Offshore Outsourcing: A Risk Management Perspective
Offshore service providers help IT departments cut costs and tap into specialized skills. However, security risks abound, and regulatory compliance remains a factor as well.
Preparation
The journey begins with strategy development. During this step, senior and business management evaluate whether it may be profitable for the organization to outsource, off-shore outsource or create an off-shore captive centre. The business then creates a strategic steering committee to manage the exploratory initiative, establishes an outsourcing Project Management Office (PMO) to operate it, and determines which business/IT functions may be profitably outsourced, off-shore outsourced or managed by an off-shore captive centre.
Traditionally, information security has no involvement at this stage of the process, nor at the next step the organization takes, the development of the business case. Multiple stakeholders are involved during this step. The PMO identifies all relevant stakeholders and all aspects of risk to be managed if functions are outsourced, and performs a detailed cost-benefit analysis to determine which option makes the most sense. In addition, legal analyses are needed of the regulatory compliance implications of outsourcing, off-shore outsourcing and off-shore captive centre operations. Senior management then makes the final decision about which business/IT functions to outsource, off-shore outsource or move to an off-shore captive centre.
In a mature organization, information security begins to get involved at the next stage — Scope Definition. Multiple stakeholders participate in defining the scope of activities to be undertaken. The PMO identifies all processes, operations and technology associated with the functions to be outsourced, the applications associated with those functions, and the processes, operations, technology, applications, etc. that will be retained. Information security performs risk assessments addressing the confidentiality, integrity and availability of the information assets to be outsourced.
Partner selection and negotiation of the contract make up the next step in the journey — structuring the deal. Multiple stakeholders are involved in this step, which covers the selection process and crafting the Request for Proposal (RFP) to outline requirements and identify the metrics by which success will be measured. Legal then ensures that all relevant terms and conditions clauses are in the contract. Once a provider is identified, negotiation takes place and the contract is eventually signed.
Implementation
After the decision is made to outsource, the organization begins the transition of the functions to be delivered by the service provider. The PMO plans and manages the transition schedule, begins moving the function to the service provider and creates a process for ongoing cost-benefit analysis. Information security builds security into the transitioned processes, establishes an incident reporting/management process and sets up ongoing monitoring of both security and compliance. Information security should be heavily involved at this stage of the process.