In information security, many customers are now shifting their focus from getting their own house in order to making sure that their suppliers' houses are in order. Employee and customer data, as well as other valuable information obtained through sourcing, is in the hands of these suppliers. Outsourcing agreements provide the means to protect that information, but many lack key provisions.
What Is Information Security?
Information security means:
- Integrity: gathering and maintaining accurate information and avoiding malicious modification.
- Availability: providing access to the information when and where desired.
- Confidentiality: avoiding disclosure to unauthorized or unwanted persons.
Why Is Information Security Important?
Suppliers today need to protect both their own information and other people's information. A supplier's own information might include its financial information, proprietary methods for creating and delivering its products, customer lists, or business plans. Other people's information might include licensed software and personally identifiable information (such as employee or customer records).
This is not merely a matter of competitive advantage. A supplier that discloses financial information or releases maliciously modified financial information could be liable under the securities laws. A supplier that discloses licensed software could be liable under the software license agreement, trade secret laws, and copyright laws. A supplier that discloses information about, for example, a person's financial status, heath condition or employment could be liable under privacy laws.
These types of regulatory, legal, statutory and contractual requirements are not limited to actions by a supplier. A customer can be liable for information security breaches by suppliers, and, of course, a customer suffers equally if its own information is disclosed by its own people or by a supplier's people.
How Do You Assess A Supplier's Level Of Information Security?
Information security should be on every supplier's due diligence list as you review suppliers. However, it is difficult to find a clear metric for security. For example, one cannot determine the number of attacks that were discouraged or the number of disgruntled employees who decided not to attack because of strong information security. Thus, suppliers might consider the following indicators of good security:
- A written and realistic security policy.
- A management with a visible commitment to security.
- Evidence that the supplier has assessed security risks, understood legal requirements, and implemented steps to address the security risks.
- The supplier's operational team, when interviewed, shows a good understanding of security issues and demonstrates satisfactorily how the supplier deals with those issues.
- The supplier has adopted a well-accepted security standard, such as ISO/IEC 17799 Code of Practice for Information Security Management, the U.S. Department of Commerce's NIST Special Publication 800 Series, and the ISO/IEC TR 13355 Guidelines for Management of IT Security.
- Simple and obvious steps, such as having a disaster recovery arrangement in place, backing up data regularly, requiring keycard to access key facilities, protecting all databases with passwords, and making a background check a condition to hiring employees.
Potential customers should also inquire as to whether the supplier performs services under the legal controls that affect the customer. For example, health care institutions in the U.S. are affected by the HIPPA (Health Insurance Privacy and Portability Act) privacy regulations. These are dense and difficult to comply with. As a result, if the prospective supplier is not already complying with the HIPPA privacy regulations, the customer should seek assurances that the supplier is willing and able to comply.
What Do You Put In The Contract?
Outsourcing agreements should include covenants requiring information security. For example, the supplier should agree to:
- Keep confidential all information provided by the customer, on behalf of the customer, or as a result of performing services for the customer. Note that this protection is generally limited in a variety of ways (such as information being publicly available) and thus this is not sufficient protection.
- Abide by all relevant privacy laws including those listed in the agreement.
- Allow security audits on the supplier's systems, including hiring an "ethical hacking" firm to test the strength of the supplier's firewalls.
- Protect all information whether or not confidential with appropriate physical and logical controls. For example, access to customer data should require user IDs and passwords and a need-to-know authorization process. The supplier should agree to provide the names of all persons with such access upon request.
- Revoke access for any user upon a security breach or customer's request.
- Use reasonable efforts, including employment of industry-standard virus protection software, to avoid viruses, worms, back-doors, trap doors, time bombs and other malicious software.
- Provide a copy of all customer data in the supplier's possession or under its control, in a reasonable format, upon customer's request.
- Never grant any subcontractor access to the supplier's data unless the supplier has approved the subcontractor and the subcontract includes all of the security provisions of the outsourcing agreement.
- Report all security breaches or incidents to the customer.
- Have, maintain and follow an acceptable business recovery plan (including disaster recovery, data backup, alternate power and similar topics).
Of course, these are merely examples. Different provisions will be appropriate in different types of outsourcing transactions.
Lessons from the Outsourcing Journal:
- Information security is an increasingly important topic.
- The consequences of an information security breach include business harm and legal liability.
- Outsourcing contracts should include robust provisions for information security.
For more information about Outsourcing Center, visit www.outsourcing-journal.com.
(Reprinted from the March 2002 Issue of Outsourcing Journal. www.outsourcing-journal.com)