Information Security News mailing list archives

Outsourcing: Losing Control


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Mar 2004 01:43:25 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,91085,00.html

By Stacy Collett
MARCH 15, 2004 
COMPUTERWORLD

A woman in Pakistan recently struck fear among IT executives who
outsource. She had obtained sensitive patient documents from the
University of California, San Francisco, Medical Center through a
medical transcription subcontractor that she worked for, and she
threatened to post the files on the Internet unless she was paid more
money.

The story didn't sit well with John Golden, CIO at CNA Financial
Corp., a $12.3 billion insurance company in Chicago that outsources a
small portion of its billing functions to India. Golden's team
implemented a slew of physical, technical and contractual security
precautions to protect customer data, such as sending only necessary
bits of customer information, backing up files in a centralized server
at the home office and putting tough restrictions on employee turnover
at the outsourcing facility. But there's always a horror story to make
him wonder.

"I wish I could say we have the security issue licked," Golden says.  
"We haven't had any security breaches to our knowledge in this space"  
since CNA began outsourcing its billing function a year ago. But with
the growing number of sophisticated hackers, terrorist threats and
old-fashioned opportunists, the threat of a security breach looms
daily.

The outsourcing train has left the station with many top financial,
health care, tax reporting and credit reporting companies on board.  
The business process outsourcing market in India alone is expected to
grow 54% to $3.6 billion by the end of this quarter, according to the
National Association of Software and Services Companies, a New
Delhi-based organization made up of 800 Indian IT and outsourcing
companies.

Industry observers warn that if outsourcing isn't done thoughtfully,
with proper security controls beyond the encrypted domain level,
companies will have their own horror stories to tell. Here are their
tips on controlling data that's in the hands of a third party:


Ask to See a Security Audit

"If you're handling financial data or health data, you are required by
law to have an information security plan that has administrative,
technical and physical steps taken to safeguard the data -- even less
sensitive customer consumer data," says Becky Burr, an attorney and
member of the International Association of Privacy Professionals in
Philadelphia.

Though the requirement is broad and doesn't point to one particular
standard, Kelly Kavanagh, an analyst at Gartner Inc., says outsourcing
vendors should provide evidence that they have undergone a security
audit by a reputable third party, such as a Big Four accounting firm.

Audits using standards provided by a government agency such as the
National Institute of Standards and Technology or a Statement of
Auditing Standards 70 form also provide protection. But many
outsourcing firms balk at the high cost of those audits -- some run to
six figures -- and choose less expensive documentation.

Some outsourcing vendors conduct audits against vertical industry
standards. Health care companies should see an audit related to Health
Insurance Portability and Accountability Act (HIPAA) regulations. CIOs
in the financial services industry can look for audit guidelines under
the Gramm-Leach-Bliley Act.


Set Up a Clean Room

Some facilities handling sensitive data require a clean-room
environment to keep information from literally walking out the door.

Peter Bendor-Samuel, CEO of The Everest Group, an outsourcing
consulting firm in Dallas, describes a standard clean room: "All the
machines and output devices except for terminals are disabled. You
can't copy, can't use a hard drive or a PDA to get information out of
there. Their servers reside back in the U.S. So there's no way to get
data out of there."

What's more, employees are physically searched when entering and
leaving. "These are extraordinary precautions," says Bendor-Samuel,
and they might not be for every company.


Limit Access to Data

At CNA, all workers enter the centralized server through CNA's
intranet, where they can also view links to CNA's methods and
procedures and to the company's chat site. To handle its growing
outsourcing needs, CNA in April will roll out a companywide portal
that will restrict access based on user identity. A customized screen
will pop up at the outsourcing facility with only a few options.

Once offshore workers have access to the server, CNA limits the amount
of client information they can see. "If we're trying to verify that a
customer is a good credit risk, we don't have to send all parts of the
application, just [those] required to approve the application," Golden
says.
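The identity-based access restriction and data minimization described above, written out as an added example (not CNA's portal or code); it assumes a per-role list of permitted tasks and a per-task allow-list of record fields, with everything not explicitly allowed withheld by default:

```python
"""Task-scoped data minimization for records sent to an outsourcing partner.
Added illustration, not CNA's code. Assumed: ROLE_TASKS and TASK_FIELDS are the
home office's policy; a worker receives only the fields the task needs, and the
withheld field names are recorded for the audit trail (default deny).
"""
from dataclasses import dataclass

# Constructed sample record: a credit application carrying far more data than
# any single outsourced task needs.
SAMPLE_APPLICATION = {
    "applicant_id": "A-10042",
    "name": "Jane Example",
    "ssn": "000-00-0000",            # placeholder value, not a real SSN
    "credit_score": 712,
    "annual_income": 84000,
    "requested_limit": 15000,
    "medical_history": "redacted",
    "billing_address": "1 Main St, Springfield",
    "account_balance": 1240.55,
}

# Assumed policy: the only fields each outsourced task may receive.
TASK_FIELDS = {
    "credit_verification": {"applicant_id", "credit_score",
                            "annual_income", "requested_limit"},
    "billing": {"applicant_id", "name", "billing_address", "account_balance"},
}

# Assumed identity-based mapping: which tasks each offshore role may perform.
ROLE_TASKS = {
    "offshore_billing_clerk": {"billing"},
    "offshore_credit_analyst": {"credit_verification"},
}

@dataclass
class Release:
    role: str
    task: str
    sent: dict            # fields actually handed to the partner
    withheld: frozenset   # fields kept at the home office, for the audit trail

def release(record: dict, role: str, task: str) -> Release:
    """Check the role, then apply field-level minimization; unknown role or task is denied."""
    if task not in ROLE_TASKS.get(role, set()):
        raise PermissionError(f"role {role!r} may not perform task {task!r}")
    allowed = TASK_FIELDS[task]   # every task listed in ROLE_TASKS has a field policy
    sent = {k: v for k, v in record.items() if k in allowed}
    return Release(role, task, sent, frozenset(record) - allowed)
```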


Know Your Workers

No matter how many safety precautions are taken, it's hard to stop the
opportunist who steals data for money or revenge. James "Zeke"  
Zoccoli, CIO at LifeCare Management Services LLC, says the best way to
keep his company's outsourced medical transcription records safe is to
know the outsourcing workers and make sure they're trained properly
about procedures and legal consequences.

"We do that through training, agreements and contracts," says Zoccoli.  
LifeCare, a Plano, Texas-based operator of 20 long-term-care hospitals
in nine states, outsources 400,000 lines of medical transcription data
each month to Affiliated Computer Services Inc. in Dallas.  
Transcriptionists have HIPAA training and know the rules and
regulations required to maintain compliance with privacy standards.

Zoccoli and Golden also recommend sending people to visit outsourcing
sites regularly to meet employees and monitor employee turnover and
subcontracting activities.

Collett is a freelance writer in Chicago. Contact her at
stcollett () aol com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

