Government body the Norwegian Security Agency has issued a 20-page white paper on the risks of outsourcing when it comes to (unsurprisingly, given the body’s brief) IT outsourcing. Unfortunately from our point of view it’s in Norwegian; happily Telecompaper has published a short summary.
The paper is particularly concerned with the rise of cloud services. Although the economies and good business sense of using these are clear, the notion of handing over your entire IT infrastructure and all apps, possibly data as well, to someone else has to have some implications so the need for diligence is obvious.
The summary, to which you can click through above, highlights five main points about which people buying the service should be concerned but we’d highlight one main one: the competence of the person or corporate body purchasing the service. So often in the various pieces of hostile coverage around outsourcing that everyone has noted over the last few years, particularly in the public sector, there is a conclusion about the contract not being overseen properly or adequately. This, rather than the supplier side, needs to be the starting point – if the suppliers realize they are going to lose contracts if they don’t conform, they’ll conform; if they’re not given a rigid set of security criteria in the first place there’s nothing to conform to.