Security Manager's Journal: Indian Audit Comes With a Silver Lining
An assessment of a partner in India turns up some problems, but they're small, and the auditor's a keeper.
Computerworld - Trouble Ticket
Issue: Audits of offshore partners are expensive but necessary.
Action plan: Give a tryout to an India-based auditor.
As my company increases its partnerships with offshore providers, the need for security audits rises. Ive just conducted one whose results could have been better, but theres a silver lining.
For some time, our offshore partners have helped with source-code production and design documentation, as well as the manufacture of some of our products. More recently, the IT department has outsourced portions of our help desk, systems administration and application development functions.
One of my main concerns is that our partners comply with certain requirements before they can connect to our network. The policy mandates patches, virus protection, network segmentation and intellectual property protection. Such policies are necessary, but issuing them doesnt guarantee compliance. Thats why audits are necessary.
I audit most of our partners once a year and high-risk partners every six months. It can get expensive, so I decided to follow my companys example this time and do some offshore outsourcing. I started with India.
I recently hired a consultant in the U.S. to perform a three-day assessment. He charged $8,000. A similar assignment in India using a local consultant would cost $1,000. The savings are obvious, even before travel costs are factored in. The question was whether the work would be of comparable quality.
I collected several résumés and conducted telephone interviews, finally settling on a consultant willing to travel all over India. He could perform not just the pending audit but those of our many Indian partners.
The assessment was of a partner with about 25 engineers doing design documentation. We havent worked with this partner for very long and had yet to audit it. Since this partner is fairly small, an audit of its operations seemed like a low-risk way to evaluate the consultants performance. He performed flawlessly, preparing a meaningful report.
As for the partner, its failings were the result of a catch-22. The partners only permissible access is via a VPN tunnel to our corporate offices so the engineers can communicate with the design documentation server. The engineers check out design documents, work on them and then check them in when theyre done. According to our policy, the partner cant back-connect to its own company network.
Heres the catch: One of my requirements is that partners keep their systems current with antivirus updates and patches. The security audit discovered that the 25 desktops hadnt been patched in almost a year. That sounds bad, but weve seen this problem before. Windows Update and Symantec antivirus definition updates require Internet access.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- X-Ray of the PCI Process-4 Proactive Steps
- This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts