Outsourcing, Reliability, and IT: When will the Three Meet?
the offshore partner would be in its prime shift.
It is not uncommon for the outsourcing partner to support some of these infrastructure resources remotely. The advantage of this approach is that the critical IT infrastructure resources are supported after office hours by an offshore team during its prime office hours, rather than by in-house support staff working the graveyard shift. The key, therefore, is to define and manage SLAs between the client organization and the outsourcing partner or partners. Once again, the experience of the outsourcing service provider is extremely valuable in supporting similar agreements.
To manage different outsourcing partners performing complementary functions, a management office is set up to oversee all outsourcing activities related to a particular part of the client's business. The office may be staffed by both client staff and representatives of the outsourcing partners, or it may be sole-sourced to one of the vendors or to a separate vendor. Either way, by keeping a high-level perspective across functions, activities can be better coordinated and planned.
Security of CIS Information Assets
Corporate data security is maintained by defining stringent induction criteria for an outsourcing partner, similar to those applied to the client's own employees. The criteria are agreed upon by the client's CIS manager and the human resources, corporate security, and procurement departments, as well as the outsourcing partner's management. Overprotection can result in an operational nightmare for the outsourcing partner, while compromising the process could be a potential security weakness. Security criteria used in the past include:
Background checks: A law enforcement agency of the outsourcing partner country can be used to verify that members of the outsourcing partner team do not have criminal backgrounds and are compliant with visa regulations when bringing outsourcing team members onsite.
Confidentiality agreements: These should be signed by the outsourcing partner and members of their team.
Misdemeanor and felony prosecution: For any outsourcing partner team member who fails to work within the standards set forth by the client country's law.
Physical security: Limit access to the building/room where client work is performed via access control IDs and badges.
Access to secure areas: Only during business hours.
Definition of separate systems' security groups: These determine access to development, test, and production environments on an as-needed basis only.
Revoking all access: Whether physical or system access, as soon as a team member rolls off the project.
Periodic security awareness training programs: Periodic audits to ensure process compliance.
Outsourcing partner compliance: With industry security standards such as BS779.
Periodic security updates: For desktops used by the outsourcing partner team.
Biometrics: To provide for an additional level of physical security.
Paperless office: Sometimes a system can be designed so that notes do not need to be taken by hand. All customer data therefore stays within the system and cannot be accidentally removed from the outsourcing partner's environment.
Periodic client visits to offsite offices: To ensure compliance with policies.
At the end of the day, the processes set forth in an SLA are only as good as the people using them. The key, therefore, is to ensure that the outsourcing partner's