How safe is your data when you outsource?

Published in Outsource Magazine Online, June 2011

It is very important to understand how your data is protected and to ensure it is safe. A commercial outsourcing contract may contain the tightest data protection and confidentiality clauses, but if the business processes are not in place to protect access to data, then breaches can happen. These processes apply internally as well as with the outsourcer. Business processes that protect data are just as important as application security. There have been cases where the most robust application security has been bypassed by an individual accessing personal data, downloading it and then emailing it insecurely over the open internet as an Excel attachment. There have also been cases where outsourcing has taken place offshore and data has been sold to third parties by unscrupulous employees.

Here are some simple tips for compliance in both application software and business process.

Applications

Data access must be defined per user and be available only to those who need it in the course of business. Employee data is normally restricted to the HR department, payroll department, and – in some cases – line managers, if there is devolved responsibility of management. The application software must therefore have sufficient role-based permissions to enable this segregation.

An application should be able to generate passwords that are up to 12 characters in length and contain alphabetic characters, numbers and symbols. Passwords should always be encrypted in the database and not available for developers to view. And they should ideally be changed every three months.

In Europe, unless an employee has given their specific written permission, data cannot be shared across borders. For example, an HR person in France should not be able to see an Italian employee’s data unless it is vital to conduct business, and the application software should therefore restrict this.

Ideally, if data can be exported, this should be restricted by specific roles in the user permissions, and there should be a facility to encrypt exported data quickly and simply if it does need to be emailed.

True data security needs non-repudiation; this means that the user accessing an application is recognised by the software. This can be in the form of a client-side certificate whose credentials are exchanged with the server-side application, or a token that is generated by an external device. Banks often use this approach. Applications that do not have client-side security and use open SSL are not safe.

Software should also be able to log every user action and transaction, so there is an audit trail.
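
The sketch below is an added example, not code from the original article. It shows how the role-based permissions, the cross-border restriction, the role-limited export and the audit trail described above can be enforced by a single check. The role table, user names and employee ids are constructed for illustration, and the "vital to conduct business" exception is simplified to a consent flag.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed role table (not from the article): actions each role may perform.
ROLE_ACTIONS = {"hr": {"view", "export"}, "payroll": {"view"}, "line_manager": {"view"}}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    country: str
    reports: frozenset = frozenset()  # employee ids a line manager is responsible for

@dataclass(frozen=True)
class Employee:
    emp_id: str
    country: str
    cross_border_consent: bool = False  # specific written permission on file

AUDIT_LOG = []  # stand-in for append-only audit storage

def authorize(user, action, emp):
    """Decide whether user may perform action on emp; log the decision either way."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        reason = "role lacks permission"
    elif user.role == "line_manager" and emp.emp_id not in user.reports:
        reason = "not a direct report"
    elif user.country != emp.country and not emp.cross_border_consent:
        reason = "cross-border access without consent"
    else:
        reason = "ok"
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "action": action, "employee": emp.emp_id,
        "allowed": reason == "ok", "reason": reason,
    }))
    return reason == "ok"

# Constructed sample data
hr_fr = User("claire", "hr", "FR")
payroll_it = User("marco", "payroll", "IT")
manager_it = User("paola", "line_manager", "IT", frozenset({"E-100"}))
emp_it = Employee("E-100", "IT")
emp_it_consented = Employee("E-200", "IT", cross_border_consent=True)
```

Denied requests are written to the audit trail as well as permitted ones, so a later audit can see attempted access, not only successful access.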

Business Process

Each business transaction should be defined and ideally controlled by business process management software. Every process should be subject to audit on a regular basis. High-risk transactions should always be subject to dual sign-off.

If you outsource, make regular site visits, so you are sure that the processes which have been set up are being adhered to. Ensure that both commercial contracts and employment contracts create accountability and responsibility for data control.

Remember: if you do not make it safe, it will not be safe. Data security is upheld at multiple levels.
