Upload: arnold-gervais-mccoy

Post on 17-Dec-2015

6 - Outsourcing

Outsourcing

© Robert G Parker – UW-CISA 2010

Dealing with issues when a portion or all of the provision of technology services is performed outside of the entity’s normal service delivery envelope.

• Loss of control (Priority, timing, effort, changing deadlines, etc.)

• Additional security risks (Lack of understanding of outsourcer’s security procedures, lack of knowledge of their consistent application)

• Concern over the inadequacy of IT governance procedures (Within the organization and at the outsourcer)

• Contract terms and service level agreements are not consistently met (Poor/inadequate contract management, lack of contract metrics and lack of timely reporting)

• Re-outsourcing of services to another third party (Concern despite contractual agreements, use of cloud computing by outsourcer, etc.)

Renaissance in USA Industrial manufacturing by 2015

2015 – China only 10% to 15% cheaper than the USA

2010 – Caterpillar opening 600,000 sq-ft. manufacturing facility in Texas

Manufacturing Costs

Emerging Economies

Source: Canwest Times Colonist, May 28, 2008

Transportation Costs

Outsourcing Risks

• UCSF outsourced the processing of its medical transcripts to a U.S.-based company that outsourced the records to yet another company in the U.S.

• The second outsourcing company, in turn, sent the transcripts to a company in Pakistan for processing.

• A Pakistani data entry clerk attempted to extort money from the University of California at San Francisco’s (UCSF) Medical Center.

• The Pakistani clerk was having trouble getting paid for her work, so she directly contacted the University, attached some of the medical data she had as proof, and demanded payment, threatening that she would post all of the medical records on the Internet if she did not receive the money.

• The UCSF Medical Center asserted it was not even aware that sensitive medical records were processed offshore.

• Increasing labour rates in Asia

• Increasing transportation rates between North America and Asia

• Security concerns over intellectual property

• Lack of ‘hands-on’ control

• Language and cultural differences

• Regulating laws

• Cultural differences

Business Risks

• Implement more sophisticated automated manufacturing processes in North America

• Reduce transportation volume between North America and Asia

• Increase use of lockable/destructible software code vs. mechanical controls to protect intellectual property

• Repatriate ‘hands-on’ control (Your people in their land)

• Implement two-way cultural training

• Establish all laws to be in country exporting the work or technology

Outsourcing Risk Management

7 - Public Trust

Public Trust

Technology Appears to Present a Threat to Society

• Hackers, Security Breaches, Identity Theft, Viruses, Worms, etc.

• Concerns Over Data Theft, Confidentiality of Personal Information

• Concerns over Identity Management, Credit Card Fraud and Unauthorized Access or Sharing of Information

With warnings about viruses, worms, Trojan horses, phishing, identity theft, hackers, and an ever-increasing prevalence of malware, users of Information Technology have expressed legitimate concerns. With the business need to reduce costs, technology provides an enticing opportunity for eBilling, payments, distribution of newsletters, product information, and any number of product support scenarios. Users want assurance that their information is safe and that they are dealing with a legitimate business.

The Attacks Increase

77 Million User Accounts

Canada Is Not In An Enviable Position

Information security management was reported to be third on ISACA's 2011 Survey of Top Business/Technology Issues.

The survey attributed the finding to a combination of high profile breaches and the large investment in security technologies.

The most significant issues were the unknown security threats or those security threats that are not fully assessed. Other issues, in order of ranking, that likely contribute to a lack of public trust include:

• Information security controls are not regularly assessed for performance and effectiveness.

• Top management is not involved "in setting direction and objectives for information security".

• "Lack of enterprise-wide information security awareness and training".

• Perception that security is owned by Technology.

• Lack of integration of information security into the culture of the organization.

IT Governance

Business Reaction

Public Trust Risk Management

• Lack of enterprise-wide training and awareness of the risks

• Lack of enterprise-level ownership of the risk

• Lack of ownership, accountability and responsibility

• Lack of a security culture

• 319% should be a wake-up call to businesses and professionals

• Cyber risks must be taken seriously

• Increased senior management involvement in security and the security message

• Initiation of an enterprise-wide security program

• C-suite responsibility and direction for the security program