Out-Law / Your Daily Need-To-Know

While there may be benefits for enterprises that implement an outsourcing strategy, companies must identify and manage the security risks before they sign any agreement, according to researchers at Gartner.

"The key to successful and secure outsourcing agreements is understanding the security and privacy risks for a business process, application or technology function early in the outsourcing decision process," said Kelly Kavanagh, senior analyst at Gartner.

Kavanagh explains:

"An enterprise's security staff should be at the table from the start of the process and throughout the life cycle of the outsourcing deal. The security staff should be included in the operations management functions, working with the vendor's delivery management staff, as well as the strategic planning function where standards, architecture and integration decisions are made."

Gartner analysts recommend that large enterprises audit prospective enterprise service providers (ESPs) to ensure that the policy and controls around the outsourced functions or systems meet the enterprise's security standards. Enterprises that can't take on the task of conducting a security audit should require ESPs to provide evidence of an audit by an independent third party.

"When audits aren't available, enterprises should use scanning tools or services to ensure that the ESP does not have vulnerabilities in the applications and network gateways facing the Internet," Kavanagh said. "Even when audits are available, periodic scanning of the ESP is necessary to ensure baseline profile is maintained."

Security and privacy-related issues come from several directions. Enterprise security groups establish security frameworks, industry-specific regulations, requirements for additional processes, controls and reporting. Customers and partners bring additional requirements for confidentiality, availability and access controls.

"Outsourcing decisions require careful analysis of what requirements must be extended beyond the enterprise, and planning to verify and monitor the ESP's ability to meet them," Kavanagh said. "Offshore outsourcing requires even greater care in several areas, such as the degree of governmental access to, or control over, the service provider, as well as over the customer's data."
