
BPO Journal

Saturday, August 27, 2005

Of Outsourcing, Compliance and Due Diligence

George Mathew has an informative post on ITToolBox about the role of due diligence in outsourcing success. I want to add to that post by considering its importance in an evolving regulatory environment. In a world of HIPAA, California SB 1386 (the Database Breach Notification Security Act) and Sarbanes-Oxley, outsourcing firms must document their due diligence in vendor selection and in the management of business processes and IT security over the life of the contract. The need to understand processes and technology becomes more pronounced and complex when a business process is offshored to locations such as India, Eastern Europe or China, where the intellectual property rights regime is weak and legal liability is limited.

For example, in 2003, Ohio-based Heartland Information Services, which had outsourced some work to a firm in Bangalore, India, had a close call when several disgruntled employees of the offshore firm stole proprietary information and sent anonymous e-mails to Heartland demanding money for its return. If Heartland refused to pay, the employees said they would release the information, which they claimed contained patient records, on the Internet. Fortunately, the perpetrators were caught within a few hours, and the information was never publicly disclosed. Unfortunately, it was not an isolated incident. The University of California at San Francisco Medical Center and, more recently, Citigroup have had close calls with the protection of their customers' personal information.

In an environment where adequate compliance is necessary for competitiveness, thorough due diligence by the outsourcing firm is essential. The firm must require an audit of the provider's systems and business environment, and it must have a thorough understanding of how information is created, transmitted, processed and destroyed. Such audit reports and the results of any testing or on-site inspections must be actively reviewed by the client firm. Finally, security responsibility and liability must be clearly documented in contracts and/or service level agreements to allow for effective and timely response to breaches when they occur.

Marne Gordan, the Director of Regulatory Affairs for TruSecure Corporation, in a recent article on ZDNet says, "Remember, it is impossible to put too high a price on information security, particularly in today’s regulatory environment. A little time and effort spent up front can save any organization potential loss in terms of revenue, resources, and reputation."
