whitepaper - data security when outsourcing engineering


Upload: raghuraman-ramamurthy

Post on 05-Apr-2018


7/31/2019 Whitepaper - Data Security when outsourcing engineering

http://slidepdf.com/reader/full/whitepaper-data-security-when-outsourcing-engineering 1/4

While outsourcing presents new opportunities for companies, it also presents its share of challenges, like Information Security and Intellectual Property concerns. As the availability of content and the ease of use of this content grow, the concerns about protecting this content also grow. This white paper focuses on the information security challenges presented in the outsourcing model and the best practices adopted to mitigate this risk.

INFORMATION SECURITY CHALLENGES IN OUTSOURCING

A best practices study

Raghuraman Ramamurthy

BACKGROUND

The outsourced services model is increasingly being adopted by medium to large companies to take advantage of the financial benefits it offers and also enjoy the added advantages it presents, like skills enhancement and flexibility of operations. While this presents a multitude of opportunities, it does not come without its share of challenges.

The inherent structure of service providers in itself poses multiple challenges to Information Security. Their internal structure, multiple service units, shared infrastructure and shared resources—each of these contributes to the challenge.

Information Security, when not addressed properly, can turn out to be a significant deterrent to outsourcing. A large number of small and medium enterprises are shying away from outsourcing only for the fear of losing their intellectual property. The large companies that rely heavily on outsourcing have figured out methods to overcome these risks by applying a systematic approach to information security.

“Fear of losing intellectual property remains the largest deterrent to outsourcing.”

In this paper, we will attempt to provide a high level overview of the challenges followed by the best practices employed to mitigate these risks.

CHALLENGES

When an organization outsources services, it brings in a few challenges as follows.

Data security not part of governance

While any governance framework looks to define the financial, performance and operational outcomes, when it comes to data security, there is very little or no focus at all in defining the same.

A systematic approach to defining the processes that protect data, as opposed to treating data security in an event-driven fashion, is missing.

Data security is IT’s responsibility

While the IT teams implement and enforce standards, it is the responsibility of the teams that interact with the customer organization to define these standards and practices. The execution of these data security standards and practices cannot be assigned to a single team; it is everyone’s responsibility.

“Data security cannot be assigned to anyone, it is everyone’s responsibility.”

Interpretation of security requirements

The security requirement with any relationship is defined to be “high”, without a clear definition of “what” the “high” security requirement means and “how” this requirement will be met.

The interpretation and implementation are left to the IT teams’ bias and preferences. This leads to large inconsistencies in practices and lapses in implementation. While there are standards for security that are practiced by IT, customization is imperative based on requirement.

Perception of reduced risk levels

It is common understanding that the risk levels are lower as you go down the pyramid of services. It is perceived that lower value services attract lower information security risk compared to higher value services. While it may be true in a few cases, largely, this is not true. All levels of service present the same level of risk and will need to attract the same level of attention.

Distributed operations

With globally distributed operations, the challenge becomes more complex with practices and standards being different in different locations. Also, regulations vary for each country/state and the infrastructure available may also differ from location to location. This makes it very difficult for an organization to coordinate information security globally.

Lack of awareness

Most incidents of data security lapses, when analyzed, point to the fact that they were unintended actions rather than malicious attacks. These lapses are mostly caused by the lack of a properly documented security policy and inadequate training on security practices.

“Most incidents of data security lapses are unintended actions.”

BEST PRACTICES

The following are some best practices that have evolved over years of experience that BWIR has acquired in successfully managing outsourced relationships for customers and for Barry-Wehmiller.

Data security is a key part of governance

Data security is regarded as a key part of governance in customer relationships. A top-down approach was adopted with senior management showing commitment to adhere to the highest standards of security.

The coverage is the entire organization rather than pockets of implementation.

“Senior management commitment is imperative for security.”

Tailored control requirements

Rather than adopting an out of the box control standard, it is important to analyze what suits the organizational practices, also keeping in mind the type of services offered. It is also important to keep the customer in mind while designing these standards, so as to not make it an administrative overhead to adhere to these standards, while at the same time not compromising on security.


Interpretation of security

While BWIR has specific processes and standards laid out for security, we make it a point that every customer is engaged in a discussion on specific security requirements that they may have, to customize the models to suit their requirement. Data security policies and standards are then designed to suit the customer policies and standards to ensure that the maximum level of security is maintained.

When there are multiple locations involved in delivery of services, it becomes all the more important to ensure that policies are standardized and implemented across delivery locations.

Appropriate use of technology

With the availability of technology, it is possible to achieve the highest standards of security. It is important to make investments in appropriate technology and implement them correctly.

While technology helps enforcement of data security, it is the people who ensure adherence. Hence, it is important to invest in appropriate training for individuals for adherence.

Training

BWIR adopts a structured training process where training is extended not only to BWIR associates, but to customer stakeholders too, to ensure they follow the same practices as their extended engineering teams.

CONCLUSION

The challenges of information security with outsourcing can be overcome to a large extent with the right mindset and approach to security. What is important is a systematic approach to security, a clear understanding of customer needs and the ability to customize requirements for each customer within a given framework. This requires marrying the customer processes with those of the service providers and training all relevant stakeholders for adherence. It goes without saying that this requires appropriate infrastructure to enable enforcement.

About the author

Raghuraman Ramamurthy (Raghu) is a Product Manager—Engineering Solutions with extensive experience in operations excellence and process optimization. Raghu carries experience from diverse industries and has spent most of his career consulting, developing and implementing best practices for large outsourcing initiatives.

About BWIR

Barry-Wehmiller International Resources (BWIR) is part of the consulting platform of the $1.2 billion Barry-Wehmiller Companies Inc., a market leader in packaging, paper and paper converting capital equipment manufacturing, headquartered in St. Louis, Missouri with global operations. BWIR brings the best of both worlds—the dependability of a global billion dollar company with the benefits of distributed operations. BWIR has been recognized as a pioneer in outsourcing with a distributed global network of resources. ISO 9001:2008 certified, BWIR has validated systems and processes in place to deliver superior services to our customers.

USA

8020, Forsyth Boulevard, St. Louis, MO 63105
Phone: +1 (314) 862 8000
Fax: +1 (314) 862 4154
Toll free: +1 (800) 862 8020

INDIA

MPL Silicon Towers, 23-1/B3, Velachery Tambaram Road, Pallikaranai, Chennai—600 100
Phone: +91 (44) 4390 9100
Fax: +91 (314) 862 4154

Email: [email protected] | Web: www.bwir.com