Outsourcing has become very common in recent years, especially in the field of Information Technology. So that companies can focus more on their core business, it makes sense to outsource many of their IT services and work to external organizations. In addition to this, quite often outsourcing can provide a cheaper means of labor if sent off shore, which enables the company to reduce costs and remain competitive. There are however security concerns with outsourcing IT services, some of which include maintaining privacy of sensitive data, quality of service and awareness of local laws and regulations. Vacca’s Computer and Information Security Handbook reminds us that in outsourcing situations, “even non-employees have rights to view/create/delete some of the most sensitive data assets within an organizations.”
In order to effectively secure outsourced activities, it is essential to have in place proper procedures. Securing transfer of data is equally as important as the procedures on how the external organization will store this data and secure it within their facility. Karabulut et al. (2007) discusses the effectiveness of a developing a data protection agreement between the company and its contractor to ensure that they maintain the high level of security expected to protect data and only make it available to authorized parties. Other countries do not have as effective privacy laws and regulations and therefore the use of such an agreement becomes even more important. Alexander at CIO News wrote an article for Search CIO discussing some of the issues with outsourcing. He provided advice on reducing or eliminate the need to send highly sensitive data where possible, for example replacing social security numbers with some other form of unique identifier.
As companies hire or contract out to other organizations both within the United States and abroad, effective security measures must continue to be put in place. Where possible, background checks should take place and processes should be implemented to effectively monitor activities of data access and transactions closely. In the cases where the cost of security may outweigh the benefits of outsourcing, the organization should re-evaluate it’s long-term outsourcing strategy and determine if certain services or work should simply remain within the company.
