Today I want to summarize some of the good practices we are seeing clients apply in managing the security of outsourced vendors. As more and more work gets globally distributed, this is now an important theme.
Over 400 of the Fortune 500 are outsourcing/off-shoring business processes. Internal Audit, Strategic Sourcing, and Information Security groups are working in unison to establish programs where vendors operate under strong security oversight. Top management recognizes you can outsource processes but not responsibility.
Nature of the program - A matrix of geography, divisions, processes and vendors
When organizations outsource, there may sometimes be five (5) or more offshore vendors spread across the globe. The outsourcing arrangement is further complicated because:
Each outsourced operation is handled by more than one vendor
Each vendor handles more than one outsourced operation
Each vendor has multiple locations, with each location handling one or more outsourced operation
In our experience, formal mechanisms are still rare to do structured Information Security Audit of the vendors, even when their MSAs mandate security audits.
Keeping a rein on it - Three phase approach
The programs we have seen work best take a three phase approach:
Set up the audit program including audit schedule, frequency, develop checklists and reporting mechanisms. This will also include scoring criteria to compare over time and between vendors.
Carry out onsite and remote audit of each vendor for each of their locations, with individual reports and mitigation plans. These include application security tests, penetration testing, vulnerability scanning, architecture review, process reviews etc.
Create consolidated reports and action items for improvement across the vendors. These include identification of root causes, identification of recurring failure and steps to improve the program. These also cover scoring systems and trend analysis.
Since outsourced vendors have multiple locations and they also service multiple operations of the Client, we recommend dividing the audit for each vendor into two parts-
Substantive audit- which is carried out once for each vendor and which covers larger company-wide security issues to be assessed
Selective audit- which is carried out for each outsourced operation and each location of a particular vendor and which covers security issues specific to outsourced operation or location.
In this manner, the entire audit program can be made more efficient without vendors having to devote long time for audit exercise.
The audits can be carried out against ISO 27001 standard, FISAP requirements, BITS guidelines, client specific requirements or other adopted standards. Additionally, IT service management domains from ITIL, relating to change, problem and capacity management can be incorporated into audit scope.
Rapid deployment and early gains give necessary bump to the success trajectory
Audit programs can be set up in 4-6 weeks and thereafter individual audits are carried out periodically. The first round of audit across vendors and locations can be usually completed in 10-12 weeks. That results in identification of a dozen or so improvement actions to protect your organization's critical data. These early gains give the program instant credibility and greater acceptance. In time the program will enable organizations to expand the trust and control boundaries to include all necessary parts of their outsourcing vendors.