ISF identifies outsourcing security risks and how to manage them

A new report published by The Information Security Forum (ISF) - the
global not-for-profit organisation with over 260 corporate and public
sector Members - highlights the unique risks to information presented by
outsourcing critical and non-critical business functions. The report
addresses many of the concerns that currently deter organisations from
outsourcing and provides a practical step-by-step guide to overcome

The ISF report shows that the complexity of managing information risk is
increased significantly when the responsibility for specifying controls
is separated from the responsibility for implementing and monitoring
them. Furthermore, simply assessing outsourcing risk is made more
difficult because there are three types of information risk to assess: that
associated with the business function, the outsourcing provider and the
outsourcing process itself.

"Outsourcing is here to stay and despite increased risks, the majority
of our members are already outsourcing or planning to outsource business
critical functions," said Colin Dixon, senior project manager at the ISF
and author of the report. "However, with corporate governance
initiatives such as Sarbanes-Oxley and increasing concern about data
security and privacy, there is a real need to understand, assess and
reduce outsourcing risks. It is critical that risk management teams get
involved at a very early stage in the process and are active in defining
the outsourcing contract which is the primary method to manage risk."

The relationship between the organisation and outsourcing provider will
determine the success of the contract and it is important to have a
dynamic arrangement that is driven by the needs of the business and
reflects changes in the risk management strategy. "Most outsourcing
relationships that fail do so because of a lack of planning and clear
communications," says Dixon. "And while no one sets out expecting
failure, the exit strategy is at least as important as the initial

The full report is available to ISF members and is the latest addition
to the ISF library of over 150 research reports. The ISF has invested
more than US$50 million over the past fourteen years in providing best
practice material for its members. Founded in 1989, the Information
Security Forum (ISF) is a not-for-profit international association of
over 260 leading organisations which fund and co-operate in the
development of practical, business-driven solutions to information
security and risk management problems.
