Some offshoring providers are so keen to win a business that they sometimes go overboard with security controls. One firm I saw in Chennai, India, had several armed guards with rifles posted away from the primary entrance. As you can appreciate, I was quite worried about it, as I assumed it was a proportionate response to some sort of threat. However, an independent expert assured me that there were no security dangers in the region. It later emerged that one of the supplier's main customers was concerned about overseas terrorism, and the armed guards had been introduced to keep their business.
On that trip to Chennai, it was an automatic door closer that turned out to be the weakest link. Because it was not working, it was possible to enter a part of the building that processed confidential information without an access card. The guards with guns away from the building, although quite noticeable, were largely irrelevant.
Issues such as a broken door can occur anywhere in the world and may only be found on a trip to the provider's premises. But such a visit is the only way to carry out due diligence.
Enforcing your company's IT security policy and its coverage of business process outsourcing, together with all the procedures around this, is crucial here. Information security requirements should be much the same whatever the supplier's location, though you will have to make adjustments for overseas laws and customs.
If your organisation relies on a contract that allows spot checks to be run on suppliers at minimal notice, bear in mind that this may be largely irrelevant abroad. Some states will only issue an entry visa once you have a supporting letter from the provider you are visiting.
If your provider holds an ISO 27001 (Information Security Management System) certification that covers most or all of your offshore services, this is an excellent sign. Because ISO 27001 is a worldwide standard, the provider will have met the same requirements as a business back home. Consequently, if the scope of certification appears too narrow, or if some of the provider's buildings are not included, ask why. Don't assume it is because of differences in certification around the world: there should not be any.
Likewise, the provider's security controls should be strong, and your senior management should formally accept any gaps (perhaps due to constraints of local infrastructure or expertise).
Hopefully, you can now see that due diligence and a close relationship with your provider are equally important whether the provider is at home or overseas. There may be subtle differences for cultural or geographical reasons, but the only way to get assurance is via tried and trusted methods, such as the supplier audit.