Companies outsourcing their IT may find it impossible to meet the strict requirements of new legislation such as Sarbanes-Oxley and Basel II, say industry watchers.
Some high-profile cases have highlighted the danger of leaving security and data protection to third parties, especially when outsourcers offload some work to other providers without informing their customers. Last year, a woman in Pakistan threatened to publish medical records she had transcribed. The records belonged to the UCSF Medical Centre in San Francisco, which had outsourced transcription to a local service; that service had in turn subcontracted the work to her.
"There will be big outsourcing failures before people wake up," said Jay Heiser, a security analyst with Gartner, which has predicted that up to a quarter of IT jobs may be outsourced to emerging markets by 2010. Heiser said he expected a sharp market correction as a result of compliance violations, and said that any outsourcing firms which fail to tackle this will lose business.
One way to tackle the problem is to demand that outsource providers hold a recognised security certification such as BS7799, but it is also important to understand the limitations of such a certificate. "You have to look for more than just a badge," said Dr Emlyn Everitt, a security consultant at UK integration company Logicalis.
A certificate covers a defined scope, typically specific functions, sites or systems within the provider's business; any processes or data that cross that boundary fall outside the assessed controls and may no longer be adequately protected. Companies should therefore ask their providers to spell out exactly what the certification covers, check that the services and data they are handing over fall within that scope, and examine the rest of the provider's business closely to identify risks.