Are outsourced managed services presenting a security risk to your business?

Arthur Marinis

The last few years saw unprecedented changes to the global regulation and legislation of data security. Increases to the Payment Card Industry (PCI) and Information Security Management (ISO) standards, and of course the introduction of the General Data Protection Regulation (GDPR), placed security firmly at the top of the list for both best practice business imperatives, and customer anxieties.

So, it’s likely that, by now, you’ve got your own backyard in order. As far as your business activities go, you have a thorough understanding of your requisite level of compliance and can promptly cite your data security practices to your existing and potential customers.

But what about those aspects of your business operations that lie outside of your control? What about outsourcing?

Outsourcing is a commercial reality for many successful cloud-based businesses. If you’re providing a SaaS application or a large-scale ecommerce website, then it’s more than likely that you are outsourcing at least some portion of your operations. Furthermore, it’s likely that that portion involves the handling of valuable and sensitive customer information by your supplier. How’s your security looking now?

The introduction of a third-party supplier may well reap a cost-benefit reward, but it also introduces security risk. So how do you ensure that information confidentiality, integrity and availability are not compromised by the choice to outsource?

It’s critical to look beyond the products or services that you are acquiring and begin to consider security as a measured deliverable from the moment you start drafting your business agreement.

The processes surrounding the delivery of your suppliers’ services can and should be controlled by security clauses outlined in your provider contract.

Where should you start and what should you insist on?

Begin by making sure your supplier adheres to the relevant ISO standards, particularly ISO 27001 control A.15.1.2 pertaining to security within supplier agreements.

Then, get specific. Here are just some of the security clauses worth considering when drafting the contract with your supplier.

Management of supplier’s supply chain risks: just as introducing a supplier increases your risk, so does each element of their operations. This clause ensures that each of your agreed security clauses is adhered to within your provider’s own supply chain.

Right to audit: if you want the right to know how your organisation’s data is being handled, and the access to check in regularly, then it’s essential to include a right-to-audit clause. Doing so gives you the right to regularly audit and test your supplier’s security controls, particularly following consequential changes to your agreement.

Security breach alerts: a clause ensuring that your organisation be promptly notified in the case of any security breaches that may affect your business. This clause is common in relation to data breach notification laws.

Adherence to security practices: this clause helps address and prevent any inconsistencies, gaps, or conflicts between your business’ security practices and your supplier’s, by requiring your provider to adhere to your own security practices and communicate any circumstances where they are unable to.

Communication of changes: naturally your supplier’s environment is subject to change. This clause requires them to communicate that change if there’s a possibility that it impacts your business.

Maintenance of service levels: this clause requires your supplier to notify you of its plans to ensure the maintenance of service levels both under normal conditions and in the event of disruption.

Response time to vulnerabilities: under this clause your provider must appropriately rectify any known vulnerabilities that demonstrate risk to your business, and do so in a timely manner.

Demonstration of compliance: it’s best to trust independent evidence. This clause requires your supplier to submit its operations to a third-party audit, so that the auditor can confirm that your supplier’s practices and controls comply with your contractual agreement.

Does one size fit all?

Of course not. Each supplier is unique and each contract should be tailored accordingly. It is not necessary to include each of these clauses in every agreement; doing so will only unnecessarily sideline too many potential suppliers and make your contracts far too expensive.

Instead, focus on each supplier’s unique risks: employ surveys, request control documentation, and assess exactly what sensitive information each would be privy to before drafting your agreement.

Being proactive is profitable.

It’s simply best practice to address the security compliance of your outsourced services at the time of contracting. It gives your organisation the power to mitigate, monitor, and manage risks, which ultimately benefits your business’ agility, and your bottom line.

Contact us if you are currently using, or considering using, outsourced services for your cloud applications and have questions or concerns about the security of your data.