Security's Input on Outsourcing
When your company starts to consider the outsourcing option for a particular function, does the security department get involved in helping management make the right decision? For many security professionals, the answer is that they have no role in the process of selecting External Service Providers (ESPs) unless it involves the outsourcing of a security function. Yet, once you begin exploring the risks that outsourcing could bring to your organization, you will learn that security has an essential role to play even where the outsourced function is not a security service.
Today, the majority of security professionals get involved in due diligence for outsourcing only when invited by managers from other departments such as human resources, IT, and risk management. Through such invitations, security professionals get to work at the same time with their counterparts from the corporate privacy office, information security office, legal department, and other corporate groups.
Each participant in the due diligence process is required to complete a comprehensive review of the potential ESP by applying his or her expertise in a specific field. It is at such critical junctures that the opportunity to establish the framework for all future due diligence projects arises. And if a security professional becomes involved in the process, his or her contribution can help the organization minimize risk and ensure that future outsourcing strategies rely on baseline security standards.
Currently, due diligence for outsourcing is being handled primarily by business and corporate groups. But these groups have limited expertise in evaluating security risks, and cannot, therefore, reliably determine whether an ESP can, for example, be entrusted to protect a company’s customer data as required by new federal regulations.
Adequate due diligence for outsourcing cannot be completed without a comprehensive security assessment of the ESP, from its physical site layout and background screening practices to its emergency management processes and security awareness programs (new-hire and ongoing). It takes a security professional to perform such an assessment.
For example, in one organization clients from around the world contacted a company through its call center. The security manager was asked to review a potential service provider for “over the phone” and document-translation services. During the review, security identified that this service provider would handle sensitive customer information.
The service provider had operations in several countries with limited capabilities to conduct background investigations, and it used staff that worked out of their homes. The company did not have adequate information-protection training programs.
After considering such facts, the security manager was concerned. A company that cannot guarantee the integrity of its international staff due to lack of background screening and that does not have a documented information-protection training program poses a significant risk from both internal and regulatory compliance perspectives.
The security manager knew that if this company were hired and later compromised the information of the organization’s clients, both the ESP and the company could be liable for violating federal rules about protecting personal data.
While the security department has a valuable contribution to make, it is only one member of the due diligence team. The team should be headed by a project manager who will coordinate the due diligence activities of everyone on the team. This manager will also be responsible for overseeing everything from project initiation to execution of the contract. Other team members may include the following:
Privacy officer. This person will assess the ESP from the regulatory compliance perspective. The corporate privacy expert will be an invaluable resource throughout the entire project and will explain to all internal participants the corporate approach to various privacy-related issues.
Computer security. The IT security professional will conduct a comprehensive assessment of the ESP’s computer network security, including but not limited to intrusion detection, change control, and electronic data transfer protocols. Often, the duties of the computer security expert and the corporate security expert will overlap. For example, both may get involved in assessing the ESP’s security awareness program and emergency response plans.
Most ESPs still do not understand that they are obligated to have separate plans for both computer and physical emergencies. Oftentimes, security managers find that ESPs do not have a corporate security professional who can intelligently address security issues beyond computer security. Instead, I end up discussing such issues with the ESP’s computer security experts. Sometimes, this is the first sign of the ESP’s poor approach toward security.
Legal counsel. The corporate attorney is responsible for crafting the contract to formalize the outsourcing engagement. Standard ESP contracts typically contain provisions that benefit the ESP and not the client. This is especially the case with indemnity and employee screening clauses. The corporate attorney can make sure that the company’s interests are addressed by drafting a separate contract.
Business continuity. Most companies have someone responsible for business continuity (BC). That person should also be responsible for analyzing the ESP’s BC plans.
It is worth noting that most ESPs still cannot distinguish between emergency plans and business continuity plans. Therefore, they may rely on business continuity plans to address emergency situations. That approach is potentially risky, since such plans are not designed to address the emergency itself or the first actions needed to protect personnel, facilities, and other critical assets. Rather, business continuity plans are crafted under the assumption that the safety of personnel and specific assets has already been established.
Risk manager. This person advises the company on the overall risk of doing business with the ESP. Such advice will be based on feedback from all team members. This overall picture helps management make use of the team’s work.
Once the due diligence team is established, it should meet periodically, independent of any specific ongoing projects. During these meetings, members can share ideas on the pros and cons of outsourcing any functions that are currently provided in-house. Such discussions should go beyond the financial gains related to outsourcing, as such gains often become the only driving factor for selecting an ESP.
