IT WEEK • 7 JUNE 2004

40 COMMENT Offshore outsourcing raises questions about the protection of data and legal responsibilities
40 ANALYSIS How to find the right offshore partner

MANAGEMENTWEEK – WHERE TECHNOLOGY BECOMES BUSINESS REALITY
Editor: Madeline Bennett

Kit updates security policy
Madeline Bennett and Martin Veitch
INFORMATION SECURITY TOOLS

Risk management specialist Secoda has updated its security policy management tool to help firms demonstrate compliance with security standards such as BS7799.

Secoda’s RuleSafe system is designed to manage information security policies and to ensure employees are provided with relevant information in a timely manner. Users can search through multiple policy documents online and drill down into the areas relevant to the task in hand.

The latest version adds visible mapping of external drivers, such as the BS7799 security standard, to internal policies. This gives context to an organisation’s own security policies, according to Secoda, and can help auditors with compliance reviews.

Secoda has also enhanced the search and feedback features of the policy infrastructure tool, with a simpler search interface. This updated version streamlines the process of developing, reviewing and updating policies, and highlights new entries so staff do not have to re-read policies when updates or changes are made.

RuleSafe 2.0 could make it easier for organisations to ensure employees follow IT security guidelines. “People can easily locate the exact policy that relates to a given situation,” said Adrian Wright, managing director of Secoda. “No more excuses, just immediate awareness of the relevant policies and guidance.”

The price of RuleSafe starts at around £16,000 for the base package, excluding support and maintenance.

There is a growing number of organisations that want to improve information security procedures through BS7799 certification. The standard is seen as a badge of good governance for information security, among public-sector bodies in particular. According to the Information Security Management Systems user group, more than 700 organisations are accredited to the BS7799 standard – an increase of more than 100 in the last two months.

Redbus Interhouse has become the first independent datacentre hosting firm to gain accreditation to the standard. It recently achieved certification for its Amsterdam site and expects facilities in London, Milan, Paris and Frankfurt to follow.

“BS7799 brings proof of having things organised the way they should be in the datacentre,” commented Adriaan Oosthoek, Netherlands country manager at Redbus. “It demands that we have good physical infrastructure, redundancy, procedures and access logins.”

Oosthoek said undertaking BS7799 had helped the firm to improve its processes. “There were some small holes in the way we were organised. We now have more access logins for individual doors rather than just a central login. BS7799 makes you more aware of what you’re doing.”

Comment, p13
www.xisec.com
www.secoda.com/rulesafe.htm

• Secoda has enhanced its RuleSafe system to help firms manage information security policies.
• An increasing number of organisations are seeking the BS7799 information security certification.
• Redbus has the first independent datacentre to gain accreditation.

Oosthoek: BS7799 improves processes

New laws offer upgrade lever
Madeline Bennett

The need for firms to comply with new rules and laws for good corporate governance should be seen as an opportunity to improve business processes, rather than as a cost, according to a report from analyst firm Butler Group.

In Solutions for Compliance, the firm argues that compliance with corporate governance rules and other legislation can improve overall operations and give firms a competitive advantage over companies that fail to follow best business practices.

The report recommends that IT chiefs should seize the opportunity to drive change and make improvements. Many of the new rules require IT systems to improve the reporting of how businesses are run, so IT leaders can push for system upgrades to achieve benefits such as better views of processes and operations.

The first step is to analyse existing business processes. IT chiefs should then detail the requirements for implementing compliance systems, said Butler. The report emphasises that representatives from IT, HR and other units should work together to ensure that systems will be implemented smoothly and with little disruption.

STEPS TO COMPLIANCE
• Analyse and monitor existing business processes
• Work with business managers on compliance plans
• Promote IT systems that improve visibility of operations
Source: Butler Group

A number of tools are available to help with compliance. For example, Netegrity has updated its IdentityMinder eProvision access management tool to accommodate new auditing requirements. The new version helps firms to control and audit access to financial systems, a key requirement of the Sarbanes-Oxley Act, said Netegrity.

