It's a fairly typical scenario: A global enterprise looks to save money by outsourcing systems management, allowing broad access to the enterprise's information as well. If effective, the hybrid onshore-offshore model results in lower IT service costs and allows for 24/7 maintenance and development. In addition, the service provider has the advantage of leveling its staff workload across multiple client organizations based on the most...
effective use of talents and skills.
On the other hand, outsourcing could pose compliance risk management problems for some organizations, especially if their products have national security implications as defined by federal regulations. Consider, for example, what could happen when a company that produces sensitive material hires an offshore IT service provider with broad access to its intellectual property and to restricted product information that defines not only the complex bill of materials for the products, but also the manufacturing processes for making them.
Clearly, this potential information sieve could violate several regulations, but hundreds of auditors would be needed to check the access rights of the offshore provider in its various operating locations. Instead, a better starting point is provided by a thoughtful approach to compliance risk management and access rights based on federal regulations and policies.
Safeguard intellectual property, but don't stop there
Proper management of intellectual property is a major part of safeguarding restricted information as a corporate asset. But several compliance risk management elements also come into play -- some with huge penalties if they are not followed.
First, there are requirements for proper licensing and exporting of products, as well as for the information surrounding their composition and manufacture. Most countries have restrictions on products and license requirements that differ based on the country of origin and the country of destination. Lists of embargoed nations, restrictions on product categories, and proper shipping documents play into the automatic export system, or AES, for each country combination. These are all areas that could result in international commerce infractions and hefty fines if they're not heeded.
A second area to consider is compliance with the International Traffic in Arms Regulations (ITAR), which govern the exchange of defense-related goods and services between the United States and other nations. ITAR's provisions are more detailed because the technology transfer is governed, not only between the sending and receiving parties but also where those parties might be located.
For example, if a component manufacturer for a nuclear reactor facility is developing certain products, those products and information about them could be restricted in certain countries. This restriction includes even employees of the manufacturer itself, depending on where they are physically located. For example, a nuclear reactor manufacturer's employees located in Iran (currently an embargoed nation) could not have access to that information when they travel to the embargoed nation even though they might have access to it in their home office in the United States.
Another area that has received increased attention in international commerce is the Foreign Corrupt Practices Act (FCPA). The FCPA prohibits activities where a foreign official could be found guilty of or could be suspected of paying (or intending to pay) a contractor or member of the United States government for the purpose of securing business.
As for IT systems management, export laws, ITAR and FCPA could all apply based on in which host nation the offshore service provider resides, and on where the individual staff of the service provider is located.
Use the system to your advantage
Fortunately, there are a number of technical approaches that can provide proper safeguards to restricted information surrounding compliance risk management.
First is the use of systems-based or process-based access controls. This allows offshore service providers to view the nature of an information file (its structure, size, extension and other attributes) but not the file's specific content or context (product definitions, manufacturing plans, recipe formulas and so forth). Several information system vendors provide very sophisticated applications that can be configured to approach different forms of information.
The RASCI -- responsible, accountable, support, consult and inform -- matrix is one approach to determining the level of information access appropriate for each user. Because offshore service providers are users within the system they are contracted to support and maintain, each user profile should have some level of access based on their role. In this case, a support role can be defined that delineates what can be seen by whom and by where they might be located (via an IP address location).
There are a number of technical approaches that can provide proper safeguards to restricted information surrounding compliance risk management.
Another growing field of systems management that can be applied in this case is the Audit Information System (AIS). The AIS concept was created for the sole purpose of using system capabilities to avoid dispersing fleets of auditors and instead monitoring the system by capturing initial base information around system use and access. While some initial field work is needed to make a baseline assessment of a particular situation, a properly implemented AIS will allow for the logging and tracking of system use (and attempted use) by all individuals maintaining a user profile. Advanced analytics enhances risk assessment and mitigation planning capabilities when it's used in conjunction with an AIS environment.
Finally, there is always a change in business model to consider. I have heard of a growing trend to bring back in-house systems management functions that formerly were outsourced to reduce costs and increase service. Now that the global price point for these services has leveled somewhat, there are small "near-shore" facilities being established in the southern United States and in Canada, where sensitive information could be managed with less consideration of export rules and ITAR and FCPA restrictions.
These challenges can account for a large portion of an organization's compliance risk management portfolio. Properly safeguarding restricted information leads to greater profits and less information "leakage" to competitors and undesirable parties. It also eliminates the chance that an organization will be penalized or debarred from participating in government contracts.
William Newman is managing principal of Newport Consulting Group, an independent management and technology consulting firm based in Clarkston, Mich. Contact him via email at firstname.lastname@example.org or follow him on Twitter (william_newman).
Let us know what you think about the story; email Ben Cole, Associate Editor.