2) Research Chinese business laws: work closely with your legal team to determine the Chinese requirements placed upon your outsourcer. The findings should translate into service levels and capabilities in your new/existing contracts.
3) Establish due diligence depth: work closely with your legal, compliance and outsourcing team to build the appropriate depth to your due diligence analysis.
4) Understand government monitoring: China monitors and filters content to and from its population. The monitoring of encrypted traffic, such VPN, secure web transactions and file transfer should be identified to make sure that the outsourcers contractual commitments align with your expectations.
5) Explore government encryption keys access: China business laws may require access to encryption keys used to send and receive data to other countries. Determine how this access will occur and its implications on your existing key policies and procedures.
6) Investigate security breach notification: inquire about the security breach process with issues that may emerge from inside China’s borders. If a physical or technical breach occurs, you will need to determine if government censorship will prevent or filter disclosure. This can impact you ability to remain compliant with regulations in other countries.
7) Develop sourcing awareness: provide your sourcing team with the information necessary to design your outsourcing contracts so that they align with your industry requirements appropriately. This can also provide them the tools necessary to identify an information security caution flag which will allow you to engage early in the contract process to assist in building security-aware agreements.
Overall, if this trend in outsourcing continues there will be many new categories showing up in your transitional risk analysis, such as censorship, government laws, and restrictions. Getting ahead of these items and building a scalable process to handle them will bring efficiencies to your assessment process. This will build awareness earlier in your engagement process that can provide the appropriate balance to mitigating identified risks. In the end your customers will silently thank you for it.
Rick Lawhorn (CISSP, CISA, CHSS, CHP, TCNP) is a Principle of Information Security & Compliance at Dataline, Inc. He has served as CISO at GE Financial Assurance & Genworth Financial and has over 16 years of experience in information technology.