Businesses worldwide need to embrace the higher security standards possible to keep themselves, their collaborators, partners, and customers safe.
When a business considers any form of outsourcing, the chosen outsourcing partner must meet at least the same security standards as the contracting company. Otherwise, outsourcing alone becomes a possible attack vector.
This article will present some of the most common points and considerations companies should consider when choosing an outsourcing business partner.
General Data Security considerations
Outsourcing is prevalent among companies of all sizes and industries. The reason is simple: outsourcing, when correctly implemented, translates into dramatic cost savings and efficiency improvements.
Companies can tap into external talent pools, whether in their home countries or abroad. Traditionally for manufacturing and later call centers, outsourcing nowadays can apply to virtually any business process, from software development to human resources.
Businesses have much to gain from a professionally implemented outsourcing strategy.
However, despite its popularity, having key processes outsourced to a partner outside a company does not come without risks regarding data security.
Businesses must select partners that are compliant with the same standards that apply to them. Typical examples are ISO standards, HIPAA for the health industry, and PCI for online retail and fintech, among many others.
Data security for a distributed workforce
Distributed teams are an increasing trend. The COVID19 pandemic has dramatically sped up the pace of companies converting from entirely in-house teams to partial or complete remote collaboration.
This is especially true for the software outsourcing industry. It is common practice for companies in the US to hire partners from LATAM, and EU-based companies are used to hiring collaborators from Eastern Europe or even Asia.
Before distributed work, companies relied entirely on in-house security measures. These include access policies, security cameras, badges, on-site security personnel, devices restrictions, and other surveillance practices.
Security practices need to be adapted for the reality of a distributed team working from abroad offices or even from their homes.
The use of a corporative VPN is considered mandatory. Traffic in and out of company servers should be encrypted. Security policies should be installed or otherwise enforced on team members' devices.
For example, a company can implement the use of disk partition encryption should a laptop be lost or stolen.
Another issue is identity management. A centralized solution like Okta can help businesses centralize and control user access among all its platforms and tools. Many security attacks occur when an outdated, overlooked legacy platform is inadvertently disclosed to the internet with poor user login practices.
Using a centralized identity to log in to each platform or tool is an excellent way of minimizing these risks. Companies should look for outsourcing partners that meet all these best-practices requirements.
If what Microsoft's CEO said is true, every company is now not only a software company but also a company with software security concerns. This translates into data handling practices and data security protocols from a data protection standpoint.
However, both companies and outsourcing partners should not overlook the human factor in adhering to these rules.
This is why choosing the right outsourcing partner must involve the technical aspects mentioned above and the compliance and legal framework that covers the consumer-provider relationship.
The business impact of Data Security
Data is a business asset of strategic importance. Even in 2022, many companies still fail to understand the importance of data security and the severe consequences a data breach can impose, from compromised user trust and PR nightmares to being out of business entirely.
Security should be a top priority concern if a company collects, stores, and analyzes user data. This is especially true if the software that handles the data, or the data storage or collection itself, is performed by a hired outsourcing partner.
Third-party software and data service providers can present a significant security risk for a business if the said provider does not meet the same compliance standards that the company is subject to.
Of course, these outsourced services present drastic financial savings, and companies should continue to rely on outsourcing to meet their goals.
They need to choose the right partner to treat data as a sensitive issue. Given that processes that do not happen in-house are intrinsically less controllable, a company should be able to carry out audits on its outsourcing partners as needed.
A note on Data Annotation projects
Machine Learning and Artificial intelligence products are becoming increasingly popular. Following that trend, it is common for a company to outsource the development and operation of machine learning software collecting user and company data.
Companies should carry out extra security measures when outsourcing data-sensitive projects and strictly follow best practices.
The legal department should also be involved, so any contract clearly states how data ownership and data-related responsibilities will work inside the outsourcing relationship.
Cloud operations and DevOps approaches are significant improvements in software development efficiency. Still, roles with access to sensitive data need to be correctly designed from a legal perspective for data-critical projects.
It could be advisable for this type of project to hire an external third-party security audit company that both the client and the outsourcing partner can rely on.
What is ISO 27001, and how does it relate to Data Security
In short, ISO 27001 is an international standard for information security. It established the necessary processes a company should have in place to implement and maintain what is called an Information Security Management System or ISMS.
The main idea behind the existence of an ISMS is that while most companies have some degree of security controls implemented, they are rarely organized in a methodic and centralized way.
Companies typically have password policies, access management, and other security-related policies, but these are more point solutions than a general organic approach.
The ISO/IEC 27001 standard requires that companies:
- Systematically examine security threats and impacts.
- Implement a comprehensive suite of controls to address said threats.
- Continuously ensure that information security controls are up to standard.
ISO 27001 is, in fact, a member of a broader family of 27000 standards. These include guidance to implement an ISMS, how to audit it, IT governance, special consideration for cloud services, among many others.
How to treat software outsourcing providers in the context of ISO 27001
When companies define the scope of their ISMS, the question arises of how to treat third-party service providers. Some businesses put service providers completely beneath their ISMS systems in search of greater control. Others, out of simplicity, consider third parties to be entirely outside of its scope.
However, an organization should only exclude a third party from their ISMS if direct risks arising from the said party cannot be reasonably treated. This should be analyzed on a case-by-case basis and determined by standard specialists and auditors.
More importantly, a company should not exclude for its ISMS any reasonable ways to evaluate and monitor third parties to ensure they meet the organization's standards and that practices are acceptably implemented.
While, for example, a company would be rarely considered accountable for physical security access to a provider's premises located abroad, they should evaluate and monitor that external contractors comply with security rules, such as using a VPN or the prohibition of using personal devices handled company data.
As with any ISO standard, evidence of this evaluation and monitoring should be kept by the ISMS for external audit.
How to audit outsourcing providers
A company can and should audit a service provider in the context of ISO 27001. There are three basic types of audits: first-party, second-party, and third-party audits.
While going into details of the ISO 27000 standards family is outside the scope of this article, in short, these are the different audit types:
- First-party audit: this type is commonly called an "internal" audit. A company's employee audits the ISMS.
- Second-party audit: this applies when a company audits a supplier. This is one of the types available to a business that needs to audit an outsourced software development provider.
- Third-party audit: this type of audit occurs when a company decides to adhere to international standards such as ISO and hires an external company to perform audits on themselves.
A company hiring an outsourcing development partner could perform at least second-party audits on them.
The right of a company to audit a supplier, and the scope of the audits, should be clearly stated in the legal documents that create the relationship; otherwise, legal roadblocks or other liabilities could arise.
Whether in companies working entirely in-house or in outsourcing scenarios, data security cannot be overlooked.
In particular, when a company hires outside help for its software development processes, it should carefully select a partner that will meet the same security standards that the company is subject to.
In particular, the ISO/IEC 27000 standards family establishes the rules for designing and maintaining an Information Security Management System or ISMS.
When working with external suppliers, companies should carefully plan to which extent providers will be a part of the ISMS, how to audit them, and how to produce and store the evidence of supplier monitoring processes.
Does your company need assistance in setting up an ISO 27001-compliant outsourcing strategy? Drop us a line!