compromise by intruder, exposure by error or loss, and corporate espionage. Yet given the sensitivity to offshore data and likely resulting backlash, plus the different legal standards companies may face, the problems caused by data loss abroad could be amplified. Use the heightened sensitivity around offshoring as a reason to thoroughly test partners--and assess in-house operations.

InformationWeek Reports

Security concerns surrounding offshoring aren't all xenophobia, since legal recourse around data and intellectual property can vary greatly country to country. Gartner, for example, gave India a "good" rating for data and IP protection, China "poor," Brazil "fair," and Mexico "very good" in a series of reports in November. And the gap between the letter and reality of law as it's enforced can be vast. Brad Peterson, a lawyer at Mayer Brown, whose 1,800 lawyers include 300 in Asia, shares the story of a U.S. company, which he declines to name, that spent more than $2 million in India fighting intellectual property theft by a competitor. It won at all levels of the legal system, but the rival continued to operate with the stolen property. Any country offers benefits and drawbacks to be weighed case by case. In all, contracts should spell out security standards and recourse, but technical and physical controls are the front-line defenses to rely upon.


chart: What global strategies are in place in your company?
The larger, better-known names in outsourcing will have all their certifications, such as ISO 27001, to boast of, but that doesn't mean they should get the benefit of the doubt on information security. A small firm may offer even more specialized attention and experience.

ISO 27001 is certification that a company documents and follows information security practices and controls. Take note of the auditor's findings to ensure that the controls you most value are part of the certification. Review the firm that conducted the audit. Also make sure the outsourcer follows your industry's best practices and the compliance guidelines of your home country, and that it has a real understanding of them. Does the company live and breathe U.S. HIPAA or Payment Card Industry standards, which apply to health care and credit card data, respectively?

Under PCI, a company must ensure that third parties it hires adhere to the requirements. Often overlooked areas when using offshore companies are enforcing proper access controls and network segmentation. With offshore firms servicing multiple clients, a company must fully ensure that no administrative networks span clients and jeopardize data privacy.

With 802.11n, wireless becomes viable for critical network connectivity. Better get prepared.

When planning a controls strategy, a company must take the time to assess the data type and where it originated. Bridget Treacy, a London-based lawyer with the U.S. firm Hunton & Williams, routinely advises clients on the European Union's data privacy requirements, which are among the toughest. U.S. companies may opt into a Safe Harbor program to meet EU requirements, which can carry over to data being offshored.

Subcontractors present another operational risk to data privacy and compliance. If an offshore partner is using a third-party firm, it should be audited with the same vigor as the primary offshore company.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
How CIO Roles Will Change: The Future of Work
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
Flash Poll