8 Steps of Information Security Management for IT outsourcing

Oct 21, 2016 20:36

IT outsourcing is an ongoing worldwide trend that grew steadily through the 2008-2009 economic crisis and is one of the smart business solutions in a global economic recession. The expanding number of IT outsourcing software development providers is another factor in the market's growth. Most enterprises now deal with several IT outsourcing companies simultaneously, an example of the multi-outsourcing model. A very small percentage of these companies are dissatisfied with their collaboration with IT outsourcing providers, mainly because of unrealistic expectations from client-side management and owners, missed deadlines for introducing outsourcing, and a lack of project management on the client side.

The most important criterion for choosing a provider is the cost of its services. However, risk management also depends on the following factors:

  • Reputation
  • Market experience
  • Specific expertise

The fundamental principle of moving processes to IT outsourcing is to maintain their stability, and the main disadvantage of IT outsourcing is the weakening of information security. This can be partially or fully addressed by encrypting client data and managing access to it. Reliability risks to the main business processes come from the contradictory requirements of lower process costs and higher process stability. A documented agreement, covering for example software quality assurance, is the solution to these points.

The main advantages of IT outsourcing are:

  • Higher level of services
  • Reduction of IT infrastructure expenses
  • Collaborative management of process operational risks
  • Engage external investments for defined tasks
  • Focus on key business process

Every point above is achievable provided the client understands that an outsourcer needs to be managed at every stage of the project life cycle. The outsourced process is inextricably linked to the main business process, so for everything to work properly all the interfaces between the company's own processes and the outsourced ones must be created, regulated and controlled.

Critical material losses can be caused by poorly organized information protection in an IT outsourcing arrangement, so it is crucial for a client to be aware that information security is an extra cost of process outsourcing. One of the key requirements is a tool-supported system for managing information security risks, aimed at minimizing their consequences or preventing them entirely, together with a technological infrastructure designed to prevent critical technological failure. Building an effective information security management system alongside IT process outsourcing is not a one-time project but an ongoing process aimed at minimizing internal and external threats within the available time and resources.

A generalized process of information security management provided by Adoriasoft can be set as the following sequence:

  1. Description of company IT processes
    This is the initial stage, in which processes are described so that they can be classified by how critical they are to the company's business and a tender for IT outsourcing providers can be held. To make this possible, the descriptions need to include entry and exit points, process owners and information streams. The most common methodologies are ARIS and IDEF.
  2. Classification of company processes according to their degree of criticality for the business in general
    Process description and classification are based on the ITIL and COBIT standards. To understand which IT processes can be safely outsourced, it is essential to analyze what information passes through them and how important it is to the business. From this point of view business information can be classified as:

    • Trade secret
    • Restricted
    • Public
  3. Definition of company IT process outsourcing model
    This phase is where a choice is made between the evolutionary and revolutionary outsourcing models. You will need an internal IT outsourcing department if your IT tasks are closely connected with the rest of the company's departments. But if the requirements for the IT processes are formalized, or can be made so, it is usually reasonable to engage an external IT outsourcing provider.
  4. Selecting a process to outsource
    This is the selection of the foreground IT processes to outsource: those that involve mostly public and only some restricted data.
  5. Definition of requirements to IT outsource provider
    A system's resistance to unauthorized access is determined by its weakest component. This is why it is important to take into account the entire system development process and provide the required level of IT security at each stage. The technical requirements for information security are:

    • Protection of data transmission channels
    • Data encryption mechanism
    • Authorization order
    • Information storage order
    • Mechanism for managing information access levels, etc.

    To make the right choice of a supplier the company needs to pay attention to:

    • Years of active expertise
    • Own capacities
    • Technical support level
    • Secure data center
    • ISO 9000:2000 certification
    • Service cost
    • Reputation
  6. Selection of IT outsource provider
    The finalists of an open or closed tender are the IT outsourcing providers that have met all the critical requirements and the largest number of the remaining specification points.
  7. Regulation of two-way agreement for information security
    The cornerstone questions are:

    • Service level agreement
    • Non-disclosure agreement
    • Regulations for access to the capacities and channels rented by the client
    • Regulations for reporting unauthorized access attempts
    • Procedure for monitoring the client's fulfilment of its obligations under the order
  8. Risk management during the IT outsourcing processes
    A risk management process consists of the following subprocesses:

    • Risk collection and identification
    • Risk evaluation
    • Planning of risk management activities
    • Execution of risk management activities
    • Evaluation of information security performance
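Steps 1, 2 and 4 above describe a data-driven selection: describe each IT process with its owner, entry and exit points and information streams, classify it by the most sensitive information flowing through it, and outsource only processes carrying mostly public and some restricted data. The following Python script is an added example of that selection logic; it is not code from the original article or from Adoriasoft. The process inventory is constructed sample data, and the rule that at most half of a process's streams may be restricted is an assumed reading of "mostly public".

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Business information classes from the article, ordered by sensitivity."""
    PUBLIC = 0
    RESTRICTED = 1
    TRADE_SECRET = 2


@dataclass
class ITProcess:
    """Step 1 description: owner, entry/exit points and classified information streams."""
    name: str
    owner: str
    entry_points: tuple[str, ...]
    exit_points: tuple[str, ...]
    streams: dict[str, DataClass]  # information stream -> classification


def process_criticality(proc: ITProcess) -> DataClass:
    """Step 2: a process is as critical as the most sensitive stream passing through it."""
    return max(proc.streams.values(), default=DataClass.PUBLIC)


def restricted_share(proc: ITProcess) -> float:
    """Fraction of the process's information streams classified as RESTRICTED."""
    if not proc.streams:
        return 0.0
    restricted = sum(1 for c in proc.streams.values() if c is DataClass.RESTRICTED)
    return restricted / len(proc.streams)


def outsourcing_candidates(processes, max_restricted_share: float = 0.5):
    """Step 4: keep processes carrying mostly public and at most some restricted data.

    Returns (candidates, rejected). Candidates are sorted least sensitive first;
    rejected maps a process name to the reason it stays in-house.
    The 50% threshold is an assumption, not a figure from the article.
    """
    candidates, rejected = [], {}
    for proc in processes:
        level = process_criticality(proc)
        share = restricted_share(proc)
        if level is DataClass.TRADE_SECRET:
            # Any trade-secret stream disqualifies the whole process.
            rejected[proc.name] = "carries trade-secret data; keep in-house"
        elif share > max_restricted_share:
            rejected[proc.name] = (
                f"restricted share {share:.0%} exceeds {max_restricted_share:.0%}"
            )
        else:
            candidates.append(proc)
    candidates.sort(key=lambda p: (restricted_share(p), p.name))
    return candidates, rejected


# Constructed sample inventory (hypothetical processes, owners and streams).
SAMPLE_PROCESSES = [
    ITProcess("Public website hosting", "marketing", ("CMS editor",), ("web visitors",),
              {"page content": DataClass.PUBLIC, "visitor analytics": DataClass.RESTRICTED}),
    ITProcess("Payroll processing", "finance", ("HR system",), ("bank",),
              {"salary records": DataClass.RESTRICTED, "employee ids": DataClass.RESTRICTED,
               "company holidays": DataClass.PUBLIC}),
    ITProcess("Product R&D repository", "engineering", ("developers",), ("build server",),
              {"source code": DataClass.TRADE_SECRET, "release notes": DataClass.PUBLIC}),
    ITProcess("Helpdesk ticketing", "IT support", ("employees",), ("support agents",),
              {"faq": DataClass.PUBLIC, "ticket text": DataClass.RESTRICTED,
               "kb articles": DataClass.PUBLIC, "status page": DataClass.PUBLIC}),
]


if __name__ == "__main__":
    candidates, rejected = outsourcing_candidates(SAMPLE_PROCESSES)
    for proc in candidates:
        print(f"candidate: {proc.name} ({restricted_share(proc):.0%} restricted)")
    for name, reason in rejected.items():
        print(f"in-house:  {name}: {reason}")
```

The script keeps the helpdesk and website processes as candidates and rejects payroll (two of three streams restricted) and the R&D repository (trade secret). Raising or lowering `max_restricted_share` is the knob a client uses to express how much restricted data it is willing to place with a provider that meets the step 5 requirements.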

Although ensuring information security while moving to process outsourcing is a complicated task, a systematic approach and continuous improvement of the business process analysis and description procedures, together with risk evaluation, make it possible to achieve a significant decrease in IT costs and an improvement in IT services.