Category Archives: Data Security

Outsourcing IT in the Third Sector

Information security in the 3rd Sector: does outsourcing IT represent a benefit or a risk?

While most of AMDS Consultants Ltd’s clients operate in the defence, security, transport and generic business process transformation markets some of our recent information security work has been with the 3rd Sector. Our 3rd Sector practice includes: charitable endeavours, the arts and civic organisations.

We recently concluded a major information security audit for an arts organisation, the main purpose of which was to assess their position against the PCI DSS framework for the management of debit and credit card transactions. Like many organisations in the 3rd Sector, this particular community had chosen to outsource their information technology function to a third party provider; this is a common approach across the entire market segment.

Important elements of such an approach are shown below:

a. Retaining sufficient expertise in-house, to be an intelligent IT service buyer

b. Ensuring that requisite SLAs (Service Level Agreements) are in place

c. Negotiating robust and effective contracts

d. Clearly articulating the third party’s place in your supply chain, and their responsibilities

e. Most importantly, ensuring that the third party will fully support you in information security

With these elements in place any information security assessment should go smoothly, provide significant benefit and present limited risk.

If, however, the IT provider chooses a different philosophy, as they did in our most recent 3rd Sector contract, then the possibility of a breach of the PCI DSS regulations becomes real, as do the concomitant fines. In particular, we found it remarkable that any third party paid to provide comprehensive IT support to an organisation in the 3rd Sector would see an information security audit as an opportunity to make a profit. By refusing to supply responses to questions about their approach to information security without receipt of a fee, they not only raised concerns over the robustness of their information management systems but also placed one of their most high profile customers at increased risk of a breach. If the level of PCI DSS fines being discussed were implemented then our client would face financial ruin.

The question that exercises us now is how typical of 3rd Sector IT providers this behaviour is. Does the generic IT service company see this market segment as easy pickings, dependent as it often is on a mixture of employed officers, administrative staff and willing volunteers? Perhaps the IT providers consider that the 3rd Sector lacks the commercial nous to properly manage the services these providers supply, and so use the 3rd Sector as a highly profitable dupe. Alternatively, we may merely have encountered a “bad” company, and the broader base of IT service providers is committed to comprehensive support of 3rd Sector clients.

Whichever scenario represents a true reflection of these relationships, before choosing to follow this route, the 3rd Sector must consider how much of a risk their provider presents.

In an information security context, risk is vested with the owning organisation, i.e. the buyer of the service, not the outsourced IT provider. It is the responsibility of the buyer to ensure that sufficient precautions are applied by their IT providers to protect personal data both in storage and in transmission. The buyer should also make sure that the supplier adheres to the appropriate information security standards as well as established best practice in their industry.

In the worst case scenario, where there has been a breach in data protection, any investigation would look first at the information security arrangements put in place by the buying organisation. If it is apparent that the buyer has not set appropriate information security standards and targets or has failed in their due diligence of the supplier then they will receive any penalty.

However, if it is clear that the buyer has done everything that is reasonably practical and the failure to protect information lies with their supplier then it will be the IT provider who will incur any fines deemed necessary.

Returning to the question posed at the outset: the ability of the 3rd Sector to successfully outsource IT services, in a world where the fines for information security breaches could cause financial ruin, is no longer dependent solely on making a well-founded choice of supplier. Successful supplier selection is not merely a combination of running a competition, setting generic performance standards and placing the contract. In an increasingly connected world, where all IT service buyers carry data security responsibilities, the following additional essentials must be considered:

a. Buying intelligently

b. Addressing information security and data protection from the outset

c. Setting genuine information security performance targets

d. Clearly delineating responsibilities

e. Creating and managing a robust but collaborative relationship with the IT provider

The absence of any of these factors in the provision of IT supply increases risk and limits benefits.

Where’s my data?

Moving corporate data off-site to a cloud provider can make good sense; it will have levels of security, resilience and availability that it would not get in a local server room, and at a lower cost. However, talking to a colleague yesterday reminded me that I have often spoken to businesses that do not know where their data is held. Their IT department might know, but the C-suite decision makers answer the question with: “It is in the cloud”. Asked to define the cloud, many are surprised when they realise that cloud storage just means putting your data on somebody else’s server or servers.

Where those servers are physically sited can be an issue. I remember one CEO who threw a wobbler when he learned that his precious data was sitting in a datacentre in China. That was an extreme reaction, but if your data may be stored on multiple sites in different countries and backed up elsewhere, then you need to know where those locations are and to satisfy yourself that you are happy with the risk strategies, insurance and legal safeguards in place at each of them.

When working as a systems or solution architect among the questions I ask clients are: “Is your cloud provider reliable and trustworthy?” “Have you looked into their track record, size, stability?” “What insurance have they got in place?” “Has the provider been hacked or otherwise compromised?” (They will provide levels of security and resilience beyond the resources of most local datacentres but they are not invulnerable). “Can they provide 24/7 cover and support?” (If your business operates over the weekend you do not want your operating data stored with an organisation that goes home at five on Fridays).

There is a danger, too, in excessive reliance on a single supplier. Once your data is embedded with the supplier, the cost and inconvenience of moving it to another supplier can make the move impractical, or you might end up running in parallel with two suppliers for a time. Some organisations get round this by having a primary cloud provider and a separate deep storage supplier.

If we accept that an organisation’s data is its most valuable resource, then handing it over to another organisation should only be done after a good deal of due diligence: investigation, visits to the datacentre, talking to other customers of the provider, the entire process. It might also be worth calling in a consultancy to review or design your cloud storage. A little extra up-front cost, but a lot of extra peace of mind.