security in outsourcing or cloud-based project: the relationship with your outsourcer

In this second blog post, we will focus on the responsibilities you have in an externalization of your IT environment. (By the way, if you haven’t read my first post, you may want to do so first: click here!)

do you know yourself?

Before starting an outsourcing project, it is best to evaluate the current security controls and the risks that they mitigate. This will allow you to duplicate the controls that are working and replace those that are not, in order to maintain the same level of risk. In very rare instances, the current situation is unknown or too complex to be understood. In those cases, outsourcing can be the catalyst to improving security and setting the foundation for a good security approach for critical business processes.

managing outsourcers’ security levels

In all cases, internal security policies, regulations and local laws are critical in painting a precise picture of what the business’ overall security should look like in an outsourced environment.

Outsourcer management is often neglected. Some companies outsource different parts of a project to different suppliers. For example, they outsource a telephony infrastructure to one company and the WAN to another. When they do this, the company must ensure that the same level of security is requested and delivered by both outsourcers. Establishing clear communications between the various outsourcers and also between the internal departments that deal with the outsourcers is critical.

a word about outsourcers’ responsibilities

Although this sounds straightforward, when an incident occurs or a large set of changes are requested, problems that could have been avoided often surface. Don’t you feel a link is missing when dealing with critical incidents?

The RACI model, a relatively straightforward tool that can be used for identifying roles and responsibilities during an organizational change process, is well known but rarely used. A RACI matrix, however, is not only crucial in an outsourcing project, but should be completely explicit. Outsourcing companies deal with IT, not with business, so blurred areas can be common and must be avoided.

understanding what is outsourced

As mentioned above, the as-is state of security controls must be understood before an outsourcing project is undertaken. In addition, you also need to be aware of the processes that will be affected by the outsourcing project.

For example, how do you control access management if you do not receive notice of persons leaving the company or changing roles? And how do you prove to your own auditors that the process is fully managed?

The incident management process is, of course, also affected. You must ensure that

  • security incidents are detected by your outsourcers
  • they are correctly evaluated
  • they are reported to you in a suitable timeframe

Incident management can have very diverse impacts, including legal and operational. Therefore, you need to ensure that the outsourcers’ obligations are clearly stated and determine whether or not the outsourcers have any legal constraints that are incompatible with your business.

Internal incidents must also be considered. To analyze internal incidents, the security department may need information that is in the hands of outsourcers. You should ensure that your security team can access those logs within a reasonable timeframe and identify the individual(s) within the outsourcers’ organizations who can understand the issues and take the correct actions.

Stay tuned for the following post: I’ll talk about the constraints and challenges of the outsourcer.


crédit photo: © XtravaganT -

Michel Nolf

I am providing information security officer consultancy for multinational clients and governmental institutions.  Being paranoiac as any security responsible, I am quite relax at home enjoying family. My work has driven me to work with many different cultures that I am so happy to meet during my vacations.

Working in the security for so much time, I have seen the evolution of the mentality but I dream for more. But dreaming is not enough…Let’s work on it!