Security Manager's Journal: Indian Audit Comes With a Silver Lining

Computerworld - Trouble Ticket
Issue: Audits of offshore partners are expensive but necessary.
Action plan: Give a tryout to an India-based auditor.

As my company increases its partnerships with offshore providers, the need for security audits rises. Ive just conducted one whose results could have been better, but theres a silver lining.

For some time, our offshore partners have helped with source-code production and design documentation, as well as the manufacture of some of our products. More recently, the IT department has outsourced portions of our help desk, systems administration and application development functions.

One of my main concerns is that our partners comply with certain requirements before they can connect to our network. The policy mandates patches, virus protection, network segmentation and intellectual property protection. Such policies are necessary, but issuing them doesnt guarantee compliance. Thats why audits are necessary.

I audit most of our partners once a year and high-risk partners every six months. It can get expensive, so I decided to follow my companys example this time and do some offshore outsourcing. I started with India.

I recently hired a consultant in the U.S. to perform a three-day assessment. He charged $8,000. A similar assignment in India using a local consultant would cost $1,000. The savings are obvious, even before travel costs are factored in. The question was whether the work would be of comparable quality.

I collected several résumés and conducted telephone interviews, finally settling on a consultant willing to travel all over India. He could perform not just the pending audit but those of our many Indian partners.

The assessment was of a partner with about 25 engineers doing design documentation. We havent worked with this partner for very long and had yet to audit it. Since this partner is fairly small, an audit of its operations seemed like a low-risk way to evaluate the consultants performance. He performed flawlessly, preparing a meaningful report.

As for the partner, its failings were the result of a catch-22. The partners only permissible access is via a VPN tunnel to our corporate offices so the engineers can communicate with the design documentation server. The engineers check out design documents, work on them and then check them in when theyre done. According to our policy, the partner cant back-connect to its own company network.

Heres the catch: One of my requirements is that partners keep their systems current with antivirus updates and patches. The security audit discovered that the 25 desktops hadnt been patched in almost a year. That sounds bad, but weve seen this problem before. Windows Update and Symantec anti­virus definition updates require Internet access.