Most businesses have a significant amount of sensitive information, including trade secrets, business plans, and proprietary business knowledge.
Safeguarding critical business information is a concern, even in the United States. Threats to information security, such as theft by company insiders, former employees, and computer hackers, abound.
Offshore outsourcing presents different and in some cases more potent threats than the domestic variety.
Legal standards and business practices governing whether and how sensitive information should be guarded vary around the world.
Some industry groups, such as banks and financial services firms, have developed stringent guidelines for organizations to follow to secure their proprietary information.
The Bank Industry Technology Secretariat (BITS), for instance, released security guidelines as an addendum to an existing framework for managing business relationships with IT service providers.
The BITS goal is to help financial services firms streamline the outsourcing evaluation process and better manage the risks of handing over control of key corporate systems to vendors.
The BITS IT Service Providers Working Group developed the BITS Framework for Managing Technology Risk for IT Service Provider Relationships (Framework) in 2001.
Although the original Framework provides an industry approach to outsourcing, additional regulatory and industry pressures and issues have emerged.
To address these changes, the Working Group updated the Framework with further considerations for disaster recovery, security audits and assessments, vendor management, and cross-border considerations.
The Framework is intended to be used as part of, and as a supplement to, the financial services company’s due diligence process associated with defining, assessing, establishing, supporting, and managing a business relationship for outsourced IT services.
The U.S. Federal Trade Commission (FTC) has developed the so-called Safeguards Rule to govern the security of customer information as it is used and managed by domestic firms.
These rules implement the provisions of the Gramm-Leach-Bliley Act, which requires the FTC to establish standards of information security for financial institutions.
Penalties for failure to comply with FTC rules are up to $11,000 per violation (which may be assessed daily) and exposure to lawsuits claiming any harm to customers as a result of noncompliance.
The Health Insurance Portability and Accountability Act (HIPAA) has led to a host of security risk management concerns for health care institutions that outsource processes that require electronic transmission of patient information.
Passed in 1996, HIPAA is designed to protect confidential health care information through improved security standards and federal privacy legislation.
It defines requirements for storing patient information before, during, and after electronic transmission.
It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, disaster recovery plans, and information access control and encryption.
There are 18 information security standards in three areas that must be met to ensure compliance with the HIPAA Security Rule. The three areas are as follows:
1. Administrative safeguards. Documented policies and procedures for day-to-day operations; managing the conduct of employees in relation to the protection of electronic protected health information (EPHI); and managing the selection, development, and use of security controls.
2. Physical safeguards. Security measures meant to protect an organization’s electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion.
3. Technical safeguards. Security measures that specify how to use technology to protect EPHI, particularly controlling access to it.
The most effective information security risk management strategy is to adopt and comply with best practices and standards.
Tort law in the United States defines four elements that determine whether a firm may be found liable for information security lapses: duty, negligence, damage, and cause.
Duty refers to whether the organization has a responsibility to safeguard information. That duty is not in doubt in today’s security-conscious environment.
Negligence refers to an outright breach of the duty to safeguard information. It asks: “Is there evidence that the organization did not fulfill its duty of care?”
Damage refers to whether there is harm to someone (the plaintiff) as a result of negligence. Cause refers to the question of whether the negligence led to or was the primary cause of the damage.
To manage the information security risk, business process outsourcing (BPO) vendor organizations should adopt and be able to prove compliance with global best practices and standards.
Many firms turn to managed-security providers (MSPs) to assist them in managing this risk. Good MSPs provide valuable analysis and reporting of threat events, supplementing the efforts of in-house security personnel.
They do this by sifting through vast amounts of data with the goal of uncovering, identifying, and prioritizing security vulnerabilities that must be addressed. The best MSPs provide BPO buyers with the following:
• The ability to compare and correlate multiple monitoring points and to distinguish between false positives and actual threats
• Skilled experts on duty around the clock to assess and react to each threat in real time
• The ability to combine existing technology with expert analysis to look for anomalous behavior
• The ability to develop custom monitoring for specific networks or systems, including the development of an “attack signature” for each new vulnerability threat
Using a third party to manage information security helps relieve the organization of information security concerns, but it does not remove liability if there is a security breach.
Liability cannot be transferred to a third party unless the buyer invests in appropriate insurance policies.
A good source of security risk management guidelines, policies, and best practices is the SANS Institute Web site at www.sans.org.
The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization.