A Security Focus on China Outsourcing
by Richard Lawhorn - Wednesday, 24 October 2007.
1) Communicate expectations: China is a new player in the world economy and likewise is a new player in the world information security space. Remind your business leaders that the same amount of attention we shared with India will be required with China in order to weave the fundamental information security policies and requirements in to fabric of its government and business law.

2) Research Chinese business laws: work closely with your legal team to determine the Chinese requirements placed upon your outsourcer. The findings should translate into service levels and capabilities in your new/existing contracts.

3) Establish due diligence depth: work closely with your legal, compliance and outsourcing team to build the appropriate depth to your due diligence analysis.

4) Understand government monitoring: China monitors and filters content to and from its population. The monitoring of encrypted traffic, such VPN, secure web transactions and file transfer should be identified to make sure that the outsourcers contractual commitments align with your expectations.

5) Explore government encryption keys access: China business laws may require access to encryption keys used to send and receive data to other countries. Determine how this access will occur and its implications on your existing key policies and procedures.

6) Investigate security breach notification: inquire about the security breach process with issues that may emerge from inside Chinaís borders. If a physical or technical breach occurs, you will need to determine if government censorship will prevent or filter disclosure. This can impact you ability to remain compliant with regulations in other countries.

7) Develop sourcing awareness: provide your sourcing team with the information necessary to design your outsourcing contracts so that they align with your industry requirements appropriately. This can also provide them the tools necessary to identify an information security caution flag which will allow you to engage early in the contract process to assist in building security-aware agreements.

Overall, if this trend in outsourcing continues there will be many new categories showing up in your transitional risk analysis, such as censorship, government laws, and restrictions. Getting ahead of these items and building a scalable process to handle them will bring efficiencies to your assessment process. This will build awareness earlier in your engagement process that can provide the appropriate balance to mitigating identified risks. In the end your customers will silently thank you for it.

Rick Lawhorn (CISSP, CISA, CHSS, CHP, TCNP) is a Principle of Information Security & Compliance at Dataline, Inc. He has served as CISO at GE Financial Assurance & Genworth Financial and has over 16 years of experience in information technology.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th