InfoSecurity and Outsourcing

17 March 2009

Colin DixonHead of Risk and Compliance

2

Agenda

• The complexities of outsourcing• Brain surgery through binoculars (the wrong way around)• Ways to approach InfoSec in outsourcing• The secret of a good outsourcing arrangement• Some things you really must do• Some things that can help• Questions

3

There are three types of outsourcing

Outsourcing

• Outsourcing business services • Outsourcing business functions• Outsourcing security services

4

• de-mergers • non-sale divestitures• sell-offs• off-shoring

Possible complications

* Where a significant relationship persists

5

• Outsourcing suppliers have done it before • Many outsourcing decisions are political• InfoSec people hear about outsourcing at the same time

as the media• InfoSec is rarely at the top of the agenda• InfoSec is viewed as negotiable

Possible complications

6

I have this…

…and I want this

Possible complications

7

I have this…

…and I want this

Possible complications

Plays hell with the metrics

8

Brain surgery through binoculars (the wrong way around)

Dis

co

nn

ec

tion

Risk Assessment

Control Definition

Control Implementation

Control Monitoring

Organisation’s responsibilities Provider’s responsibilities

The complexity of managing risks is significantly increased by this boundary

9

The Taxi analogy

When you get into a Taxi you can do one of three things:

• Give the driver detailed instructions

• State the destination and expect the driver to find the way

• Ask the driver to take you to a (good) restaurant etc.

10

• A very detailed control specification

• Specification of control objectives rather than controls and monitoring for effectiveness

• Broad specification of controls, providing for evolution of the control regime

The three (main) approaches

11

Detailed requirements Broad requirements

The type of contract affects the requirements

Cheque printing

Web development

HR System

12

It is the relationship between the organisation and the provider that underpins the outsourcing arrangement - the contract is only the legal framework within which the relationship is bound

The secret of a good outsourcing arrangement

13

“If you have to resort to the contract the relationship is not working”

“If you are not working on the relationship you may very soon

regret it”

relationshiprelationshiprelationship

The secret of a good outsourcing arrangement

“if the relationship with your provider breaks down the

contract is irrelevant”

14

• Expectations differ • A clash of cultures • Perceptions disrupt the relationship• Trust and confidence has not been established

Why relationships break down

15

Preparation and Planning

16

The information risks from

outsourcing

The information risks from the

provider

The information risks from the

business function

Preparation and Planning

Information risk assessment of an outsourced business function is complex because there are three components

17

Preparation and Planning

• Risk assessment• Due diligence against the outsource company• SAS 70 Pt.2• Determining appropriate control regime• A business issue not a technology issue• Transition• Exit

18

It is important that, from the beginning of an outsourcing arrangement, there is provision for the business function to evolve without punitive constraints on either the organisation or the provider.

Change and evolution

Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business

19

• Monitor performance against evolution strategy• establish a forum to consider evolution plans• regularly review evolution plans• regularly review architectural issues• regularly review change management procedures

Change and evolution

20

The exit strategy must be defined before the contract is agreed so that suitable provision for termination is in place before the outsourcing arrangement commences.

This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning.

Exit strategy

The exit strategy is as important as the early transition

21

Exit strategy

• Data ownership • Clean transition• Archives• Escrow• IPR• Legal and regulatory

22

• Skills and knowledge transfer • Address staffing differences immediately• Review roles and responsibilities • Joint strategy for the resolution of security incidents• Regular discussion of information security issues• Work together to agree on the current top ten risks • Agree an approach to managing the current top ten risks.

Responsibilities and communication

23

• Monitoring (against SLAs)• Regular security audits• Review of monitoring analysis• Review incident management actions• Corporate governance, regulator and FSA reporting• Contingency preparation check/training• Security management needs to be delivered

• defined and dedicated methodologies• processes • delivery staff

Monitoring and audit

24

• Measurable - in an objective preferably automatic way• Specific - expressed unambiguously• Repeatable - predictable, controllable service levels• Valued - understood by the business, linked to business process• Visible - not embedded in the IT architecture

SLAs - characteristics of good service items

25

• Ensure accountability• Review response to legal issues - privacy etc.• Develop joint strategy for resolution• Review emergency response skills and controls • Review monitoring information for incidents• Ensure that perceptions of criticality are the same• Review incident response procedures• Check training in incident response

Incidents and Incident Management

26

Conclusions

• The contract• Benefit from early preparation • Infosec is not always able to influence the contract • Legal regulatory requirements • Termination is far too important to leave to the end of the contract• Dynamic businesses favour less rigid contracts

27

Questions?

Colin.dixon@mwrinfosecurity.com