I think outsourcing and offshoring should not be seen as threats but as sources of threats if these activities are not properly supervised. The standards ISO / IEC 27001 and 27002 provide the framework for these activities in terms of cyber security:
- At the data and flows exchange, by encrypting
- Level access with the company’s identity through access management or the establishment of a badge system to access to some areas of the compagny, for example a contractor.
These activities must be framed in different ways to reduce the threats they may cause:
- Through carrying out a risk analysis before launching the project or mission, which will assess the level of risk of the activity and reduce these risks before starting the outsourcing.
- Via contracts with providers
- Via the « cybersecurity assurance plan » often added to the starting note of the project that contains all project-related security measures and that be put in place throughout the activity.
- Via compagny security policies, that contain all the cyber security requirements for contractors, partners, consultants, etc.
- And it is also possible to audit its suppliers.
So if you create a governance plan for outsourcing/offshoring management, you can encrease easily the number of vulnerabilities that will exist on this activity or their threat level.by