Outsourcing risks.
Like any reliance on a third party, outsourcing has many advantages but also some risks that need to be addressed.
When a company uses subcontracting, or a form of subcontracting such as outsourcing, it takes risks. These risks are numerous, but the main ones relate to the loss of control over its information system. Because the company entrusts that system to another company, it no longer has its usual right of supervision, and this creates risks.
Subcontracting risks
A candidate often resorts to subcontracting, particularly in the context of a call for tenders. When the client turns to outsourcing as a form of subcontracting, the service provider must present all guarantees of security. Outsourcing may give rise to financial and security risks. It is important that the service provider guarantees its client security and minimises financial risks.
Not all facilities management systems allow hosted data to be located with certainty. This is the case with hosting solutions such as the Cloud for example.
These solutions can be a factor in aggravating the risks of data confidentiality breaches.
When outsourcing is considered, both parties must examine the risk of disclosing significant information before any engagement. For example, an uncontrolled location of data may lead to the following risks:
- Difficulties in responding to various court orders for tax reasons
- Difficulties in exercising a right of control over the provider's personnel
- Difficulties in carrying out a safety audit of the infrastructure
IKOULA hosts the data in two data centres that we own in France. The company complies with the European standards governing data protection. In this way, we guarantee our customers data protection and traceability.
The transfer of data outside the EU is governed by a European directive and the law of 6 January 1978 relating to information technology, files, and freedoms. By virtue of these provisions, it is necessary to determine whether the recipient of this transfer acts as a "data controller" or "processor".
IKOULA acts as a subcontractor and remains at your service through 4 levels of outsourcing service, according to the type of infrastructure and your needs.
The CNIL has made a distinction between these two roles:
- The data controller is characterised by his or her autonomy in the management and implementation of a processing operation.
- The sub-contractor's mission is to manage tasks under the responsibility and instructions of the data controller.
Thus, any processing or transfer of personal data by a subcontractor or outsourcing provider can only be carried out on the instruction of the data controller, and on condition that the subcontractor puts in place a contract guaranteeing security and confidentiality measures. This contract must also be signed by the parties. Health data hosts are, for example, subject to specific security obligations, as are credit institutions.
Legal obligations must be respected in the outsourcing environment.
It must also be ensured that they are properly implemented.
The risks depend on the characteristics of the devices used. They also depend on the context in which they are implemented.
However, as mentioned above, IKOULA offers 4 levels of outsourcing to its customers depending on the type of infrastructure and the needs you encounter. With these 4 levels, you benefit from real advantages that allow you to entrust your IT equipment with complete peace of mind.
- The Liberty level offers the customer support and a guarantee on the hardware.
- The Prime level provides, in addition to what is offered by the Liberty level, system supervision and a complete security audit.
- In addition to the other levels, the Business level provides customised procedures, supervision, and backup services.
- The First level offers complete outsourcing of your system (technical management, advice, evolution, security, etc.).
Each level offers possibilities to the customers. Each level presents limited risks thanks to its characteristics, the guarantees offered and the use of recognised expertise.
Below are a certain number of weaknesses frequently linked to remote maintenance systems:
- The link established permanently with the outside world.
- Default passwords (known worldwide) or weak passwords.
- The existence of flaws in the access interfaces.
- Device operating systems that are not kept up to date.
- Lack of traceability of actions.
- Staff responsible for these devices are not aware of security problems or are poorly trained.
- The interconnection of trusted secure systems with systems of a low trust level (e.g. the Internet).
The exploitation of vulnerabilities on a remote maintenance device is likely to facilitate intrusions into the information system and thus affect the security of the entire IS. The main risks related to devices dedicated to remote interventions are:
- Intrusion into the information system by an unauthorised person (use of a weak password, a vulnerability or a backdoor), with more or less serious consequences depending on the attacker's motivations and ability to remain undetected, including equipment unavailability that could lead to the unavailability of the information system, and an attack on the confidentiality or integrity of the data present on the information system.
- Abuse of the rights of a support centre technician during an intervention, which may lead to access to confidential data or mass downloading of the latter, and to the modification of data on the information system, possibly without leaving traces (absence of a traceability function, or the possibility of erasing traces afterwards).
- Loss of availability: A denial of service attack usually causes the server hosting the target of the attack to be unavailable. When multiple services are hosted on the same server, services that were not targeted may be indirectly affected.
- Loss of integrity: if one of the websites is targeted by an attack (such as information theft, website defacement or a rebound attack), code execution can affect all services.
- Loss of confidentiality: when services share the same physical environment, this can lead to information crossover. In an uncontrolled environment, the risks to which a co-host is exposed increase.
Conclusion
As you may have read in this article, the use of outsourcing presents many risks. Outsourcing is a form of subcontracting, and so it carries risks, such as those linked to the loss of control of one's information system or those linked to the use of shared hosting.
Despite these risks, the use of outsourcing offers many advantages that are beneficial to a company.