What are your best tips for protecting data when outsourcing IT?

Establishing a clear and detailed contract is a crucial step in any IT outsourcing project, especially when it comes to data protection. The contract serves as a legally binding agreement between the outsourcing provider and the client, ensuring that both parties are on the same page regarding the scope, terms, and conditions of the project.

Clear provisions that outline the team members accountable for specific areas, along with consistent updates regarding team composition changes or contract particulars—such as unforeseen new functionalities—serve to prevent communication mishaps. What we put down in the contract should mirror our requirements and anticipations. Absent these contractual stipulations, the supplier is left to speculate about the ordering party's expectations. This underscores the significance of meticulous contract formulation, as it eliminates any potential for interpretations misaligned with our outlook.

Develop strong legal contracts that outline security requirements, data handling procedures, breach notification protocols, and consequences of non-compliance. Make sure the contract includes specifics about data protection and confidentiality.

Not having clear roles and responsibilities defined is one of the most common reasons for failure of outsourcing efforts. The contract should include a detailed and clear expectation from the provider by the means of a RACI that clearly outlines the tasks that they are supposed to perform. And this RACI should be aligned with the controls that you want to be out in place and not a generic outline.

Whilst it is always a good idea to "review and update the contract regularly", one should remember that when doing so, your negotiating power as a customer has significantly diminished. To this end, it is much more effective if during the procurement and selection process, the scope has been defined as tightly as possible, using a "lifecycle approach". In this way, you can predict and negotiate challenging (and potentially very costly) areas when you have the upper hand in negotiations, as opposed to deferring this to the future

Protecting data from hackers should be the #1 priority of CIOs whether the data-items reside on in-house or outsourced (ie the cloud) servers. How this is achieved is either: 1. Applying rigorous multi-layered approaches that addresses various aspects of security such as (for a comprehensive list simply as chatGPT 'how to best protect data from hackers': 1.1. Strong Passwords & Authentication 1.2. Regular Updates 1.3. Firewalls and Network Security 1.4. & at least 8 others or 2: Creating database tables that are aligned to a Business Knowledge model (BKM). The stumbling block is knowing how to develop a BKM. In 1990 I not only solved this problem but also developed a software solution to accomplish both

Incorporating security right from the beginning is a critical aspect of guaranteeing software security. Potential vulnerabilities must be assessed at each project stage and tackled during the design phase. Consistent security validation, evaluations, and referencing the initial security blueprint—these actions should be an ongoing part of every sprint. Approaches to handling arising issues should be outlined in the contract. It's not valid to assert that the customer requested a functional application, not a secure one, and that security measures are supplementary efforts.

Security culture is not driven by vendors but by the outsourcing firm themselves. Your own staff should know about access control, dos and don'ts. E.g. I've seen instances where an outsourcer provides a dump of live production data to be used in a lower environment without anonymization or masking of PIIs in spite of it being clearly outlined in the contract. It is imperative to ensure your own staff know the best practices and understand security controls to ensure effective performance of the provider.

Dependent upon the country/countries involved between the Outsourced IT Company and the Company requesting the outsourced services, the relevant Legal Regulations/Laws such as GDPR (UK Commonwealth), POPIA (South Africa) which requires the personal info of individuals to be handled and protected effectively as well as destroyed when requested to, should also be kept in mind to prevent possible Court Cases being tabled against companies that do not comply. To reduce this possibility, sensitive personal info (refer appropriate Legal Acts), the personal info could be substituted with a key such as a numeric reference which is only known to the Company requesting the Outsourced Service - this will minimize this risk.

Ensuring internal staff awareness and training is a cornerstone of successful data protection in IT outsourcing. By educating employees about the nuances of data security in outsourcing, you empower them to be active stakeholders in safeguarding sensitive information. Teaching them about the risks and benefits helps foster a culture of informed decision-making. Training on IT systems and secure data handling equips them to navigate outsourcing arrangements confidently. Strict access controls and passwords reinforce the principle of least privilege, minimising vulnerabilities. Limiting shared data underscores the importance of controlled information flow.