The system is designed to improve companies’ control over access to applications. A graphical interface offers drag-and-drop icons to simplify the development of workflow processes, while an enhanced policy-building feature makes it easier to configure workflow policies. Unified management of user access is supported via a new centralised control panel that can be used to create policies, view tables and define resources. Netegrity’s IdentityMinder eProvision 4.0 is due for release at the end of June.

www.butlergroup.com
www.netegrity.com

CONTENTS
40 COMMENT Companies are responsible for data protection, even if services are performed overseas. So how can they make sure their data is safe, asks Mark Street
37 ANALYSIS Forecasts suggest companies will rely more and more heavily on offshore outsourcing services. So how can businesses find the right offshore partner?

IT leaders warned of data scams
David Neal

The Office of the Information Commissioner has issued an urgent warning to alert IT managers to registration scams concerning compliance with data protection law.

The information commissioner, Richard Thomas, announced late last month that he had received a spate of complaints from managers who had received letters requesting fees of up to £95 for registering as a “data controller” under the terms of the Data Protection Act (DPA). The actual registration fee is £35 per year.

In a statement, Thomas advised: “The golden rule is that if you receive a letter out of the blue demanding more than £35 to register under the DPA this will be a scam. Our simple message to businesses is to throw the letter in the bin and not to pay the fee demanded.”

Firms that need to register but have not yet done so should go to the web site at the URL below, where their rights, responsibilities, terms and conditions are spelled out in detail.

Thomas said that since the new law came into force, such scams have cost UK businesses huge amounts of money. “My office still receives over 2,000 calls a month from anxious businesses,” he added.

The information commissioner’s powers allow him to take action against bogus registrars, and Thomas said he would work with local authorities and the Office of Fair Trading (OFT) to ensure that more businesses do not get fooled. Thomas added that a list of the companies being investigated by the OFT is available on his department’s web site – at the address below – and there is also a helpline number: 01625 545 740.

www.informationcommissioner.gov.uk

itweek.co.uk

Data needs a safe harbour
If firms use offshore outsourcers, they need to ensure that their data will be protected in accordance with European law or they could face legal problems, says Mark Street

In the old days, the list of reasons for deciding not to outsource IT services offshore was fairly simple. It usually included language barriers, quality of service issues and fear of losing control of core competencies. But that was before the ramifications of the Data Protection Act and corporate governance laws struck home, increasing the importance of protecting consumer privacy.

Many firms, not to mention the Office of the Information Commissioner, seem blissfully unaware of the added complications likely to arise if firms have, for example, transferred database controls to India, Russia or wherever. Offshore outsourcing seems to raise a thousand questions about how carefully the data is being protected and whether systems conform to the increasingly high standards that are being set by the information commissioner, Europe and the UK government.

Under the Data Protection Act, a firm that collates data about customers is designated an “information controller” no matter where the data is sent, so it is responsible for protecting that information. So if something goes horribly wrong and consumers’ details end up where they shouldn’t, there is no point in blaming the third party that was looking after the data on your behalf. It just won’t wash.

Such concerns led to the Safe Harbour Agreement between the US and Europe. US firms operating under the agreement pledge to protect data from European partners in accordance with European law.

While Indian offshore firms have been quick to achieve a whole list of internationally recognised accreditations, including the IT security standard BS7799, they have so far failed to tackle the issue of data protection by developing a version of the Safe Harbour Agreement.

Other rules that have muddied the offshore waters include the Combined Code on Corporate Governance and, more recently, the Operating and Financial Review, which puts UK firms under more pressure to provide details of all possible risks to their business, especially in the financial sector.

