The business environment is dynamic, and so is technology. The technology used for security controls, as well as the way roles and responsibilities are assigned and controlled, may change over the life of a contract. Regular reviews of the security operation and of the corresponding access controls should therefore be conducted. When an outsourcing contract is drawn up, it is also possible that the service provider has overlooked some details of the outsourced operation; a regular review provides a channel for both parties to evaluate the service and make adjustments as necessary.
Security best practices, including the timely update of virus signatures and detection and repair engines, proper implementation of security patches for operating systems and applications, and enforcement of password policies, should be maintained at all times. On certain occasions, access to privileged accounts such as the Administrator account on Windows servers or root on UNIX systems may have to be granted to third party service providers. The use of these privileged accounts, and the activities carried out with them, should be monitored, logged and reviewed periodically, and each privileged session should be compared against the change requests that were raised; privileged activity with no corresponding change request is a finding to be followed up. When a support employee working for the service provider resigns or leaves the project, all user IDs and privileges assigned to that person must be revoked or changed promptly, since a dormant account belonging to departed staff is a standing access path into the customer's systems.
To ensure an effective and comprehensive review, an inventory should be maintained accurately and kept up to date, detailing:
- the servers and systems within the scope of the project, and which of those servers and systems store sensitive or personal information,
- the support staff from third party service providers, together with the user ID and access privileges granted to each individual member of support staff,
- the data, especially sensitive or personal data, transferred to the third party service providers.
An inaccurate or incomplete inventory might be the first sign of problems in the governance of an outsourcing project. Regular audits should be conducted to assure that the agreed security controls are actually in place, and the inventory is the baseline against which those audits compare what is actually found on the systems.
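As an added example, not code from the original page, the following Python reconciliation script shows the two comparisons described above: privileged-account activity against the change requests raised, and the accounts present on in-scope servers against the inventory of currently authorized third-party support staff. The log line format, host names, user IDs, ticket numbers, time windows and the `vendor_` naming prefix are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ChangeRequest:
    """An approved change request: who may act as a privileged user, where, and when."""
    ticket: str
    user: str
    host: str
    start: datetime
    end: datetime


# Constructed sample data (hypothetical; not from the original page).
CHANGE_REQUESTS = [
    ChangeRequest("CR-1042", "vendor_jsmith", "db01",
                  datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 1, 0)),
    ChangeRequest("CR-1043", "vendor_alee", "web02",
                  datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 11, 0)),
]

# Inventory of third-party support staff currently on the project (user IDs still authorized).
# vendor_rgone has left the project and should no longer exist on any server.
AUTHORIZED_VENDOR_USERS = {"vendor_jsmith", "vendor_alee"}

# Accounts actually found on each in-scope server (constructed, e.g. from /etc/passwd).
SERVER_ACCOUNTS = {
    "db01": {"root", "postgres", "vendor_jsmith", "vendor_rgone"},
    "web02": {"root", "www-data", "vendor_alee", "vendor_rgone"},
}

# Constructed privileged-session log in a sudo-like format (hypothetical layout).
PRIV_LOG = """\
2024-03-04T22:15:03 db01 sudo: vendor_jsmith : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
2024-03-05T09:30:11 web02 sudo: vendor_alee : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
2024-03-05T14:02:45 db01 sudo: vendor_alee : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-03-06T03:10:00 web02 sudo: vendor_rgone : TTY=pts/2 ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def parse_priv_log(text):
    """Parse the constructed log format into a list of privileged-use events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not describe privileged use are ignored
        ts, host, user, target, cmd = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "target": target, "command": cmd})
    return events


def matching_change(event, change_requests):
    """Return the ticket covering this event (same user, same host, inside the window), else None."""
    for cr in change_requests:
        if cr.user == event["user"] and cr.host == event["host"] and cr.start <= event["time"] <= cr.end:
            return cr.ticket
    return None


def review_privileged_activity(events, change_requests, authorized_users):
    """Flag privileged use by IDs not in the staff inventory, and use not covered by a change request."""
    findings = []
    for ev in events:
        if ev["user"] not in authorized_users:
            # e.g. a departed support employee whose ID was never revoked
            findings.append(("unauthorized-account", ev))
            continue
        if matching_change(ev, change_requests) is None:
            findings.append(("no-change-request", ev))
    return findings


def orphaned_vendor_accounts(server_accounts, authorized_users, prefix="vendor_"):
    """Compare accounts present on each server with the inventory; report vendor IDs that should be gone."""
    return {host: sorted(a for a in accounts if a.startswith(prefix) and a not in authorized_users)
            for host, accounts in server_accounts.items()}


if __name__ == "__main__":
    for kind, ev in review_privileged_activity(parse_priv_log(PRIV_LOG), CHANGE_REQUESTS, AUTHORIZED_VENDOR_USERS):
        print(f"{kind}: {ev['time']} {ev['user']} on {ev['host']} ran {ev['command']}")
    for host, orphans in orphaned_vendor_accounts(SERVER_ACCOUNTS, AUTHORIZED_VENDOR_USERS).items():
        print(f"{host}: orphaned vendor accounts {orphans}")
```

In the constructed data the review surfaces the two governance failures the text warns about: a privileged session by an authorized support engineer on a server and at a time that no change request covers, and a privileged session by an account whose owner is no longer in the staff inventory. The second finding is exactly the case the inventory exists to catch; if the inventory itself were out of date, the script would have nothing reliable to compare against, which is why the text treats an inaccurate inventory as an early warning sign.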
Source: IT Outsourcing Security