outsourcing, and information security
TRANSCRIPT
Managing Operations
Chapter 8
• The three major operational issues discussed are:
  – Outsourcing information systems functions
  – Information security, and
  – Planning for business continuity
What Are Operations?
• A typical MIS department budget:
  – 33% Systems and programming
    • 70% Maintenance
    • 30% New development
  – 10% Administration and training
  – 57% Operations
• Operations involve more money than any other part of the IS department
• A very involved (difficult), challenging and rewarding area
Solving Operational Problems
Operational problems are:
• Response times are slow
• Networks are down
• Data isn't available
• Data is wrong
Operational Measures
• What the customer sees (external measures):
  – System uptime
  – Response time
  – Turnaround time
  – Program failures
  • Together these equal customer satisfaction
• Of interest to systems people (internal measures):
  – Computer usage as a percentage of capacity
  – Disk storage used
  – Job queue length, etc.
• Problems reported by the external measures can be explained by deviations in the internal measures
OUTSOURCING INFORMATION SYSTEMS (IS) FUNCTIONS
• Outsourcing means turning over a firm's computer operations, network operations, or another IT function to a vendor for a specified time
• CIOs are expected at least to 'prove' that their in-house operations are as efficient and effective as they would be if outsourced
  – Shared services concept
  – Organisations should outsource what they do not do well
Managing Outsourcing: 1. Organizational Structure
• Managing outsourcing is different from managing internal staff
  – One reason: it is a joint effort between parties that may not have the same goals
• Typically, the parties establish layers of joint teams:
  – Top-level team: has the final word in conflict resolution
  – Operational team: oversees day-to-day functioning
  – Joint special-purpose teams: created from time to time to solve pressing issues
  – Committees: oversee the use of formal change management procedures
  – Relationship manager(s): look after the 'relationship'
• The skills required differ from those of, e.g., a data center manager
Managing Outsourcing: 2. Governance
• Service Level Agreement (SLA)
  – Responsibilities, performance requirements, penalties, bonuses
• Another important component of SLAs is metrics: an SLA needs to be measurable to be of use
• It is only when trust between the parties breaks down that they turn to the contract
Offshoring
• Offshore outsourcing differs in some unique ways from domestic outsourcing
  – Some areas to be considered:
    1. Offshoring options are broadening
    2. Both parties need cultural training to bridge cultural differences
      • Clients: cultural integration programs
      • Providers: accent neutralization
Information Security
• Used to be an arcane technical topic
• Today even CEOs need to 'know about it' because of the importance of electronic information in running their businesses
• They need to understand Internet-based threats and countermeasures, and to continuously fund security work to protect their businesses
• Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
  – Spring 2004 survey report, two key findings:
    1. The unauthorized use of computers is declining
    2. The most expensive cybercrime was denial of service
The Threats
Note: there are heaps of similar surveys, e.g. by KPMG
Information Security: The Threats
• Threats are numerous
• Websites are particularly vulnerable
• Political activism is one motivation for website defacement
• Theft of proprietary information is a major concern
• Financial fraud is still a significant threat
  – Especially credit card information
  – No data of any value should be stored on web servers
CREDIT CARD FRAUD
Case Example: Threats
• In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
  – One small e-commerce site did not receive the warning
  – Within days, cyber criminals charged thousands of dollars to the credit cards of users of this small site
• In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
  – They then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed
Information Security: The Threats cont.
• Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
  – People think security can be added later, but it really can't be bolted on as an afterthought
  – The best security is designed into applications via checks during processing and at data transfer points
• It is easier to guard a bank vault than to guard every house in town
  – That is why many companies are outsourcing their data center operations to data center specialists with vault-like security
Information Security: The Threats cont.
• Mobile computing and telecommunications increase the possibility for crime
  – The greater number of network openings provides opportunities for illegal entry
• The rise of e-commerce and e-business puts more communications online to the Internet, which is open to everyone, including crackers (malicious hackers)
• As the Internet does not (currently?) have intrinsic security protocols, this public space is vulnerable
Information Security: The Threats cont.
• The 'hacker community' (a public club?)
  – 'True' hackers vs. parasites
• Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering, a 'cute' term!)
  3. Network sniffing
  4. Misusing administrative tools
  5. Playing middleman
  6. Denial of service
  7. Trojan horse
  8. Viruses
  9. Spoofing
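The first approach in the list above, cracking the password, is worth seeing in working code, because the cost of the attack depends entirely on how the target stores its passwords. The following is an added example written for this page, not code from the original slides. The wordlist, the user accounts and their passwords are all constructed for the demonstration. It runs the same dictionary attack twice: once against unsalted single-round SHA-256 (one hash per word serves every account) and once against per-user salted PBKDF2, where every (user, word) pair costs a full slow derivation.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts for the demonstration (not real data).
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2004", "admin"]
PASSWORDS = {
    "alice": "summer2004",
    "bob": "letmein",
    "carol": "correct horse battery staple",  # not in the wordlist
}


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Weak storage: unsalted, single-round SHA-256, as a careless application might do it.
WEAK_STORE = {user: sha256_hex(pw) for user, pw in PASSWORDS.items()}


def crack_unsalted(store: dict, wordlist: list) -> tuple[dict, int]:
    """Dictionary attack on unsalted hashes. Each word is hashed once and the result
    is looked up against every account, so the cost is len(wordlist) hashes however
    many accounts the store holds. Returns (recovered passwords, hash operations)."""
    table = {sha256_hex(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in store.items() if h in table}
    return recovered, len(wordlist)


# Hardened storage: per-user random salt plus a deliberately slow key derivation.
ITERATIONS = 100_000


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(record: tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


STRONG_STORE = {user: make_record(pw) for user, pw in PASSWORDS.items()}


def crack_salted(store: dict, wordlist: list) -> tuple[dict, int]:
    """The same dictionary attack against salted PBKDF2. The salt defeats the shared
    lookup table, so each (user, word) pair costs a derivation of ITERATIONS rounds.
    Weak passwords still fall; the attacker just pays far more per guess."""
    recovered, kdf_calls = {}, 0
    for user, record in store.items():
        for word in wordlist:
            kdf_calls += 1
            if verify(record, word):
                recovered[user] = word
                break
    return recovered, kdf_calls


if __name__ == "__main__":
    found, ops = crack_unsalted(WEAK_STORE, WORDLIST)
    print(f"unsalted SHA-256: recovered {found} with {ops} hash operations")
    found, ops = crack_salted(STRONG_STORE, WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {ops} derivations of {ITERATIONS:,} rounds each")
```

Both runs recover the two dictionary passwords and fail on carol's; the difference is that the unsalted store cost six hashes in total, while the salted store cost a slow derivation for every guess against every account. That is the whole argument for salting and a slow hash: it does not make a weak password safe, it makes each guess expensive.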
Information Security: Security's Five Pillars
1. Authentication: verifying the authenticity of users
2. Identification: identifying users to grant them appropriate access
3. Privacy: protecting information from being seen
4. Integrity: keeping information in its original form
5. Nonrepudiation: preventing parties from denying actions they have taken
Information Security: Management Countermeasures
• The major problem these days:
  – Enterprises cannot have both access to information and airtight security at the same time
• Companies must make trade-offs between:
  – Absolute information security, and
  – The efficient flow of information
• Because airtight security is not possible:
  – Companies need to prioritize their risks and work on safeguarding against the greatest threats
  • An example to consider is the case example of one company from a Gartner Executive Programs report
Information Security: Management Countermeasures cont.
• Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
    – Including by 'outsiders', e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined
    – Some are worried about:
      • Damage to stock price / company reputation
      • Competitors using the information to their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important
AN INTERNET SERVICES COMPANY
Case Example: Security
• This firm's starting point in protecting its systems is to deny all access to and from the Internet
• From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
• The security team constantly "checks the locks" by:
  – Keeping track of the latest bugs found
  – Staying up to date on the latest security attacks
  – Subscribing to hacker e-mail lists and bulletin boards
  – Personally exploring some risks
  – Logging and monitoring all incoming and outgoing traffic, and
  – Testing the system monthly from a remote site
• Most importantly, it educates employees and clients, as the greatest security precaution
Information Security: Technical Countermeasures
• The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services, or policy-based management
• E.g. a user authenticates to a network once, and then a "rights-based system" gives that user access only to the systems to which the user has been granted rights
  – This establishes basic control of segregation of duties
  – The 'computer' (the system) is the control
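What "the system is the control" looks like in code: an added example, written for this page and not taken from the slides, of a small rights-based system. The roles, rights, users, passwords and the invoice workflow are all constructed for the illustration. A user authenticates once, the session carries only the rights that the user's roles grant, every access goes through one authorize check, and segregation of duties is enforced twice: statically, when roles are assigned (nobody may be both clerk and approver), and dynamically, at the point of action (an approver may not approve an invoice they created).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed policy: each role maps to the (system, action) rights it grants.
ROLE_RIGHTS = {
    "clerk":    {("payables", "create_invoice")},
    "approver": {("payables", "approve_invoice")},
    "auditor":  {("payables", "read"), ("ledger", "read")},
}
# Static segregation of duties: no single person may hold both roles of a pair.
CONFLICTING_ROLES = [("clerk", "approver")]

# Constructed credential table: user -> SHA-256 of the password. This is only to
# show "authenticate once"; a real system stores salted, slow hashes.
CREDENTIALS = {
    "alice": hashlib.sha256(b"alice-pw").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}


class PolicyError(Exception):
    pass


@dataclass
class Directory:
    """Who holds which roles. Role assignment is where static SoD is enforced."""
    roles: dict = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_RIGHTS:
            raise PolicyError(f"unknown role {role!r}")
        held = self.roles.setdefault(user, set())
        for a, b in CONFLICTING_ROLES:
            if {a, b} <= held | {role}:
                raise PolicyError(f"{user} may not hold both {a!r} and {b!r}")
        held.add(role)


@dataclass(frozen=True)
class Session:
    user: str
    rights: frozenset


def login(directory: Directory, user: str, password: str):
    """Authenticate once; the session then carries the rights derived from roles.
    Returns None on failure so callers cannot accidentally proceed."""
    expected = CREDENTIALS.get(user)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    rights = set()
    for role in directory.roles.get(user, ()):
        rights |= ROLE_RIGHTS[role]
    return Session(user, frozenset(rights))


def authorize(session: Session, system: str, action: str) -> bool:
    """Every access goes through this one check: the system, not the person, is the control."""
    return (system, action) in session.rights


def approve_invoice(session: Session, invoice: dict) -> bool:
    """Dynamic segregation of duties: even a legitimate approver cannot approve an
    invoice they created themselves. Returns True only if the approval was recorded."""
    if not authorize(session, "payables", "approve_invoice"):
        return False
    if invoice["created_by"] == session.user:
        return False
    invoice["approved_by"] = session.user
    return True


if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "clerk")
    d.assign("bob", "approver")
    alice, bob = login(d, "alice", "alice-pw"), login(d, "bob", "bob-pw")
    invoice = {"id": 1, "created_by": "alice"}
    print("alice may create:", authorize(alice, "payables", "create_invoice"))
    print("alice may approve:", approve_invoice(alice, invoice))
    print("bob may approve:", approve_invoice(bob, invoice))
    try:
        d.assign("alice", "approver")
    except PolicyError as exc:
        print("blocked:", exc)
```

The point of the two checks is that the policy is written down once, in ROLE_RIGHTS and CONFLICTING_ROLES, and enforced by code rather than by asking people to remember it; changing who may do what is a change to the table, not to every application.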
Information Security: Technical Countermeasures cont.
Three techniques used by companies to protect themselves:
1. Firewalls: control access between networks
  • Used to separate intranets and extranets from the Internet so that only employees and authorized business partners can gain access
  • Implementation:
    – Packet filtering to block "illegal" traffic, where "illegal" is defined by the security policy, or
    – A proxy server, which acts as an intermediary between the inside client and the outside service
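The packet-filtering implementation above, and the Internet services company's "deny everything, then open portals only where required" stance earlier on this page, come down to an ordered rule list with a default-deny at the bottom. The following is an added example written for this page, not the slides' or any vendor's code. The addresses are RFC 5737 documentation ranges, and the policy and the sample packets are constructed for the illustration. Rules are evaluated top to bottom, the first match wins, and a packet that matches nothing is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": Internet -> firm; "out": firm -> Internet
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"
    comment: str = ""


def rule(direction, proto, src, dst, dport, action, comment=""):
    return Rule(direction, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                dport, action, comment)


# Constructed policy: open only what the business needs. First match wins;
# anything that reaches the end of the list gets DEFAULT_ACTION.
POLICY = [
    rule("in",  "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443, "allow", "partner and public HTTPS to web server"),
    rule("in",  "tcp", "198.51.100.0/24", "203.0.113.20/32", 22,  "allow", "partner's address range -> extranet host"),
    rule("out", "tcp", "10.0.0.0/8",      "0.0.0.0/0",       443, "allow", "staff browsing over HTTPS"),
    rule("out", "udp", "10.0.0.0/8",      "203.0.113.53/32", 53,  "allow", "DNS to the firm's own resolver"),
]
DEFAULT_ACTION = "deny"


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.proto == p.proto
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.dport is None or r.dport == p.dport))


def decide(policy: list, p: Packet) -> tuple[str, Optional[Rule]]:
    """Return the action for p and the rule that produced it (None means default deny)."""
    for r in policy:
        if matches(r, p):
            return r.action, r
    return DEFAULT_ACTION, None


def filter_traffic(policy: list, packets: list) -> list:
    """Apply the policy to a packet list. The denied entries are what gets logged."""
    return [(p, decide(policy, p)[0]) for p in packets]


# Constructed sample traffic, mixing legitimate use with probes.
SAMPLE = [
    Packet("in",  "tcp", "192.0.2.7",     "203.0.113.10", 443),   # customer -> web server
    Packet("in",  "tcp", "192.0.2.7",     "203.0.113.10", 22),    # SSH probe against web server
    Packet("in",  "tcp", "198.51.100.44", "203.0.113.20", 22),    # partner SSH to extranet host
    Packet("in",  "tcp", "192.0.2.99",    "203.0.113.20", 22),    # non-partner SSH attempt
    Packet("in",  "tcp", "192.0.2.7",     "203.0.113.30", 3389),  # RDP to an internal host
    Packet("out", "tcp", "10.1.2.3",      "192.0.2.80",   443),   # staff HTTPS
    Packet("out", "tcp", "10.1.2.3",      "192.0.2.25",   25),    # direct outbound SMTP
]

if __name__ == "__main__":
    for p, action in filter_traffic(POLICY, SAMPLE):
        _, r = decide(POLICY, p)
        print(f"{action:5} {p.direction:3} {p.proto} {p.src}:* -> {p.dst}:{p.dport}"
              f"  ({r.comment if r else 'default deny'})")
```

Two things to notice when reading the output: the SSH probe against the web server is denied even though that host is reachable, because the only opening to it is port 443; and outbound SMTP is denied by the default rule, so a compromised desktop cannot mail out directly. The second point is why the case-study firm denies traffic "to and from" the Internet rather than inbound only.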
Information Security: Technical Countermeasures cont.
2. Encryption: to protect against sniffing, messages can be encrypted before being sent, e.g. over the Internet
  • Two classes of encryption methods are used today:
    – Secret-key encryption (the same key encrypts and decrypts, so both parties must already share it)
      • DES (note: DES's 56-bit key was publicly brute-forced in 1998 and NIST withdrew the standard in 2005; AES is its replacement)
    – Public-key encryption
      • RSA
      • Needs a public and a private key pair
      • Incorporated into all major Web browsers and is the basis for Secure Sockets Layer (SSL)
      • Most individuals don't have such keys: only the merchant holds a certificate, so in B2C applications SSL lets the consumer authenticate the merchant and encrypt toward it, but gives the merchant no equivalent assurance of who the consumer is
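The two encryption classes above, and the integrity and nonrepudiation pillars from the earlier slide, are easiest to tell apart by running them. The following is an added example written for this page; it is not code from the slides and not a usable cryptosystem. It uses a toy RSA key pair with a 27-bit modulus and no padding, which is far too small for real use but enough to show the mechanics, and stdlib HMAC-SHA256 as the secret-key primitive in place of DES. The merchant, consumer, session key and message are constructed for the illustration. It shows the SSL-style split the slide describes: the merchant has the key pair, the consumer does not, so the consumer wraps a fresh secret key under the merchant's public key and the rest of the session uses that shared secret. It also shows why a shared-key MAC gives integrity but not nonrepudiation, while a private-key signature gives both.

```python
import hashlib
import hmac
from math import gcd

# --- Public-key side: toy RSA (illustration only). Real keys use moduli of 2048 bits
# or more with OAEP/PSS padding; this has a 27-bit modulus and no padding at all. ---


def rsa_keygen(p: int = 10007, q: int = 10009, e: int = 17):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:   # anyone holding the public key can do this
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:  # only the private-key holder can do this
    n, d = priv
    return pow(c, d, n)


def hash_to_int(msg: bytes, n: int) -> int:
    # Reducing a 256-bit digest modulo a 27-bit n is itself why this is a demo.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    """Signing is a private-key operation, so only the key holder can have done it:
    that is what makes the signature nonrepudiable."""
    n, d = priv
    return pow(hash_to_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == hash_to_int(msg, n)


# --- Secret-key side: HMAC gives integrity, but both ends hold the same key, so
# either of them could have produced the tag. It cannot give nonrepudiation. ---


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, msg), tag)


# --- The SSL-style combination: merchant has a key pair, consumer does not. ---


def consumer_to_merchant(merchant_pub, session_key: int, message: bytes):
    """Consumer side: wrap a fresh secret key with RSA, protect the message with HMAC."""
    key_bytes = session_key.to_bytes(2, "big")
    return rsa_encrypt(merchant_pub, session_key), message, mac(key_bytes, message)


def merchant_receive(merchant_priv, wrapped_key: int, message: bytes, tag: bytes) -> bool:
    """Merchant side: recover the session key, then check the message's integrity."""
    key_bytes = rsa_decrypt(merchant_priv, wrapped_key).to_bytes(2, "big")
    return mac_ok(key_bytes, message, tag)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    order = b"card ending 4242, amount 19.95"        # constructed message
    wrapped, msg, tag = consumer_to_merchant(pub, 1234, order)
    print("merchant accepts order:", merchant_receive(priv, wrapped, msg, tag))
    print("merchant accepts altered order:", merchant_receive(priv, wrapped, msg + b"0", tag))
    receipt = b"order 77 accepted"
    sig = rsa_sign(priv, receipt)
    print("consumer verifies merchant's signed receipt:", rsa_verify(pub, receipt, sig))
    print("signature still valid on altered receipt:", rsa_verify(pub, receipt + b"!", sig))
```

Note what the consumer cannot do here: with no key pair of their own, they can only produce an HMAC tag under the shared session key, which the merchant could equally have produced. That is the slide's point that B2C SSL protects the channel and authenticates the merchant, but does not bind the consumer to the transaction the way a signature binds the merchant.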
Information Security: Technical Countermeasures cont.
Note: The Internet is not secure because, for one thing, none of the core TCP/IP protocols authenticate the communicating parties
3. Virtual Private Networks (VPNs): maintain data security as it is transmitted by using:
  – Tunneling: encapsulates the private traffic inside packets carried over a temporary connection between a remote computer and the CLEC's or ISP's local data center; on its own, tunneling only hides the inner addresses, so it is combined with encryption to stop anyone intercepting that link from reading the messages
  – Encryption: scrambles the message before it is sent and decodes it at the receiving end
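Tunneling and encryption are two separate steps, and the following added example (written for this page, not from the slides or any VPN product) shows each of them on a single packet. The outer header format, the inner packet layout and the addresses are all constructed for the illustration. The stream cipher is a deliberately simple stand-in (XOR with HMAC-SHA256 keystream blocks, counter mode style) for a real VPN cipher such as AES-GCM, and integrity comes from a separate HMAC over header and ciphertext (encrypt-then-MAC). What an observer on the public link can read is only the outer addresses and the length.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

MAGIC = b"TUN1"
# Constructed outer header: magic, outer src IP, outer dst IP, 12-byte nonce, payload length.
HDR = struct.Struct("!4s4s4s12sH")


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class InnerPacket:
    """The private packet being tunnelled: private addresses plus payload."""
    src: str
    dst: str
    payload: bytes

    def encode(self) -> bytes:
        return ip_bytes(self.src) + ip_bytes(self.dst) + self.payload

    @classmethod
    def decode(cls, raw: bytes) -> "InnerPacket":
        return cls(ip_str(raw[:4]), ip_str(raw[4:8]), raw[8:])


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || block counter).
    Same function encrypts and decrypts. A real VPN would use AES-GCM or similar."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encapsulate(enc_key: bytes, mac_key: bytes, outer_src: str, outer_dst: str,
                inner: InnerPacket) -> bytes:
    """Tunnel endpoint, sending side: encrypt the inner packet, wrap it in an outer
    header carrying public addresses, and authenticate header plus ciphertext."""
    nonce = os.urandom(12)                       # fresh per packet: never reuse with a key
    body = keystream_xor(enc_key, nonce, inner.encode())
    header = HDR.pack(MAGIC, ip_bytes(outer_src), ip_bytes(outer_dst), nonce, len(body))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decapsulate(enc_key: bytes, mac_key: bytes, datagram: bytes):
    """Tunnel endpoint, receiving side: check the tag first, decrypt only if it holds.
    Returns the inner packet, or None for anything malformed or tampered with."""
    header, rest = datagram[:HDR.size], datagram[HDR.size:]
    if len(header) != HDR.size:
        return None
    magic, _, _, nonce, length = HDR.unpack(header)
    if magic != MAGIC or len(rest) != length + 32:
        return None
    body, tag = rest[:length], rest[length:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return InnerPacket.decode(keystream_xor(enc_key, nonce, body))


def observer_view(datagram: bytes) -> tuple[str, str, int]:
    """What someone sniffing the public link can read: outer addresses and size only."""
    _, src, dst, _, length = HDR.unpack(datagram[:HDR.size])
    return ip_str(src), ip_str(dst), length


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # agreed by the two endpoints
    inner = InnerPacket("10.1.0.5", "10.2.0.9", b"GET /payroll HTTP/1.0")
    wire = encapsulate(enc_key, mac_key, "198.51.100.7", "203.0.113.1", inner)
    print("observer sees:", observer_view(wire))
    print("far endpoint recovers:", decapsulate(enc_key, mac_key, wire))
```

The order of checks in decapsulate is the detail that matters in practice: the receiver verifies the tag over the whole datagram before touching the ciphertext, so a modified or forged packet is discarded without ever being decrypted.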
Information Security: Technical Countermeasures cont.
• Three ways to use VPNs:
  1. Remote access VPNs: give remote employees a way to access an enterprise intranet by dialing a specific ISP
  2. Remote office VPNs: give enterprises a way to create a secure private network with remote offices; the ISP's VPN equipment encrypts all transactions
  3. Extranet VPNs: give enterprises a way to conduct e-business with trading partners
Planning for Business Continuity
• Business continuity is broader than disaster recovery because it includes:
  – Safeguarding people during a disaster
  – Documenting business procedures (instead of relying on certain employees who may become unavailable)
  – Giving employees the tools and space to handle personal issues first so that they can then concentrate on work, and
  – Deciding where the work will be done
• In short, it is a business issue, because IT disaster recovery is just one component
Planning for Business Continuity: Using Internal Resources
• Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use:
  – Multiple data centers
    • The move to have all computing in 'one location' is now under question
  – Distributed processing
  – Backup telecommunication facilities
  – Local area networks
    • One LAN can be used to back up servers for other networks
Planning for Business Continuity: Using External Resources
• Cost vs. risk may not justify permanent resources, so companies use the services of a disaster recovery firm:
  – Integrated disaster recovery services
  – Specialized disaster recovery services
  – Online and off-line data storage facilities