InfoSecurity and Outsourcing
17 March 2009
Colin Dixon, Head of Risk and Compliance
TRANSCRIPT
Agenda
• The complexities of outsourcing
• Brain surgery through binoculars (the wrong way around)
• Ways to approach InfoSec in outsourcing
• The secret of a good outsourcing arrangement
• Some things you really must do
• Some things that can help
• Questions
Outsourcing
There are three types of outsourcing:
• Outsourcing business services
• Outsourcing business functions
• Outsourcing security services
Possible complications
• de-mergers
• non-sale divestitures
• sell-offs
• off-shoring
* Where a significant relationship persists
Possible complications
• Outsourcing suppliers have done it before
• Many outsourcing decisions are political
• InfoSec people hear about outsourcing at the same time as the media
• InfoSec is rarely at the top of the agenda
• InfoSec is viewed as negotiable
Brain surgery through binoculars (the wrong way around)
[Diagram: "Disconnection". The four stages of the control lifecycle (Risk Assessment, Control Definition, Control Implementation, Control Monitoring) are split by a boundary between the organisation's responsibilities and the provider's responsibilities.]
The complexity of managing risks is significantly increased by this boundary.
The taxi analogy
When you get into a taxi you can do one of three things:
• Give the driver detailed instructions
• State the destination and expect the driver to find the way
• Ask the driver to take you to a (good) restaurant, etc.
The three (main) approaches
• A very detailed control specification
• Specification of control objectives rather than controls, and monitoring for effectiveness
• Broad specification of controls, providing for evolution of the control regime
(These mirror the three taxi instructions above.)
The type of contract affects the requirements
[Diagram: a scale running from detailed requirements to broad requirements, with three example contracts placed along it in this order: cheque printing, web development, HR system.]
The secret of a good outsourcing arrangement
It is the relationship between the organisation and the provider that underpins the outsourcing arrangement; the contract is only the legal framework within which the relationship is bound.
The secret of a good outsourcing arrangement
“If you have to resort to the contract, the relationship is not working.”
“If you are not working on the relationship, you may very soon regret it.”
“If the relationship with your provider breaks down, the contract is irrelevant.”
Why relationships break down
• Expectations differ
• A clash of cultures
• Perceptions disrupt the relationship
• Trust and confidence have not been established
Preparation and Planning
Information risk assessment of an outsourced business function is complex because there are three components:
• The information risks from outsourcing
• The information risks from the provider
• The information risks from the business function
Preparation and Planning
• Risk assessment
• Due diligence against the outsource company
• SAS 70 Type II report
• Determining the appropriate control regime
• A business issue, not a technology issue
• Transition
• Exit
Change and evolution
It is important that, from the beginning of an outsourcing arrangement, there is provision for the business function to evolve without punitive constraints on either the organisation or the provider.
Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business.
Change and evolution
• Monitor performance against the evolution strategy
• Establish a forum to consider evolution plans
• Regularly review evolution plans
• Regularly review architectural issues
• Regularly review change management procedures
Exit strategy
The exit strategy is as important as the early transition.
The exit strategy must be defined before the contract is agreed, so that suitable provision for termination is in place before the outsourcing arrangement commences.
This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning.
Responsibilities and communication
• Skills and knowledge transfer
• Address staffing differences immediately
• Review roles and responsibilities
• Joint strategy for the resolution of security incidents
• Regular discussion of information security issues
• Work together to agree the current top ten risks
• Agree an approach to managing the current top ten risks
Monitoring and audit
• Monitoring (against SLAs)
• Regular security audits
• Review of monitoring analysis
• Review of incident management actions
• Corporate governance, regulator and FSA reporting
• Contingency preparation checks/training
• Security management needs to be delivered through:
  • defined and dedicated methodologies
  • processes
  • delivery staff
SLAs - characteristics of good service items
• Measurable - in an objective, preferably automatic, way
• Specific - expressed unambiguously
• Repeatable - predictable, controllable service levels
• Valued - understood by the business and linked to business processes
• Visible - not embedded in the IT architecture
Incidents and Incident Management
• Ensure accountability
• Review the response to legal issues (privacy, etc.)
• Develop a joint strategy for resolution
• Review emergency response skills and controls
• Review monitoring information for incidents
• Ensure that perceptions of criticality are the same
• Review incident response procedures
• Check training in incident response
Conclusions
• The contract
• Benefit from early preparation
• InfoSec is not always able to influence the contract
• Legal and regulatory requirements
• Termination is far too important to leave to the end of the contract
• Dynamic businesses favour less rigid contracts