Information Security considerations for Outsourced ICT

INFORMATION SECURITY CONSIDERATIONS FOR OUTSOURCED ICT SERVICES
Badru Ntege
Group CEO
NFT Consult
What is Outsourcing?
 Outsourcing: “the strategic use of outside resources to perform activities traditionally handled by internal staff and resources” (Dave Griffiths)
 Why Outsource?
 Provide services that are scalable, secure, and efficient, while improving overall service and reducing costs
 international corporation of the future will need to consider security as more of a "customer service" and "profit protection" entity rather than a necessary evil. In the long run, should they fail to do so, they will lose the trust of their customer (who in the end) is the one who dictates their future
Ted Richardson wrote in his blog
Wikipedia
 Security is the degree of protection to safeguard a nation, union of nations, persons or person against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition.
Business process outsourcing (BPO) or ITES is a subset of outsourcing that involves the contracting of the operations and responsibilities of specific business functions (or processes) to a third-party service provider
Components of Security
 People
 Systems
 Technology
People & Trust in BPO
 The Four Cores of Credibility (Stephen M. R. Covey)
 Integrity
 Intent
 Capability
 Results
The Economic Formula
 Trust Tax: Low Trust Slows Down Your Success
 Trust Dividend: High Trust Speeds up Your Success
(Leading at the Speed of Trust, FranklinCovey)
People
 It is critical that both the client and the service provider play a shared role in the selection of people.
 An effort from both sides must also be made to build and inspire trust within the workforce.
 Remember in outsourcing we start and end with people.
Systems and Technology
ITES-BPO Security Factors
 Lack of meaningful sponsorship
 Failed agreement on business processes
 Lack of formal and disciplined project management
 Project team turn-over of staff
 Inability to identify and mitigate risks or remedy incidents
 Excessive software customisation, with poor documentation
 Insufficient training
 User adoption factors
 Project viewed as an “IT” project
A need for good security policy
 You must also check your security policy.
 A good security policy will be sound and rational.
 It should include a data classification that can distinguish between sensitive and common data.
 The policy should also state clear standards and guidelines.
 These guidelines should be finalized by the stakeholders, managers and employees of your organization.
Privacy and intellectual property policy
 The vendor must have sound intellectual property protection laws.
 The vendor will go by your privacy and intellectual property policies.
 Make these clear with your vendor in simple language to avoid later misunderstandings.
Protecting your data
 Use database monitoring gateways and application-layer firewalls before outsourcing.
 These devices can help you enforce usage policies.
 They can also help prevent privilege abuse and vulnerability exploitation.

The rule of least privilege
 Decide on a method to monitor material exceptions on your vendors and ensure the rule of least usage.
 Most of all, do not provide access to all your records at the same time. Ensure that this is also monitored.
Leak-Proof traffic
 Make sure that your vendor monitors outbound Internet traffic.
 Monitor emails for potential information leaks.
Security
Trust Dividend or Tax
 Vendor and client have to build trust with each other
 Vendor must have credibility to perform
 Vendor must inspire trust in his employees
 A trust relationship between both vendor and client must exist
Thank You. Any questions?