Organizations fail to audit outsourcers

21.11.2006
The 2006 Ernst & Young global information security survey has found organizations worldwide are failing under the weight of vendor risk management in outsourcing relationships, but internally have woken up to the relationship between information security and effective risk management.

Nearly two thirds of all global survey respondents claim their companies use regular meetings, steering groups and formal frameworks to ensure better information security. In the 2005 survey, 40 percent of respondents said information security was integrated with a risk management process or program. In 2006 that figure has risen to 43 percent.

However, the report noted that when it comes to managing the risks associated with the vendor running an outsourced IT shop, very few companies are actually prepared, or, for that matter, understand what they should be doing to protect themselves from vendor-induced information security vulnerabilities.

"More companies need to adopt formal procedures for vendor risk management and when they do they need to have those procedures validated," the report reads.

"Only six percent of companies use formal procedures, validated by a third party, to manage risks with vendors and 21 percent say they do not address these issues at all.

"Currently only 14 percent of organizations that rely on vendors require them to have an independent third-party review of their information security and privacy practices against leading practices. Only one quarter require that their vendors be aligned with a recognized standard."