Offshore Outsourcing - How Secure?
Rewards Outweigh Risks When Deals are Done Right
Most companies -- increasingly small to mid-size financial institutions -- outsource work at some point or another, to some place or another.
Offshore development has traditionally focused on application development and maintenance that does not involve access to live production systems or data. However, on the security side, outsourced services have become popular in the last couple of years.
Today corporations are looking to outsource core operations, ranging from managed services such as intrusion detection and firewall monitoring to security assessments and email security, provided that the management of security, privacy and risk practices can be adequately addressed. Given the obvious benefits of outsourcing and offshoring, the practice has become a part of business in financial services.
But what about risks and rewards?
"As with any activity there is a certain level of risk associated with taking any segment of organization operations 'out of house,'" says Thomas Festing, a senior executive within Crowe Chizek's Risk & Security management team.
The more obvious risks relate to international issues associated with data privacy, legal/regulatory considerations, the ability to ensure consistent governance, and international mergers/acquisitions. This has created the need for a consistent team that must ensure continuity. As with any market-driven business decision, there is the need to increase metrics to monitor for cost, performance and quality. There is also a need which should include both an entrance and exit strategy. Technology and political infrastructure risks associated with connectivity and recoverability must also be evaluated.
"The rewards are also multi-faceted," Festing says. A global presence provides greater support to a globalized economy. "Well-planned offshore strategies provide for a continued support structure within the local environment, as well as providing the manufacturing/development of products closer to the end location," he says. "There is also the cost structure which continues to be a strong consideration for many organizations."
Requirements for selecting an outsourcer for security projects are usually assessed based on standard service level agreements (SLA), key performance indicators (KPI), and enterprise risk assessment processes.
Regarding the legal ramifications of outsourcing a project offshore, in terms of the employee hiring/training process, background checks, etc., Festing says, "The impact is immense, as it requires a unique understanding of the environment and legal structure (both domestic and internationally). The far-shoring team must include not only the business lines - but also HR, legal, training, and in some situations - a local firm to assist in coordination. These items should be factored in when assessing offshoring alternatives."
Work is underway to examine offshore security, privacy and business continuity issues associated with offshore management of onshore applications. BITS (a non-profit industry consortium whose members are 100 of the largest financial institutions in the United States) has initiated the Financial Institution Shared Assessments Program, which is a new process for financial institutions to evaluate the security controls of their IT service providers. Launched in February 2006, the program today has more than 50 member companies, including 15 major financial institutions.
The Financial Institution Shared Assessments Program:
- Provides major efficiencies and cost savings to financial institutions and service providers.
- Is a more efficient alternative to existing service provider assessment methods.
- Helps financial institutions align service provider testing with industry regulations.
The Financial Institution Shared Assessments Program includes two freely available documents, the Agreed Upon Procedures (AUP) and the Standardized Information Gathering questionnaire (SIG).
Also, the Financial Services Technology Consortium (FSTC) is currently working with other financial services groups to provide guidelines to institutions on overseas production support and means of reducing offshore risks.