by: Ronald Escanlar
Monday, November 14, 2011
As the world becomes smaller due to emerging web technologies, information security has become more important as companies seek to go global. Some have even outsourced captive offshore operations in their bid to become global companies. As with any expansion, plans are needed to ensure that the expansion enables the company to achieve its objectives of being effective and efficient. Among companies that rely on outsourcing, an offshore risk mitigation plan is needed for captive operations.
Most companies already have internal security controls in place before turning to outsourcing. Since captive operations are regarded as offshore business units, a captive operation is expected to adopt its mother company’s security policies. Outsourcing consultancy firm TPI.net points out that captives oftentimes face hurdles in enforcing these policies due to internal customizations made by client companies, especially in policies regarding Internet use, social networking exposure, and the use of storage devices.
TPI suggests the following tips for outsourcing companies and their clients in formulating an offshore risk mitigation plan:
Assess the mother company’s internal controls. Can the mother company’s internal controls be immediately adopted for the captive operation, or do they need to be modified accordingly? With a comprehensive assessment, risks can be mitigated early on as the outsourcing service provider takes an active stance to quickly address issues as they crop up.
Focus on human resources. The reputation of the outsourcing service provider is at stake in any outsourcing deal, especially for providers that serve the financial and healthcare sectors, where data confidentiality is a top concern. An exhaustive screening process is vital in hiring staff for captive operations.
Include local influences in creating the plan. Study how captive operations and local companies deal with security issues - how do they compare against the mother company’s internal controls? Such observations can be used in assessing whether those internal controls can be adapted into the local operation.
Instill the importance of security. Having more security controls does not make an office better secured than one where the employees are security-conscious. A culture of security among employees is more effective than enforcing a multitude of security controls and policies on employees who may find ways to circumvent them.
Constant training. Train the staff regularly through information security courses. The effectiveness of the training must be measured to evaluate whether it supports and complements the company’s risk mitigation plan.
An offshore risk mitigation plan ensures that the outsourcing service provider is ready to overcome the operational challenges in a captive operation that functions as an extension of the client company. Such a plan must include security policies that are flexible enough to factor in human behavior and local culture.