There will be many challenges ahead for information security professionals in the investigating, identifying and mitigating outsourcer outsourcing to China. One challenge will require more in-depth analysis of the outsourcing company’s business practices, methods, policies and even gaining insight into the contracts that managed their third party. In some cases, the arrangement is buried under layers of legal entities and companies incorporating in countries that pool the labor force in China. Another challenge will be determining and implementing the increased audit requirements necessary to comply with your regulations and information security best practices. This is the “hidden” cost associated with maintaining appropriate security levels for your organization, especially since there is an increase in the distribution of your business process data.

To stay one step ahead of the trend, here are some key areas that can implemented to assist your business in managing the risk associated with government sponsorship, censorship and implementation of security controls:

1) Communicate expectations: China is a new player in the world economy and likewise is a new player in the world information security space. Remind your business leaders that the same amount of attention we shared with India will be required with China in order to weave the fundamental information security policies and requirements in to fabric of its government and business law.

2) Research Chinese business laws: work closely with your legal team to determine the Chinese requirements placed upon your outsourcer. The findings should translate into service levels and capabilities in your new/existing contracts.

3) Establish due diligence depth: work closely with your legal, compliance and outsourcing team to build the appropriate depth to your due diligence analysis.


4) Understand government monitoring: China monitors and filters content to and from its population. The monitoring of encrypted traffic, such VPN, secure web transactions and file transfer should be identified to make sure that the outsourcers contractual commitments align with your expectations.

5) Explore government encryption keys access: China business laws may require access to encryption keys used to send and receive data to other countries. Determine how this access will occur and its implications on your existing key policies and procedures.

6) Investigate security breach notification: inquire about the security breach process with issues that may emerge from inside China’s borders. If a physical or technical breach occurs, you will need to determine if government censorship will prevent or filter disclosure. This can impact you ability to remain compliant with regulations in other countries.

7) Develop sourcing awareness: provide your sourcing team with the information necessary to design your outsourcing contracts so that they align with your industry requirements appropriately. This can also provide them the tools necessary to identify an information security caution flag which will allow you to engage early in the contract process to assist in building security-aware agreements.