Outsourcing involves transferring responsibility for carrying out certain internal business activities to an outsourcing provider for an agreed price. Whilst information security strategy in relation to IT outsourcing has been well documented, the outsourcing of data processing and analytics activities presents unique information security risks that must be identified and addressed. DataSeer employs a range of information security best practices for identifying and mitigating security risks in relation to outsourced data processing and outsourced analytics functions.
Our outsourced analytics best practices include:
Having a shared information security plan
At the outset of your outsourcing agreement with DataSeer, one of our information security managers helps you to establish a Shared Information Security Plan (SISP). The SISP is an operational document that contains agreed information security policies, controls, standards and procedures to be implemented by both DataSeer and your company to ensure the protection of client information. Whilst DataSeer has its own comprehensive information security plan that governs the handling of information within the organization, the SISP can specify higher levels of controls in relation to the client’s needs.
Having defined standard operating procedures for the transfer, storage and handling of client data
Portable storage devices including laptops and USBs present one of the biggest threats to information security. DataSeer’s information security policy prevents outsourced staff from bringing unauthorized equipment (such as a non-DataSeer USB) into the company premises or leaving the company premises with any form of portable storage (unless the express written approval of the client has been issued). We can also work with you to establish a reliable and secure method of information transfer between your outsourced resources and your onshore staff. This process may involve cloud, secure FTP or registered courier transfer.
Carefully defining, assigning and managing access controls
Security Access Controls (SAC) lie at the heart of our information security policies. From the outset, we work with you to carefully delineate which of your outsourced resources should have access to your sensitive information. Further, we can help you to establish a hierarchical structure that defines varying levels of information access between your offshore resources. SAC are carefully monitored at DataSeer: all staff are trained to change passwords every two weeks and are required to use multifactor authentication on email and other communications. Where necessary, we can also establish information barriers within DataSeer, so that you can further control the flow of information within our premises. Finally, the DataSeer premises are equipped with multiple armed guards, 24 hours a day, 365 days a year.
Hiring and training employees with ‘safe hands’
From the outset, DataSeer works with you to clearly delineate which of your outsourced employees are granted access to particular datasets that you designate to be used for outsourced work. Before allowing outsourced staff to access your data, DataSeer carries out an extensive selection procedure. All DataSeer employees responsible for handling client data are subjected to extensive background checks that include but are not limited to:
- Proof of identity and address
- A Philippine police check
- Proof of academic qualifications
- Proof of prior work experience
- Proof of good professional standing including a detailed reference check
After selecting the right people, all DataSeer outsourced staff members undertake a 2 Day DataSeer Information Security Training (with exam) delivered by either an Australian or US thought leader in the Data Management and Information Security space. This training provides a solid grounding in data handling best practices including locking of keyboards, guidelines on portable storage devices and rules surrounding the receipt, transfer and destruction of client data. Finally, prior to being assigned to projects involving outsourcing clients, DataSeer staff are assessed on their ability to demonstrate ‘safe hands’ with DataSeer internal data over a period of 1-3 months. Staff who both pass the 2 Day Information Security training and have demonstrated ‘safe hands’ are then eligible to handle client datasets.
Having regular security audits
Regular information security audits ensure that outsourced staff members are compliant with the SISP. At DataSeer, we conduct eight randomly timed information security audits per client per calendar year. Each audit does the following:
- Reviews DataSeer’s and the client’s compliance with the SISP
- Scores each outsourced staff member in relation to compliance with DataSeer security standards
- Checks portable and non-portable storage devices for appropriate data handling
- Reviews the recovery plan for information in the event of disaster
Assigning a Data Custodian
Where applicable, we can work with you to establish a primary ‘data custodian’ within DataSeer – an individual nominated to have primary responsibility for your data at all times. This individual is also responsible for the full and complete destruction of any copies of your data on DataSeer hardware immediately upon request.
Underpinning everything with a solid contract and NDA
Underlying our shared information security policies are solid contracts and NDAs. We can work with you to ensure that your NDA provides the coverage you need. Beyond these measures, DataSeer employs additional controls and procedures that ensure the security of your data.