Best Practice Three:Lock Down the Infrastructure
From the moment CNA began sending BPO and software development work offshore in 2002, it took full control of the computing infrastructure at its outsourcers. CNA configured servers, laptops and PCs in the United States with all the software that CNA's outsourcers' employees would use. CNA sent staff along with the computers to set them up in India and connect them with CNA's dedicated network connection. Firewalls at the provider location and back in the US help prevent any viruses on the local network at the provider, or from the network back home, from getting through to the hardware. When the outsourcer's employees log in to the CNA network, software and security updates are automatically loaded onto their machines from CNA after a process of software inventorying and validation has taken place.
New virtualization software from Microsoft and VMware takes this control to a new level. CNA uses VMware's ACE software to create an image - in effect, a working duplicate - of a secure CNA desktop on a CD that it sends to the outsourcers, which load the images on their own servers and PCs. Employees working for CNA double click on the image's icon on their machines, the CNA desktop appears, and the image takes control of the PC and its peripherals. Employees cannot copy anything onto the encrypted CNA desktop nor take anything from it. The images can be set to lock out peripherals like USB flash drives. They can also be set to disappear from the computer on a specified date - handy if the employee leaves or the development project ends.
The images also help the offshore provider save money because it can load multiple images onto a single machine. The images give offshore employees more control. They can do CNA work without being connected to the CNA network, and if CNA allows it, they can still use the PCs for their own internal e-mail. "It used to be that employees would have to log out and go to a different computer to enter their time sheets or do e-mail," says CNA's Sysol. "Now they can do it on their own machines."
Best Practice Four:Audit Processes and Facilities Regularly
An outsourcing contract is like a diplomatic treaty. Trust is present, but it's vital to verify you're getting what your agreement calls for.
BNSF conducts independent audits of its offshore contractors' security processes once per quarter, according to Bonjour. The company also does an independent review of access rights that the offshore employees have to applications on BNSF's and the providers' internal networks to see if the employees are able to go where they shouldn't or if they have moved on to a new project and still have access to the systems they used to work on.
There are standards to help guide the audit process, such as the International Organization for Standardization (ISO) 17799 standard and the Statement on Auditing Standards Number 70, Service Organizations (SAS 70 Type II).
Yet because of the extra effort and expense of external audits, offshore providers may resist them, says Tatum Partners' DeLaCastro. "If each customer has the right to audit, and each demands specific security measures, it becomes a thousand variations on a theme and takes away from the providers' ability to standardize practices and swap people in and out from one customer to the next," says DeLaCastro. It's better to set up audits before a contract is signed; done after the fact could cause the provider's costs to rise.
Auditing should cover physical security too. It's important to tour the building where the work is done and make sure it is secure. "Big-name providers will put you in a modern, secure building, but you have to make sure that the work will actually be done in that building," says DeLaCastro. Old buildings may not be earthquake resistant or have reliable power supplies, fire suppression systems, or alarms tied to police and fire headquarters, he says. The provider should also show you a backup facility where work will carry on if the primary site has a problem.
In addition, your offshore employees should not share space with employees working on other customer accounts. There should be a physical barrier to the work area with pass-card entry and video surveillance of employees and maintenance staff. At the end of each day, any memos containing sensitive information should be destroyed. And devices such as mobile phones, pagers and PDAs that can record or send information should be prohibited.
Most countries do not have easily obtainable information access, which means that it can be difficult to do independent background checks on offshore employees, verify past employment, search for criminal records or do the other kinds of checks considered routine. Consider hiring a security consulting firm to check out references independently.
Lastly, look in the mirror. If you demand extraordinary precautions from your offshore vendor, make sure you maintain good security practices at home. "If you run a slovenly shop here, then you will run a slovenly one offshore," says Richard Isaacs, vice president of security consultancy Lubrinco Group.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.