When you outsourced your data management, did you also add new risks to your business?
A recent Associated Press headline read, “Study warns US must develop cyber intelligence.” Because Information Security is one of the pillars of Information Governance, the article should raise alarm bells for some businesses. Many businesses have been so intent on containing costs that, in the rush to outsource more and more of their data management, they have unwittingly exposed themselves to increased risks. They rely upon blind trust that the security offered by the vendor will be sufficient.
Effectively, these businesses are, rightly or wrongly, abdicating a portion of their security and risk management to a third party. The article states, “the report warns that the U.S. has also outsourced much of the design and maintenance of computer technology to other countries where potential adversaries can easily insert themselves into the supply chain.” While some businesses have consciously chosen to keep their critical systems on-shore specifically because of this risk, others have put short-term gains ahead of the risks posed by outsourcing. Still others have chosen to mitigate the risk by choosing in-country vendors, not realizing that the vendor uses off-shore resources. Cloud computing and outsourcing clearly have a place in our world today.
There are clear and compelling reasons to turn over some data management to a trusted third party. The key word is “trusted.” The risk is not the act of outsourcing; the risk is failing to manage security and trust when that path is chosen. So how should you manage this trust? Here are some ideas:
- Build detailed security planning into your outsourcing contract, then audit compliance. Remember, trust but verify.
- Keep a mirror site on-shore. This helps mitigate the risk of a sudden disruption in service between you and your off-shore resources.
- Keep security functions on-shore and in-house. This includes managing access controls and all monitoring functions.
- Closely couple the Security function to your Information Governance efforts and ensure you know which data is high value and high risk.
- Look into the local laws in the country hosting your data management. What do they specify regarding access and disclosure?
- If you cannot audit and monitor the third-party work on your data and systems, rethink your strategy.
- Include outsourcing as a subject area in your Risk Management efforts.
Lastly, use data governance practices to understand your full information supply chain. Keep verifiable records of how information moves around your organization from the time you first acquire the data to the point where it is aggregated, analyzed and presented to people for action. Ensure that data is secure, the systems are robust, and the risks to them are not managed by blind trust.