Review
As the contract draws to a close, an organization may choose to renew or exit the contract. If the organization chooses to renew the contract and continue its relationship with the service provider, the PMO must evaluate the success of the outsourcing initiative (financial, operational, regulatory, etc.); legal must re-negotiate terms as needed; and senior management must determine whether to renew the contract.
If an organization decides to terminate the relationship with the service provider and re-acquire the functions, it is necessary to manage the transition process. The PMO must plan the transition process; legal must validate IP ownership as defined in the contract; and information security must perform a risk analysis of the functions and processes to be re-integrated into the organization and audit the service provider to ensure all data is retrieved.
Conclusion
Information security has a significant contribution to make to this outsourcing/off-shoring lifecycle. The contributions include but are not limited to performing risk assessments to address confidentiality, integrity and availability of information assets to be outsourced, analyzing the security controls of the short list of service providers and performing in-depth site audits of the selected service provider's security control environment. On an ongoing basis, information security practitioners need to create processes for incident reporting, management and ongoing monitoring for security and compliance purposes.
Failure to involve information security at various points in the outsourcing/off-shoring lifecycle may result in a negative outcome which includes but is not limited to higher costs for retroactive controls implementation, insufficient and non-empirical metrics and performance standards, dispute over intellectual property ownership, not knowing that the service provider had subcontracted the function to another provider, difficulty managing cross border data flow issues and inadequate security of intellectual property.
Organizations need to be prudent in their pursuit of cost savings and efficiencies. The strategies that maximize profit must include risk management and compliance components. Senior management needs to ensure that the potential benefits associated with outsourcing are balanced with the costs associated with risk management. Including security and compliance considerations into the outsourcing lifecycle will ensure that the pitfalls outlined above are avoided.
Simone Seth is a director at Pricewaterhouse Coopers, serving as an industry analyst for the Information Security Forum (ISF). The ISF is an association dedicated to researching leading information risk management and information security business practices in today's global marketplace. Simone is responsible for creating a business presence in North America for the ISF and providing thought leadership and expert consulting services, including forecasting trends in security, privacy, governance and compliance.
Formerly the director for IT Governance & Compliance at Citigroup, Simone was responsible for developing and deploying an IT Governance, Risk Management and Controls Compliance Program to support the Citigroup Technology Services Group (CTSG). Prior to joining Citigroup, Simone was a director at Deutsche Bank, where she served in two capacities concurrently - as the Chief Privacy Officer (CPO) and the Chief Operating Officer (COO) for the global Information Risk Management Program.
Ad Choices
Comments