Data Protection When Outsourcing
The country that takes data protection seriously - Wins!
In 2006 there has been a major shift toward awareness of data protection. High-profile cases of lost or stolen data have been hitting the media daily. The breaches are not new, but the awareness of them is at an all-time high. Governments are passing legislation to financially penalize organizations responsible for losing sensitive data. Companies are increasingly concerned about losing intellectual property.
The good news is that some countries like India, where some of these high-profile cases occur, are making an effort in data protection. However, there are things that companies can do at a corporate level to complement these efforts at a national level.
Active data protection steps need to be taken, which greatly limit the ability to take the data in the first place. A cluster of outsource companies from a geographic area can implement an active data protection framework and gain a reputation in the market for taking it seriously. When that happens, they will win, their country will win and the companies who outsource will win. The following five data protection steps are a good place to start actively protecting data.
The five steps for Active Data Protection when Outsourcing.
Step 1: Keep it under tight control
If there is not a very sound reason to send data overseas, then do not send it. The latest data protection policies in most western countries hold the originating company responsible for the protection of the data even when it is dealing with a third-party supplier. The company is outsourcing a business process, not the responsibility of protecting the data. The company that outsources this process is required by law to report on who accessed the data and what was done to it. Outsource providers in many countries can access a reasonable amount of information over a network that can be protected, while the data itself is held encrypted and controlled. If the data is required to be sent overseas, then implement controls that can be managed remotely. In addition, make sure the data that is most valuable is encrypted at rest, not just in transit.
Step 2: Get it right and get it in writing.
Data protection and security considerations must feature in the initial vendor due diligence. This should be supplemented by audit rights exercisable during the life of the contract, so that the business may reassure itself that data is lawfully processed and protected by adequate security. The outsource provider needs to be aware of the data protection laws imposed on the data it is working with. The laws of the originating country follow that data regardless of where in the world it is stored and processed. Some common questions that need to be asked: is data gathered overseas, where is it stored, who has access, is it encrypted, is there a log of who accessed the data and what was done with it, can the outsourcing provider use third-party contractors, etc. Lay out the rules, make sure everyone understands them and ensure they are enforced.
Step 3: Control Access to required data.
Allow access to only the data required to do the job. If you have a package sent to your house, you need to provide the address to the courier; you do not give them the keys to your house and the combination to your safe. The same rule applies here: just give access to the data that is relevant to the job. MOREOVER, NOTHING MORE.
Step 4: Control the Use: Stop Internal Leakage
This is an important rule that is often overlooked, and it is possibly the best defense against internal leakage of sensitive information. This technology is available today, and if ever there was a need to use it, outsourcing is it. Usage control allows the required use of protected information but stops the unnecessary use of it (for example, by controlling copy and paste, screen grabs, printing, etc.).
Step 5: Log actions and access to Sensitive Data
Keep a log of all activity on your sensitive data. This has a three-fold benefit:
1. Review activity in case of a breach.
2. Report on compliance.
3. Set rules that notify on unusual activity.
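An added example, not part of the original article: a short sketch of the three uses of an access log listed in Step 5 (breach review, compliance reporting, notification rules), run over constructed log records. The JSON field names, the allowed-action list and the hourly threshold are assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed audit log, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """\
{"ts": "2006-11-02T09:14:00", "user": "agent17", "record": "cust-1001", "action": "view"}
{"ts": "2006-11-02T09:20:00", "user": "agent17", "record": "cust-1001", "action": "update"}
{"ts": "2006-11-02T22:01:00", "user": "agent22", "record": "cust-1001", "action": "view"}
{"ts": "2006-11-02T22:02:00", "user": "agent22", "record": "cust-1002", "action": "view"}
{"ts": "2006-11-02T22:03:00", "user": "agent22", "record": "cust-1003", "action": "view"}
{"ts": "2006-11-02T22:04:00", "user": "agent22", "record": "cust-1004", "action": "view"}
{"ts": "2006-11-02T22:05:00", "user": "agent22", "record": "cust-1004", "action": "print"}
"""
ALLOWED_ACTIONS = {"view", "update"}  # assumed usage policy for the outsourced role
MAX_RECORDS_PER_HOUR = 3              # assumed threshold for "unusual" volume

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def who_touched(events, record_id):
    """Benefit 1, breach review: every access to one record, in time order."""
    return sorted((e["ts"], e["user"], e["action"])
                  for e in events if e["record"] == record_id)

def compliance_report(events):
    """Benefit 2, compliance: per-user count of each action performed."""
    report = defaultdict(Counter)
    for e in events:
        report[e["user"]][e["action"]] += 1
    return {user: dict(counts) for user, counts in report.items()}

def alerts(events):
    """Benefit 3, notification rules: disallowed use or unusually broad access."""
    found, seen = [], defaultdict(set)  # seen: (user, hour) -> records touched
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] not in ALLOWED_ACTIONS:
            found.append((e["ts"], e["user"], "disallowed action: " + e["action"]))
        bucket = seen[(e["user"], e["ts"][:13])]
        if e["record"] not in bucket:
            bucket.add(e["record"])
            if len(bucket) == MAX_RECORDS_PER_HOUR + 1:  # alert once per hour
                found.append((e["ts"], e["user"], "volume over hourly limit"))
    return found

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(who_touched(events, "cust-1001"))
    print(compliance_report(events))
    for alert in alerts(events):
        print("ALERT", alert)
```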
Conclusion: Outsource providers need to implement an active data protection framework to regain trust and continue to gain the outsource business. The country or cluster of providers that establishes a reputation in the market for taking data protection seriously is in the best position to gain enormous amounts of outsourcing market share.
-- Trent Allen Haag
Trent Allen Haag is a Digital Asset Protection Specialist for Softection Pty Ltd. For more information on implementing these steps or a proven technical architecture visit www.softection.com or email trent@softection.com
The content on this site is Copyright © 2006 by FooBooOnLine.com & Contributors. These articles may be used for publication in magazines and newsletters with prior permission from the authors. Please contact us at info@foobooonline.com for further information.