A Security Focus on China Outsourcing
by Richard Lawhorn - Wednesday, 24 October 2007.
Business process outsourcing (BPO), such as credit card transactions, medical claims data entry and financial transactions, has been around for a number of years. Outsourcing these functions offshore to India has become increasingly viable since a great amount of progress has been achieved in developing the information security framework to protect customer data.

Many of the risks in outsourcing to India-based companies have been mitigated through trial and error along with the adoption of best practices emerging from all parts of the globe. Over the past 7-10 years, many security risk analyses and reviews have resulted in controls being implemented in most facets of security: administrative, physical and technical. Contracts now have the appropriate language to protect sensitive data, and physical security measures have been built to align with the client’s company policies and standards. The technical measures continue to build upon a strong foundation built in partnerships with government and outsourcing firms.

As we gain the benefits of this maturing environment, it becomes increasingly challenging for the India-based outsourcers to remain competitive in the world economy. Many outsourcers realize this issue and have turned to China for the answers.

As businesses attempt to keep variable cost structures intact and operational costs down, China presents itself favorably. India-based outsourcers are starting to reduce their costs by outsourcing your BPO process to China to remain cost competitive and offset client defection. This change allows them to remain competitive in the world economy, but it reopens the question of the security risks we have started to overcome with India over the past few years. No matter which way this outsourcing arrangement occurs, one point remains the same… new data distribution points mean increased risk and exposure for companies and their customers until they are reassessed.

On the surface, the BPO outsourcing appears as a reduction in the cost associated with the outsourcing partner. From an information security perspective, red flags should pop up early, especially in the review process, to question the cost savings and how they will be achieved in light of potential increases in due diligence and due care. Information security brings enormous value to the table, since part of our mantra is to ensure that businesses can truly keep the cost savings they expect while maintaining the proper security posture.

There will be many challenges ahead for information security professionals in investigating, identifying and mitigating the risks of outsourcers outsourcing to China. One challenge will require more in-depth analysis of the outsourcing company’s business practices, methods, policies and even gaining insight into the contracts that manage their third party. In some cases, the arrangement is buried under layers of legal entities and companies incorporating in countries that pool the labor force in China. Another challenge will be determining and implementing the increased audit requirements necessary to comply with your regulations and information security best practices. This is the “hidden” cost associated with maintaining appropriate security levels for your organization, especially since there is an increase in the distribution of your business process data.

To stay one step ahead of the trend, here are some key areas that can be implemented to assist your business in managing the risk associated with government sponsorship, censorship and implementation of security controls:

