When Sharing Is Not Caring. How to Protect Data When Outsourcing

Author: Freeborders

By Paul Liu and John Wagster of Freeborders


In an era marked by active information sharing via social networks such as Facebook, MySpace, and Twitter, the need to protect a company’s data has become even more critical. While exchanging information collaboratively to develop new services and products is a successful concept, giving away a company’s proprietary data seldom qualifies as “sharing is caring.”


According to the latest annual Security Survey from the industry analyst firm Forrester, data protection remains the top IT security priority and is high on every organization’s senior management agenda. Companies are looking to prevent the leaking of confidential company data and the unauthorized sale of proprietary code, especially when some or all of their outsourced operations are located offshore. As a result, companies continue to invest in security technology. Staying up to date on security technologies is important; however, best practices for protecting a company’s intellectual property (IP) when outsourcing go beyond technology implementations and require strong collaboration with the outsourcing partner on multiple organizational levels. To build a strong fortress that protects data at offshore locations, companies need to vigorously combine physical, technical, process, and human resources elements in their security approach.


Building the Fortress - Physical Security


Putting physical security in place and maintaining its integrity are the building blocks of every company’s security system. This includes badge-based control of all facility ingress and egress as well as having security guards inside and outside the facility. We recommend using closed-circuit TV surveillance of access points and workspaces, security guard control, electronic badge access, and door alarms that notify the security staff if any access point remains open too long.


Digging the Moat - Technical Security


After the foundation is set, it’s time to design the moat, which is a series of technical control systems. These include network- and host-based intrusion detection systems (IDS) that alert the IT staff to any anomalous behaviors, as well as network segmentation techniques. Critical components continue to be firewalls, antivirus, and antispyware tools that prevent the introduction of viruses and other malware into a company’s network. A commonly practiced policy is to forbid the use of USB ports, CD burners, or other media devices that would allow those with access to workstations to copy and remove data. Severely restricting Internet access and email attachment capabilities can further prevent data transmission beyond a company’s network. By using thin-client architecture, employees today can easily and securely perform a wide range of tasks without ever copying or transferring live data off the servers. To support the physical security policies, we have seen success with granular resource access control. This access policy limits employees’ data use based on their exact needs. Moreover, it enables companies to document data access for validation and compliance purposes.


Positioning the Guards - Processes & Policies 


The last component for building a strong fortress is institutionalizing a clear policy and process framework by which companies govern outsourcing operations together with their outsourcing partner. Policies and processes can provide several additional layers of protection. We call processes and policies “positioning the guards” because employees can be the biggest threat but, on the flip side, also the strongest ally in protecting a company’s data.


Proven security tactics include diligent employee screening that incorporates thorough background checks and an intensive interview process with a special focus on ethical issues. It is important to have all employees sign confidentiality/non-disclosure agreements that fully support legal redress. Training can promote best practices for security and IP stewardship and keep corporate policies top of mind. Sending out alerts and bulletins on an ongoing basis further helps keep employees abreast of the latest policies, threats, and countermeasures associated with data and infrastructure safety. Some companies have started offering security hotlines that make it easy for employees to immediately and anonymously report any technical problems, questionable behaviors, or other incidents that could potentially harm a company’s information security.


Staying On Watch


By combining physical security, technical systems, and policies, companies can build a strong fortress at their offshore location that protects their data. But don’t fall asleep on your watch yet. Once the complex security system is in place, it is equally important to continuously monitor it. We highly recommend conducting regular audits and threat assessments. This includes ISO 27001 audits and re-certifications by independent authorized third parties. Vulnerability threat assessments (VTA), which can be described as “mock attacks,” are an excellent way to test a company’s security system for potential threats and exposures. By putting a complex security system in place and rigorously maintaining it, companies can truly capitalize on the advantages of their offshore locations, such as access to a large pool of technical talent and cost benefits, with maximum peace of mind.


About the Authors


John Wagster, Executive Vice-President and General Counsel, Freeborders
John Wagster has served as Counsel to Freeborders since its inception in 1999 and joined the company as General Counsel in 2007. Prior to joining Freeborders, John assisted clients with matters relating to federal administrative law and international business transactions in the Americas, Europe, Asia, and the Middle East. He has many years of experience helping U.S. companies forge cross-cultural contractual arrangements around the world using industry best practices and Western-style contracts. John holds a B.A. degree from the University of Mississippi and a J.D. from Georgetown University Law Center.


Paul Liu, Chief Information Officer, Freeborders


Paul Liu joined Freeborders in October 2007 as Chief Information Officer and has overall responsibility for Information Technology, Security, and Quality. Additionally, he leads the Freeborders Infrastructure Outsourcing Service practice. Paul has over 16 years of experience in Information Technology spanning North America and Asia, covering a wide range of high tech start-ups, IPO companies and Fortune 1000 companies.  He received his education from UCLA and holds multiple certifications in Systems and Infrastructure.


About Freeborders


Headquartered in San Francisco, Freeborders, Inc., is a global provider of consulting, technology and outsourcing solutions to the financial services, high tech and travel industries using an integrated China to US delivery model. With more than ten years of experience in doing business in China, Freeborders developed a rigorous approach to IT security and IP protection called Hyper-Vigilance™.

Resource Box

Freeborders
Founded in 1999, Freeborders helps financial services, Internet services and retailing companies solve the most complex business challenges. The company provides global consulting, technology and outsourcing services through an integrated China to US delivery model. Freeborders enables clients to cost-effectively adapt their business infrastructure to market opportunities and changes, offering deep domain expertise, innovative thinking and strategic execution. Headquartered in San Francisco, the company has offices in London, Hong Kong, Shenzhen and Wu Xi.

Comments

#1
Nancy Theis - 25 March 2010 13:37
Great article.
#2
Janet Fox - 26 March 2010 15:57
You raise good points about navigating business in uncharted territories.
#3
x - 02 April 2010 20:40
boring...repurposed content
