whitepaper - data security when outsourcing engineering
7/31/2019 Whitepaper - Data Security when outsourcing engineering
http://slidepdf.com/reader/full/whitepaper-data-security-when-outsourcing-engineering 1/4
While outsourcing presents new opportunities for companies, it also presents its share of challenges, such as information security and intellectual property concerns. As the availability of content and the ease of use of this content grow, the concerns about protecting this content also grow. This white paper focuses on the information security challenges presented in the outsourcing model and the best practices adopted to mitigate this risk.
INFORMATION SECURITY CHALLENGES IN OUTSOURCING
A best practices study
Raghuraman Ramamurthy
WHITEPAPER
Information Security Challenges in Outsourcing
BACKGROUND

The outsourced services model is increasingly being adopted by medium to large companies to take advantage of the financial benefits it offers and to enjoy the added advantages it presents, such as skills enhancement and flexibility of operations. While this presents a multitude of opportunities, it does not come without its share of challenges.

The inherent structure of service providers in itself poses multiple challenges to information security. Their internal structure, multiple service units, shared infrastructure and shared resources: each of these contributes to the challenge.

Information security, when not addressed properly, can turn out to be a significant deterrent to outsourcing. A large number of small and medium enterprises are shying away from outsourcing only for fear of losing their intellectual property. The large companies that rely heavily on outsourcing have figured out methods to overcome these risks by applying a systematic approach to information security.

“Fear of losing intellectual property remains the largest deterrent to outsourcing.”

In this paper, we will attempt to provide a high-level overview of the challenges, followed by the best practices employed to mitigate these risks.

CHALLENGES

When an organization outsources services, it brings in a few challenges, as follows.

Data security not part of governance

While any governance framework looks to define the financial, performance and operational outcomes, when it comes to data security there is very little or no focus at all on defining the same.

A systematic approach to defining the processes for data security, as opposed to treating it in an event-driven fashion, is missing.

Data security is IT’s responsibility

While the IT teams implement and enforce standards, it is the responsibility of the teams that interact with the customer organization to define these standards and practices. The execution of data security cannot be assigned to a single team; it is everyone’s responsibility.

“Data security cannot be assigned to anyone, it is everyone’s responsibility.”

Interpretation of security requirements

The security requirement with any relationship is defined to be “high”, without a clear definition of “what” the “high” security requirement means and “how” this requirement will be met. The interpretation and implementation are left to the IT teams’ bias and preferences. This leads to large inconsistencies in practices and lapses in implementation. While there are standards for security that are practiced by IT, customization is imperative based on requirement.

Perception of reduced risk levels

It is a common understanding that the risk levels are lower as you go down the pyramid of services. It is perceived that lower-value services attract lower information security risk compared to higher-value services. While it may be true in a few cases, largely, this is not true. All levels of service present the same level of risk and will need to attract the same level of attention.

Distributed operations

With globally distributed operations, the challenge becomes more complex, with practices and standards being different in different locations. Also, regulations vary for each country/state, and the infrastructure available may also differ from location to location. This makes it very difficult for an organization to coordinate information security globally.

Lack of awareness

Most incidents of data security lapses, when analyzed, point to the fact that they were unintended actions rather than malicious attacks. These lapses are mostly caused by the lack of a properly documented security policy and inadequate training on security practices.

“Most incidents of data security lapses are unintended actions.”

BEST PRACTICES

The following are some best practices that have evolved over years of experience that BWIR has acquired in successfully managing outsourced relationships for customers and for Barry-Wehmiller.

Data security is a key part of governance

Data security is regarded as a key part of governance in customer relationships. A top-down approach was adopted, with senior management showing commitment to adhere to the highest standards of security.

The coverage is the entire organization rather than pockets of implementation.

“Senior management commitment is imperative for security.”

Tailored control requirements

Rather than adopting an out-of-the-box control standard, it is important to analyze what suits the organizational practices, also keeping in mind the type of services offered. It is also important to keep the customer in mind while designing these standards, so that adhering to them does not become an administrative overhead, while at the same time not compromising on security.

Interpretation of security

While BWIR has specific processes and standards laid out for security, we make it a point that every customer is engaged in a discussion on any specific security requirements they may have, so that the models can be customized to suit their requirements. Data security policies and standards are then designed to suit the customer policies and standards to ensure that the maximum level of security is maintained.

When there are multiple locations involved in delivery of services, it becomes all the more important to ensure that policies are standardized and implemented across delivery locations.

Appropriate use of technology

With the availability of technology, it is possible to achieve the highest standards of security. It is important to make investments in appropriate technology and implement it correctly.

While technology helps enforcement of data security, it is the people who ensure adherence. Hence, it is important to invest in appropriate training for individuals for adherence.

Training

BWIR adopts a structured training process where training is extended not only to BWIR associates but to customer stakeholders too, to ensure they follow the same practices as their extended engineering teams.

CONCLUSION

The challenges of information security with outsourcing can be overcome to a large extent with the right mindset and approach to security. What is important is a systematic approach to security, a clear understanding of customer needs and the ability to customize requirements for each customer within a given framework. This requires marrying the customer processes with those of the service provider and training all relevant stakeholders for adherence. It goes without saying that this requires appropriate infrastructure to enable enforcement.

About the author
Raghuraman Ramamurthy (Raghu) is a Product Manager—Engineering Solutions with extensive experience in operations excellence and process optimization. Raghu carries experience from diverse industries and has spent most of his career consulting on, developing and implementing best practices for large outsourcing initiatives.

About BWIR
Barry-Wehmiller International Resources (BWIR) is part of the consulting platform of the $1.2 billion Barry-Wehmiller Companies Inc., a market leader in packaging, paper and paper converting capital equipment manufacturing, headquartered in St. Louis, Missouri, with global operations. BWIR brings the best of both worlds—the dependability of a global billion-dollar company with the benefits of distributed operations. BWIR has been recognized as a pioneer in outsourcing with a distributed global network of resources. ISO 9001:2008 certified, BWIR has validated systems and processes in place to deliver superior services to our customers.

USA
8020, Forsyth Boulevard,
St. Louis, MO 63105
Phone: +1 (314) 862 8000
Fax: +1 (314) 862 4154
Toll free: +1 (800) 862 8020
INDIA
MPL Silicon Towers, 23-1/B3,
Velachery Tambaram Road, Pallikaranai, Chennai—600 100
Phone: +91 (44) 4390 9100
Fax: +91 (314) 862 4154
Web: www.bwir.com