News Archive

Data Tips

by msecadm4921

The Sun’s report (June 23) about outsourced customer data being sold in India has prompted a claim that enterprises need a strategy for ensuring that the security standards they place on their own corporate data are also applied by the companies they partner with across the globe to process their customers’ financial and personal information.

Paul Henry, Senior Vice President of CyberGuard Corporation, a US internet security firm, has a list of recommendations for firms to ensure that their customer data is not compromised and they can continue to enjoy the benefits of outsourcing critical data to the right partners.

What they say

Mr Henry said: "I am appalled at the apparent disregard for network security we are seeing in offshore outsourcing firms. One can only assume that part of the cost savings that European firms who choose to outsource are benefiting from is due to the reduced expenses the outsourcing partners have in not having to meet the same security standards as European organisations. In view of the lower wages and hence lower cost in outsourcing one must also consider that the cost to potentially compromise an individual’s integrity is also proportionally lower with that same outsourcing partner. In light of this consideration clearly the security controls set in place for an outsourcing firm must be more stringent than those that would have been in place had the organization kept the task in house. First, as we recommend to companies across the globe, a strong security policy must be put in place and followed vigorously. Then you must be extremely careful to ensure that the companies you outsource data to fully support the policies, procedures and technical safeguards you have put in place to protect your client’s personal information. A chain is only as strong as its weakest link – don’t let your outsourcing partner become your weak link. This goes beyond perimeter security to include physical security as well as both access and application controls. We are starting to see this problem in India, and unless enterprises are diligent protecting their data it will explode out of control like identity theft."

His recommended tips:

Firms that outsource their data to call centers should ensure that the security policy, procedures and technical safeguards used by the outsourcing partner are equal to or better than their own;

Both regular and random risk assessments should be carried out on the call or outsource center, especially if it is located in a high commercial risk area geographically where bribery and corruption are endemic. Risk assessments should cover all 10 domains of network security and should not be limited to gateway security.

At the call center the following should be done:

Encrypt all data in storage and in transit;

Physical security controls should be in place to mitigate the risk of data leaving the facility via magnetic or optical media, recording devices, cameras and hard copy;

Ensure that all data sent in and out is monitored or even prevented, by email, web mail, FTP, data and file transfer websites (by controlling website access); only essential internet communication should be allowed;

At the desktop, prevent any unauthorized data entering or leaving the network via USB (USB sticks) and FireWire devices (i.e. iPods), CD, DVD, floppy drive, SCSI, parallel or any of the other ports;

All employees should be vetted for criminal records and credit history to see if they are a high security risk. Simply put, if you cannot manage your own finances you should not be entrusted to manage the financial records of others.


© 2024 Professional Security Magazine. All rights reserved.
