At Issue: The firm is outsourcing operations to Vietnam for the first time.
Action Plan: Policies that have worked with other partners around the world are already in place, so just follow the routine.
Computerworld - I'll be traveling again in the next few weeks, this time to Vietnam. We've been outsourcing some of our operations to low-cost nations for years: Russia for source-code development, India for help desk services and China for manufacturing, among others. Vietnam is new to the list, but as I stressed during the meetings about this engagement, there are no special security considerations. We follow the same procedures wherever our partners are located. From my perspective, the only difference is in the local cuisine.
To enhance security as my company works with third parties, I wrote a policy and had it ratified by my CIO. It sets the security requirements for all partner connections, including physical security. It also lays out audit requirements and contains some contractual verbiage specifying the partners' responsibilities. The policy is actually quite simple: Any partner connection to our company's internal network requires my approval, and my approval hinges on successful compliance with our partner connectivity policy.
A first visit to a partner is crucial, since it sets the stage for the relationship. It's my opportunity to demonstrate the importance my company places on the protection of its intellectual property and the integrity of its network. After all, visiting a country on the other side of the world isn't as easy as driving across town.
So here's my agenda for my first visit with any new partner. My company's policy states that a secure connection must be established between the partner and our company. We typically accomplish this via a small Juniper firewall on the partner's premises and a VPN tunnel between it and a much larger firewall at our headquarters or a closer regional office. This allows us to maintain control of all the IP addresses, ports and protocols involved in data traffic between the partner and our internal network.
We also require that all Internet connections be routed through our gateways, not the partner's. We learned about the need to do this the hard way, after various partners' employees used their companies' Internet connections to steal our intellectual property.
We mandate that the partner's systems be logically separated from its company network and that all systems have all the latest patches and employ the leading antivirus software. What's more, no unnecessary security software (such as sniffing, scanning or password-cracking utilities) can be installed on any of the systems.