It is an old axiom that you should only accept responsibility for risk if it is something over which you have complete control. So where does that leave firms that have decided to outsource the bulk of their IT operations overseas? When they compile risk lists, do they declare their exacting standards or do they have a third-party service provider declare their standards? And what about risks that are endemic to the country where a firm has outsourced its services? For example, low wages in India could mean that staff may be more vulnerable to bribery and industrial espionage, raising more questions about the security of data.

Hopeless idealists used to think that the term “global village” stood for the coming-together of cultures and races to create a more happy and stable world. As time marches on, it is becoming increasingly apparent that the term actually stands for offshore outsourcing opportunities or cheap labour for western corporations intent on improving their margins.

As information controllers, UK firms need to insist that their offshore service providers offer contractual guarantees to protect data. And UK firms should also lobby for more countries, including India, to adopt versions of the Safe Harbour Agreement, based on the template that is already in place. ITW

[email protected]

Offshore visits pay dividends
Firms planning to outsource overseas should visit potential partners in person to inspect infrastructure and security
IT OUTSOURCING
ANALYSIS BY MADELINE BENNETT AND DAVID NEAL

IT outsourcing is on the agenda of most large enterprises. Firms have to decide which IT functions to outsource and which to retain in-house, and they also have to decide whether to use a service provider in the UK or one based further afield.

Before signing any outsourcing deal, firms need to identify and manage security risks, said Kelly Kavanagh, senior analyst at research firm Gartner. He pointed out that offshore outsourcing requires even greater care in several areas, including the degree of control over customer data.

Kavanagh added that to deal with these issues, IT staff should be involved in the outsourcing process from the earliest stages. This means that they should be included in operations management, as well as the strategic planning phase.

Firms should audit prospective service providers to ensure policies and controls meet the required standards, said Kim Rajah, vice-president of European operations at outsourcing specialist Cognizant. “The more educated buyers will visit the proposed location, look around the facility, look at the infrastructure and security and see if the processes are being adhered to,” said Rajah.

He stressed that the location of an offshore partner is important. “Buyers tend to do a lot of due diligence, looking at political stability, the size of the labour pool and technical capabilities,” he said. According to Rajah, few countries apart from India can meet the required standards.

Rajah predicted that offshore IT outsourcing would increase as the economy improves. “Companies will be picking up on new development spend and running new projects and they won’t have enough IT people in-house to do it,” he said.

Another trend could see more companies handing over day-to-day responsibility for their IT operations to third parties. “There’s a strong likelihood that more and more firms will see IT as a utility and outsource their entire function,” said Rajah. But companies will still keep certain key IT personnel, he added: “Firms will look for hybrid IT managers who know IT and the business, and project management skills will also be required in-house.”

Businesses requiring a high level of security may be attracted by a new scheme called Outsource2NewZealand, designed to encourage UK firms to outsource high-level, business-critical systems to New Zealand. The scheme includes a coalition of 20 vendors, supported by the New Zealand government and managed by the IT Association of New Zealand (Itanz).

Outsource2NewZealand members said they were not interested in competing with mainstream outsourcing companies in India, China or Eastern Europe, but instead would offer top-end, niche solutions. “We are pitching our skills at a much higher level,” said Jim O’Neill, executive director of Itanz.

He added that New Zealand should be a good choice for data privacy. “Our regulations and laws are [comparable] to those in the UK. New Zealand is a very safe destination for outsourcing.”

Another attraction of New Zealand may be its time zone, which is 12 hours ahead of the UK. This could speed up projects, because when one territory stops work, the other could continue it without requiring night shifts. For example, one of the group’s members, Jade Software, provided UK building society Skipton with a complete branch automation system in less than three months, working with Skipton for what were essentially 24-hour days. ITW

www.outsource2newzealand.com

SUMMARY
• IT outsourcing is on the agenda of most large organisations, but they should check potential offshore partners carefully.
• IT managers should visit overseas locations to review infrastructure, security and privacy provisions.
• Outsource2NewZealand is a new initiative backed by more than 20 vendors. It offers European firms high-end services and security.

Rajah: political stability is needed