How to keep data safe when outsourcing offshore

 


July 28, 2005 (Computerworld) -- As U.S. businesses, policy-makers and security experts work to stem the tide of data thefts, an equal or greater vulnerability lurks overseas -- the level of network and physical security at outsourced operations of U.S. corporations.
Cheap labor and increased efficiencies continue to drive major U.S. companies to open and expand offshore operations throughout India, Southeast Asia and Europe. India's National Association of Software and Service Companies reported recently that India's outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing at more than 40% annually. Analyst firm Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007.
Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, exposing outsourcing facilities to the same risk of data theft that exists domestically. As U.S. companies increase operations abroad, many aren't ramping up IT or physical security measures at these locations to manage that growth.
To prevent data breaches of the magnitude seen in the U.S., companies must implement strategies to ensure that the security standards they apply to their own corporate data are also required of the companies they partner with across the globe to process their customers' financial and personal information.
Several factors magnify the risk of data thefts occurring at outsourcing locations. First, when it comes to outsourcing, U.S. privacy legislation is quite lax relative to European Union regulations. Here, U.S. privacy protections effectively end at the border, placing the onus squarely on the shoulders of the U.S. company if a data breach occurs offshore.
In sharp contrast, European consumers are afforded considerably greater protection by an EU law that permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protection and that have been found to have strong enforcement capabilities.
Similarly, some of the leading outsourcing destinations, such as India, China, the Philippines, Malaysia and Pakistan, lack sufficient privacy legislation. For example, the University of California, San Francisco, Medical Center had a contract with an in-state company to transcribe the dictated notes of doctors and other health care providers. The company, Transcription Stat in Sausalito, Calif., subcontracted the work to a Florida firm that then subcontracted it to a Texas outfit that ultimately hired someone in Pakistan to transcribe the notes, according to the university. Last fall, the medical center received an e-mail from the Pakistani transcriber claiming that she had not been paid and threatening to publicize personal medical records. A partial payment was made the following day, and the transcriber never publicized the information.
India also comes up short with regulations on personal privacy and data. India's Information Technology Act 2000 remains silent on the issues of privacy, protection and regulated use of data. The act in its existing form covers only unauthorized access and data theft from computers and networks with a maximum penalty of about $220,000 and doesn't have specific provisions relating to data privacy. Indian law doesn't cover data interception and computer forgery at all. Thus, data-protection issues primarily remain in an unregulated Indian environment.
Given the lower wages at outsourcing partners, one must also consider that the cost of compromising an individual's integrity there is proportionally lower. The security controls set for an outsourcing firm must therefore be more stringent than those that would have been in place had the organization kept the task in-house.
There are several steps U.S. companies can take to secure their outsourcing operations abroad and protect customer data.
First, as we recommend to companies across the globe, a strong security policy must be put in place and followed vigorously. This goes beyond perimeter security to include physical security as well as access and application controls. In addition:

  • Companies that outsource their data to call centers should ensure that the security policies, procedures and technical safeguards used by their outsourcing partners are equal to or better than their own.

  • Both regular and random risk assessments should be carried out at the call or outsourcing center, especially if it's in a commercial high-risk location where bribery and corruption are endemic. Risk assessments should cover all 10 domains of network security and shouldn't be limited to gateway security.

At the outsourcing facility, the following should be done:
  • Encrypt all data in storage and in transit.

  • Physical security controls should be in place to mitigate the risk of data leaving the facility via magnetic or optical media, recording devices, cameras and hard copies.

  • Ensure that sending any data in or out is monitored or even prevented for e-mail, Web mail, FTP, and data- and file-transfer Web sites (by controlling Web site access). Only essential Internet communications should be allowed.

  • At the desktop, prevent any unauthorized data from entering or leaving the network via Universal Serial Bus (such as USB sticks) and FireWire devices (such as iPods), CD, DVD, floppy drive, SCSI, parallel or any of the other ports.

  • Each employee should be vetted for criminal records and credit history to see if he poses a high security risk. Simply put, if you can't manage your own finances, you shouldn't be entrusted to manage the financial records of others.

A chain is only as strong as its weakest link, and unless U.S. companies shore up security at outsourcing locations, operations across the entire company will be put at risk.
Paul Henry is senior vice president of CyberGuard Corp., a global provider of security solutions based in Boca Raton, Fla. He has more than 20 years' experience with security and safety controls for high-risk environments. In addition to his CISSP certification, Henry holds many other security certifications, including MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISM, CISA and CIFI.


