Gartner Says Enterprises Must Evaluate the Security Risks Involved in Outsourcing Deals Before Signing an Agreement
STAMFORD, Conn., May 10, 2004 - While there may be benefits for enterprises that implement an outsourcing strategy, companies must identify and manage the security risks before they sign any agreement, according to Gartner, Inc.
"The key to successful and secure outsourcing agreements is understanding the security and privacy risks for a business process, application or technology function early in the outsourcing decision process," said Kelly Kavanagh, senior analyst at Gartner. "An enterprise's security staff should be at the table from the start of the process and throughout the life cycle of the outsourcing deal. The security staff should be included in the operations management functions, working with the vendor's delivery management staff, as well as the strategic planning function where standards, architecture and integration decisions are made."
Gartner analysts recommend that large enterprises audit prospective enterprise service providers (ESPs) to ensure that the policy and controls around the outsourced functions or systems meet the enterprise's security standards. Enterprises that can't take on the task of conducting a security audit should require ESPs to provide evidence of an audit by an independent third party.
"When audits aren't available, enterprises should use scanning tools or services to ensure that the ESP does not have vulnerabilities in the applications and network gateways facing the Internet," Kavanagh said. "Even when audits are available, periodic scanning of the ESP is necessary to ensure baseline profile is maintained."
Security and privacy-related issues come from several directions. Enterprise security groups establish security frameworks, industry-specific regulations, requirements for additional processes, controls and reporting. Customers and partners bring additional requirements for confidentiality, availability and access controls.
"Outsourcing decisions require careful analysis of what requirements must be extended beyond the enterprise, and planning to verify and monitor the ESP's ability to meet them," Kavanagh said. "Offshore outsourcing requires even greater care in several areas, such as the degree of governmental access to, or control over, the service provider, as well as over the customer's data."
Gartner analysts will provide additional analysis on outsourcing issues at the Gartner Outsourcing Summit 2004, to be held May 17-19 at the Rio All-Suites Hotel in Las Vegas. The Gartner Outsourcing Summit 2004 is the most comprehensive conference ever organized with the emphasis on sharing strategies that ensure tangible, sustainable results. For more details or to register for Gartner Outsourcing Summit 2004, visit www.gartner.com/us/itsourcing or call 1-800-778-1997. Members of the media can register for this event by e-mailing Christy Pettey at christy.pettey@gartner.com.
Additional analysis on security issues will be provided at the Gartner IT Security Summit 2004 on June 7-9 at the Marriott Wardman Park Hotel in Washington, D.C. This conference covers new and emerging technologies, as well as policy, planning and compliance issues. For more details or to register for the Gartner IT Security Summit 2004, visit www.gartner.com/us/itsecurity or call 1-800-778-1997. Members of the media can register for this event by e-mailing Maria DiMasi at gartnerevents@eurorscg.com.
Further in-depth analysis on security is available to subscribers of the Gartner IT Security Directors Membership Program. This powerful tool is designed to help those charged with ensuring optimal security for their business and IT infrastructures achieve their goals, and also help them to manage costs. For more information on Gartner's IT Security Directors Membership Program, visit www.gartner.com/mp/asset_51011.jsp or call Gartner at 203/316-1233.
About Gartner:
Gartner, Inc. is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Gartner Intelligence, research and events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has 3,700 associates, including more than 1,000 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.