One of the key points here is for local IT administrators to implement a strict policy of Role-Based Access Control to ensure that only the information pertinent to each user group is available to them at any given point in time. Data breaches can occur on both sides of the fence, whether internally or outsourced and it is critical that outsourced partners do not have access to superuser or admin passwords at any point. Furthermore, a policy of password validity, forcing users to change their passwords after a given number of days further reduces the chance of data breaches.

Without the understanding and awareness of employees, neither a safety officer nor an engineer can guarantee the company's and its products' security. In most instances, errors stem from human inattentiveness or negligence. At times, these errors can yield gravely serious repercussions. Furthermore, the ever-evolving technological landscape and emerging vulnerabilities require vigilant monitoring. Employee knowledge holds paramount importance in this regard—ranging from fundamental grasp of password and identity security, evasion of phishing attempts, to measures for fortifying code security. Equally important is educating employees about the nature of valuable, safeguarded data and how its leakage can occur.

Regular audits of your IT outsourcing provider's data security, conducted by independent experts, enhance trust and accountability. Reviewing logs, reports, and incident responses ensures compliance and identifies vulnerabilities. Recommendations for improvement bolster safeguards. Evaluating project effectiveness and data protection's impact informs strategic decisions. This proactive approach ensures robust protection and value in your outsourcing endeavors.

Most business-critical applications come with built-in audit tracking features which are often not used because of the large amounts of disk space that these consume after time. The correct approach is to always have these switched on by default and to have an adequate log retention and purge period defined to reduce the size of the database.

For effective checking and inspection, it's imperative to be knowledgeable about what needs to be examined and possess the appropriate tools and personnel. While utilizing checklists for conformity to standards is important, we should place greater emphasis on substantiating claims with concrete evidence rather than mere assertions. The checking process should be built upon well-defined benchmarks, encompass planned tasks, and adhere to specified timelines and scope of execution. Having an architecture security plan and set objectives streamlines the verification process, making it more straightforward to ascertain if the delivered product aligns with our intended goals.

KEEP A STRONG CORE OWN TEAM OF ARCHITECTURE, COMPLIANCE AND DATA SPECIALISTS This is my experience of succesful large outsourcing deals; by challenging and co-steering ,there is a long term win.It supplements what has been said here and is a recipe for succes.Yves

And to achieve effective audits and reviews, ennsure that in the contract / SLA, you are in fact entitled to do so. Several vendors (especially the largest ones) restrict such rights to "once a year" which may be inadequate in cases of data breaches. Another usual term imposed by large outsourcers is that audits shall be limited to documentation reviews. This should be avoided at all costs, and specific provisions should be included allowing the customer to conduct on-site reviews and audits, including Attack & Penetration and vulnerability assessment exercises, technical policy reviews, etc

Sadly, the frequent news reports of data breaches very rarely contain details of the incident and what went wrong in the first place for reasons of liability and admission of guilt. However, the frequency of such reports in the news itself should highlight the need for strict controls on outsourced data.

Failing to consistently monitor technological shifts and the evolving security landscape will result in us lagging behind. Technological progress often gives rise to the discovery of new vulnerabilities. Consequently, it's essential that we remain current and vigilant, continuously assessing whether the technologies we employ have become susceptible. We must be adept at sourcing relevant knowledge—identifying benchmarks, references, and sources detailing the latest threats—and adopt methods for tracking vulnerabilities inherent in our technology stack. Automation should play a pivotal role in this pursuit—identifying a bug late in the software delivery process could necessitate a complete overhaul of the architecture.

The long term nature of outsourcing deals means that even if you are on top of emerging risks and threats, unless specific mechanisms and provisions have been included in the SLA, the outsourcer shall be able to demand additional payment for addressing such emerging risks. To this end, ensure that you assign responsibility for information and data security to the outsourcer, not commit to a specific set of technologies which may quickly become outdated and ineffective. Also, to the best of your ability ensure you provide for upgrades to the deliverables at pre-agreed costs, for changes to your business reality. One example is when at the start of the outsourcing contract, no eCommerce platform is used, but one is later introduced

In my company, before we share any sensitive info outside our circle, we use a Non-Disclosure Agreement (NDA) to protect your data and ideas. It spells out how we keep things confidential and what steps to take if there’s ever a concern about data safety. Carefully go through it to understand the terms and conditions for ensuring confidentiality. It also outlines the actions to take if you suspect a breach in the confidentiality of your data.