Top tips for secure outsourcing

Outsourcing has once again become a bit of a buzzword in the industry as the recession bites and companies try to turn fixed costs into variable ones.

But one oft-overlooked angle is that of security. Most organisations now realise the threat posed by viruses and the folly of having unprotected web servers - but the words 'outsourcing' and 'security' aren't usually uttered in the same sentence.

But Fujitsu Services thinks they should be. Consequently John Alcock, principal consultant within the company's security practice, has come up with some top tips to ensure IT security isn't ignored when forging an outsourcing partnership.

And here they are...

1. Planning and preparation is paramount Carry out thorough planning throughout the outsourcing negotiations. Determine exactly which party is responsible for security and which systems are covered. Outline how the outsourcer's security team is to work alongside yours, if boundaries are blurred then companies are vulnerable to security breaches such as theft and fraud.

2. Know the risks Ensure that there are experienced security specialists within your organisation and your potential supplier. Discuss any existing or potential security problems during contract negotiations, because determining the problems beforehand will ensure a happier relationship.

3. Manage the partnership Good leadership is essential, make sure that your team is well managed and fully understands how security maps onto the business objectives of your company. Team members must have direct access to senior management to escalate any security issues.

4. Keep it simple Complicated language can hinder a successfully partnership. When addressing security, contracts should be written in plain English and specified in detail, so that they can be readily understood and managed by both parties.

5. Don't be unnecessarily harsh Avoid setting unnecessarily punitive damages to be levied in the event of a security incident. High penalty charges for reporting a suspect breach can lead to cover-ups, which leaves companies vulnerable to ongoing breaches. Openness and communication are critical to success.

6. Be flexible Look for a flexible, progressive attitude to security in the service provider. Security is not a static issue that can be implemented and then ignored. Security threats such as viruses evolve continually; technology companies need a dedicated resource to ensure that they can react and protect their changing business from those threats.

7. Is it technically viable? Before entering into a partnership with an outsourcer, confirm that they have the right breadth of technical expertise and their operations and can match those of your business. If they cannot match your technology and knowledge they will not be able to ensure your security.

8. Location, location, location Ensure that your service provider has the correct geographical coverage to match your own organisation. Often security incidents will require manual intervention, and your company will need people based locally to carry out investigations in the event of a breach.