News
ISF: Companies see information risk as an afterthought when outsourcing IT
July 2008 by isf
Despite awareness of the information security risks associated with outsourcing projects and well publicised cases of data loss or theft, many companies still ignore the potential problems until it is too late. That is the warning highlighted by the Information Security Forum (ISF) – an independent organisation with some 300 major business and public sector Members from around the world.
“The potential to cut significant costs and increase speed to market clearly make outsourcing and offshoring an attractive proposition,” says Simone Seth, author of a new report published by the ISF. “But without the right level of security expertise from the outset to fully identify information risk, there will always be important gaps in the business case. If the necessary controls are not budgeted or put in place to mitigate the risks, it can have serious consequences and even threaten the long term success of the outsourcing project.”
The ISF’s research shows that information risk management is often integrated as an afterthought, and information security professionals become involved too late in the lifecycle. This can often be explained by a lack of awareness at the highest levels and a failure to understand the importance of information risk management through all stages of an outsourcing project.
“Failure to involve information risk managers at the start of a project and through its lifecycle increases the enterprise’s exposure to risk; whether it’s data theft, information leakage or disputes that may arise from questions of ownership of intellectual property,” says Simone Seth.
Information mangers need to identify all outsourced processes, operations and technology and agree business criticality levels through all four steps that comprise an outsourcing lifecycle: Prepare, Implement, Operate and Review. Information risk managers are also able to add contractual clauses that relate to information security regulatory requirements and offer additional protection from a legal standpoint. It is also important to understand regional compliance requirements and regulations as well as the wording of contractual terms to prevent future disputes over the ownership of intellectual property and the transfer of data.
Typical risks at implementation and operational stages that can occur if the right controls are not effective, include fraud, data theft or hacking that can lead to data loss and confidentiality breaches.
The ISF is a not-for-profit international association of some 300 leading international organisations, which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme and has invested more than US$100 million to create a library of over 200 authoritative reports along with information risk methodologies and tools that are available free of charge to ISF Members.