Requirements of engagement
It is important that each expert on the due diligence team develop specific baseline requirements that can be shared with every ESP. It is also important to recognize what functions are being outsourced more often and to create operational standards for such functions. Doing so makes it easier to hold the ESP accountable for any aspects of their operation that do not meet the company’s standards for a specific function.
For example, IT outsourcing often involves data center operations. Since this type of operation is at the heart of the company’s computer infrastructure, it is crucial that the ESP’s data center operation meet all the standards of the company. In particular, physical security of the data center is essential for mitigating foreseeable risks.
Call center operations also require a unique due diligence approach. Most call centers employ an open-space model, where the call center staff occupies a large open floor and may handle calls for several clients at the same time. Protecting your company’s proprietary and customer information may be difficult at best.
Your due diligence team can set restrictions on access to your proprietary and customer information. Having a set of security standards for call center operations (from physical access control to incident reporting) will guide the ESP to enhance security within its operation and limit your company’s exposure to risk.
Similarly, a separate set of security and operational standards is required for ESPs that provide check-processing services. By setting specific standards for check processing, the due diligence team can make sure that the risk of financial and reputational loss is limited.
Another critical function is human resources. Since this function is responsible for processing most personal information, a full due diligence process must be undertaken to carefully assess all the risks involved in outsourcing these tasks.
Regardless of the function the company is looking to outsource, the due diligence team will have to ascertain whether the ESP’s service package includes the use of subcontractors. If so, due diligence must be performed not only for the ESP but also for its subcontractors.
For example, one security manager was asked to evaluate a potential ESP that offered a Web-based tool to enhance certain corporate functions. It became apparent that the ESP was a small company with few employees and a limited policy framework. This company used a colocation provider to house its servers. The colocation provider then outsourced its facility security to another local provider.
While conducting his initial review, the security manager realized that neither the ESP nor the subcontractors had adequate background screening policies and procedures. Additionally, there were no documented procedures for physical access to the servers housing client information.
What struck the security manager most was that the ESP did not understand the need for strict access control procedures to the server equipment. The ESP relied on the colocation service to protect this equipment without any formal documentation behind it. The security manager convinced the ESP that it was in its own best interest to protect such critical equipment from unauthorized access attempts and to keep detailed access logs at the colocation facility in addition to other physical and electronic access controls.
The manager also found that the background screening practices in use at the ESP and its subcontractors were substandard. Companies should establish strict requirements for these checks that the ESP and its subcontractors will have to meet.
These issues are important even if the liability clause in the contract ostensibly protects your company by holding the ESP responsible and accountable for its subcontractors. Just remember that the ESP may indemnify your organization financially, but your company’s reputation and customers’ trust are still on the line.
The due diligence team should also perform some benchmarking to determine what other comparable businesses are doing with regard to assessments of ESPs. This study may turn up some best practices, or it may show that the company is ahead of the curve with its comprehensive due diligence process—perhaps a good selling point that the company can use with its own client base.
Out-of-country outsourcing (often called “offshoring”) presents many due diligence challenges. For example, India, one of the marquee players in outsourcing, has almost no legal or cultural structure for thorough background screening. The risks associated with outsourcing functions to India came to life with the fraud committed by former employees of an Indian company that serviced a major U.S. bank. The criminals used their former employer’s records for bank customers and transferred more than $300,000 from customer accounts.
In the world of international business, $300,000 may be a drop in the bucket, but it is not the amount that is of importance here. The risk lies in the loss of reputation for the client. The problem is that Indian companies have not generally established programs where background screening (both before and during employment) plays a major role.
All countries have their own sets of risks. Outsourcing check processing and production to a company in Nigeria (a hotspot for international fraud) would probably bring more harm than positive results. Corporations should employ attorneys who are well versed in matters of international law and arbitration to identify such potential liability issues.
In addition, it is important to build strong liaisons with international organizations that specialize in geopolitical research and intelligence. Without geopolitical analysis, luck is your organization’s only option for success with offshoring.
As this discussion shows, outsourcing carries many risks that companies must carefully examine before they enter into any agreements. Security professionals can play an important role in this process by bringing their risk assessment expertise to the table.
Ilya A. Umanskiy, PSP, is an associate with Kroll Inc., in New York City. Umanskiy has conducted hundreds of due diligence assessments and helped establish and write guidelines for a corporate due diligence program at a Fortune 100 company in the financial services field.