The Information Security Forum recently issued a press release about outsourcing and information risk, stating that many companies consider information risk as an afterthought when using third-party providers for IT services.
All too often using outsourcing services is viewed as the remit of the IT department and perhaps the business user department, but unfortunately the risk involved is often not considered in enough detail before the decision to outsource has been made.
A February Butler Group article entitled 'Securing business systems in 2008' said that understanding what users do with the sensitive information that they are allowed to work with is going to be a key issue for organisations and their service providers in 2008.
It said these and other information management basics will need to be properly addressed before organisations can aspire to delivering services that are capable of supporting the information management and business continuity challenges that lie ahead.
Regrettably, this does not appear to have been addressed sufficiently so far this year.
According to the ISF, despite awareness of the information security risks associated with outsourcing projects and well-publicised losses and theft of data, many organisations still ignore the potential problems until it is too late.
Outsourcing remains an attractive proposition not only for the cost benefits that it can provide user organisations, but also for the improvement in processes and quality that can be achieved. When the business case is handled effectively then any risks should be covered. This is not to say that the outsourcing or managed services project should not go ahead, but rather that any potential risks should have been reviewed, addressed, and mitigated where appropriate before it does.
However, the ISF's research shows that information risk management is often integrated as an afterthought, and information security professionals become involved too late in the lifecycle. This can often be explained by a lack of awareness at the highest levels and a failure to understand the importance of information risk management through all stages of an outsourcing process.
The ISF concludes by saying that information managers need to identify all outsourced processes, operations, and technology, and agree business criticality levels through all four steps that comprise an outsourcing lifecycle: prepare; implement; operate; and review.
The topic of information assurance and protecting an organisation's data sits firmly within the governance, risk, and compliance (GRC) agenda, and there should be ownership and accountability for this at board level.
If this accountability is not present then it is unlikely that there is a company culture to ensure that risk is considered and addressed as part of any decision to use third-party providers for IT services, and the data of organisations will continue to be at risk, whether this exposure is inadvertent or deliberate.