Security.
In an incident earlier in the month,
former call center employees of an outsourcer are
accused of taking part in a theft of $350,000 from U.S.
consumers' bank accounts. In the wake of the theft, some
observers have voiced concerns about the security of
data being handled by outsourcers. Generally, the
security risks offshore aren't any different than the
security risks you face onshore.
Authentication for offshore IT
operations is similar to what you see in Europe/US.
The key areas are access control, network security,
facilities and operations, and applications security.
Currently, passwords are most frequently used.
Biometrics is very rare offshore and is used for selected
transactions. Smart cards are used for physical
access.
To reduce such incidents, if you
are contemplating a move offshore, you should:
* First, do a gap analysis to find
gaps between existing security policies and what will be
required for offshore. This analysis helps you to
determine your security readiness and sets
expectations for securing the offshore
operation.
* You need to do a proper
investigation of who you're doing business with,
exercising due diligence on the security in
place.
* You must write specific
requirements into your SLA for vulnerability assessments
and audits.
* You should provide appropriate
budgets for periodic vulnerability assessments from
third parties, penetration assessments, external audits,
and security process audits, and for policies and tools
such as handling of backups and remote access. The
periodicity of these audits can depend on the
criticality, the compliance needs, and the host country's
legal requirements.
Offshore service providers have the
financial muscle to provide secure infrastructure. One
of the most popular nations for outsourcing is India,
which is recording double-digit growth in revenues from
IT services, which are expected to reach $57 billion in
2008, according to a joint study by McKinsey & Co.
and Nasscom, an Indian software association. Based on a
U.S. model of spending 5% to 7% of the IT budget on
security, and with the IT budget consuming 15% of a
service company's revenue, India should be ramping up to
spend $450 to $600 million on information security and
assurance by 2008.
India has no shortage of
information security skills. The International
Information Systems Certification Consortium in Dunedin,
Fla., which administers the Certified Information
Systems Security Professional exam, has 175 Indian
CISSPs who have voluntarily registered on its Web site,
from a broad mix of both U.S. and local Indian
companies. China has 465 registered CISSPs, with
approximately 90% based in Hong Kong and also
representing a broad mix of local and foreign
companies.
As the ethos of the offshore
locations is different, it may be advantageous to utilize
local independent security audit firms for the periodic
assessments.