Do you outsource your password?
Published by Denny Roger on 16 Mar 2010 | under: Articles
Handing security services to outside staff saves on investment. But is it worth it?
By Denny Roger
Last month, during lunch with two friends who are specialists in internal audit, we discussed the fact that companies outsource their information technology (IT) processes and applications, including information security. At the end of the conversation, one of my colleagues explained that some IT services are run by external collaborators, so the “master key” ends up being administered by service providers.
My colleague's dramatic tone was not out of place. It reminded me that, in many organizations, the “third party” or service provider holds the administrator password for the computing environment, while the organization's own staff responsible for information security, auditing and internal controls are kept away from the master key.
What are the threats?
In April 2009, while carrying out risk analysis activities in an organization, I found that its service contracts contained a confidentiality clause. In other words, every party to whom the organization's information was made available for the performance of its activities, including administration passwords, was expected to keep it confidential.
The problem I encountered, although common to many organizations, had not been detected by the legal department. The main issues were: a) there was a confidentiality clause between the organization and the supplier that placed the service providers, but the professionals assigned to the service were not employees of the supplier. In fact, these professionals had opened their own companies in order to issue invoices for the services rendered, and the supplier allocated their services to work at the client.
In this case it is no longer outsourcing but “outsourcing delegation”; b) the service providers had not signed the confidentiality agreement between the organization and the supplier; c) some organizations ask the outside person hired for the job to sign a “term of responsibility”, which has no legal validity. The correct approach is for the organization to create a “Statement of Confidentiality” for all service providers; the “term of responsibility” is valid only for employees.
Staff
By the time the supplier receives approval for the proposed outsourcing of IT applications and processes, it begins hiring the staff that will be assigned to the customer. The faster people are hired and assigned to the customer, the faster the supplier gets paid. But when it comes to hiring IT professionals, there is a vast difference in the profile and knowledge of candidates.
The supplier does not have time to assess the skill level of candidates and selects them according to a basic profile and the desired salary. Many customers tell me that some contractors are learning on the job while managing the organization's IT processes, bringing new threats to the company's business.
The supplier does not offer training to the professionals who will be allocated to a company. The first step, and perhaps the most important, is for the third party to receive a copy of the information security policy and training on the company's guidelines and standards, including the code of ethics and conduct.
Conclusion
Organizations should establish guidelines and standards to maintain the security of IT applications and processes managed by third parties. Risk analysis should cover the agreements with third parties, to avoid “outsourcing delegation” without a confidentiality clause.
It is up to the personnel and legal departments to create the terms for employees and service providers. Organizations should request a summary of the curriculum of each professional who will be allocated to the provision of the service. It is recommended that all staff, including third parties, receive training on the security policy and standards before they start work. Keep your company's “master key” under the responsibility of its own officials.
Denny Roger (denny@dennyroger.com.br) has been responsible for more than 100 information security projects, including risk management, maturity level assessment, audits, penetration testing, vulnerability management, security incident response, computer forensic investigations, information security policy and the implementation of security technologies. As a member of ABNT / CB21 / CE 27, he participated in the development of ISO 27001, ISO 27002 and other standards in the ISO 27000 family.
Please visit http://idgnow.uol.com.br/seguranca/mente_hacker/idgcoluna.2009-09-30.9660851925/