An organization should outsource IT security to minimize cost or expenses. Some of the issues involved when you turn over IT security to an outside organization are: (1) total dependence/exit barriers, meaning the organization becomes completely reliant on the outsourcing firm, and problems arise when the outsourcing relationship ends; (2) physical information system security, meaning the organization loses control over physical security, since security is now the responsibility of the outsourcing firm. By outsourcing, the organization gives up control over physical access to its system, the location of the system, and the frequency and location of system backups; (3) legal consequences, arising from the lack of a fiduciary relationship between the organization and the outsourcing firm and from the increase in liability that may result when an outsourcing relationship is created; (4) logical information security/confidentiality/privacy risks, meaning the loss of confidentiality and privacy the organization experiences when it hires an outsourcing firm; and (5) human resource issues, resulting from the change in employee skill sets that an organization experiences when it chooses to outsource and the possible negative consequences caused by this shift in skill sets.
When outsourcing, some of the stipulations to include in a service level agreement with an IT security outsourcer, to ensure that it does not exploit the openness of the company’s systems and steal strategic and sensitive information, are: (1) data security program: maintain a comprehensive program with appropriate safeguards, procedures and controls for the protection of customer data; (2) legal/regulatory compliance: comply with all existing and future data privacy and security laws applicable to the services; (3) customer policies: comply with the customer’s written policies and procedures relating to data privacy and security, as they may evolve and change over time; (4) industry standards: comply with industry standards and practices as they evolve and change over time; (5) location of customer data: process, store and transmit customer data only in jurisdictions authorized by the customer; and lastly, (6) access to/use of customer data: use customer data solely to provide the services under the agreement, and limit access to customer data to supplier personnel and subcontractors on a “need to know” basis.