Managing Operations: Outsourcing, and Information Security

Posted 18-Feb-2017

TRANSCRIPT

Page 1: Outsourcing, and Information Security

Managing Operations

Page 2: Chapter 8

• The three major operational issues discussed are:
  – Outsourcing information systems functions
  – Information security, and
  – Planning for business continuity


Page 4: What Are Operations?

• A typical MIS department budget:
  – 33% Systems and Programming
    • 70% Maintenance
    • 30% New Development
  – 10% Administration and Training
  – 57% Operations
• Involve more $$$ than any other part of the IS department
• Very involved (difficult), challenging and rewarding area

Page 5: Solving Operational Problems

Operational problems are:
• Response times are slow
• Networks are down
• Data isn't available
• Data is wrong

Page 6: Operational Measures

• What the customer sees:
  – System uptime
  – Response time
  – Turnaround time
  – Program failures
• = Customer satisfaction
• Of interest to systems people:
  – Computer usage as % of capacity
  – Disk storage used
  – Job queue length, etc.
• Problems reported by external measures can be explained by deviations in internal measures

Page 7: Outsourcing Information Systems (IS) Functions

• Outsourcing means turning over a firm's computer operations, network operations, or other IT function to a vendor for a specified time
• CIOs are expected at least to 'prove' that their in-house operations are as efficient and effective as if they were outsourced
  – Shared Services concept
  – Should outsource what they do not do well

Page 8: Managing Outsourcing: 1. Organizational Structure

• Managing outsourcing is different from managing internal staff
  – One reason: it is a joint effort between parties that may not have the same goals
• Typically, parties establish layers of joint teams:
  – Top-level team: final word in conflict resolution
  – Operational team: oversees day-to-day functioning
  – Joint special purpose teams: created from time to time to solve pressing issues
  – Committees: oversee the use of formal change management procedures
  – Relationship Manager(s): look after the 'relationship'
• Skills = different to those of e.g. a data center manager

Page 9: Managing Outsourcing: 2. Governance

• Service Level Agreement (SLA)
  – Responsibilities, performance requirements, penalties, bonuses
• Another important component of SLAs is metrics. An SLA needs to be measurable to be of use
• It is only when trust in one another breaks down that the parties turn to the contract.


Page 11: Offshoring

• Offshore outsourcing differs in some unique ways from domestic outsourcing
  – Some areas to be considered:
    1. Offshoring options are broadening
    2. Both parties need cultural training to bridge cultural differences
      • Clients = cultural integration programs
      • Providers = accent neutralization

Page 12: Information Security

• Used to be an arcane technical topic
• Today even CEOs need to 'know about it' due to the importance of electronic information in running their businesses
• Need to understand Internet-based threats and countermeasures and continuously fund security work to protect their businesses
• Since 1996 the Computer Security Institute has conducted an annual survey of US security managers
  – Spring 2004 survey report: 2 key findings:
    1. The unauthorized use of computers is declining
    2. The most expensive cybercrime was denial of service

Page 13: The Threats

Note: heaps of similar surveys, e.g. KPMG


Page 15: Information Security: The Threats

• Threats are numerous
• Websites are particularly vulnerable
• Political activism is one motivation for website defacement
• Theft of proprietary information is a major concern
• Financial fraud is still a significant threat
  – Especially credit card information
  – No data of any value should be stored on web servers

Page 16: Credit Card Fraud (Case Example: Threats)

• In one case, MSNBC reported that a bug in one shopping cart software product used by 4,000 e-commerce sites exposed customer records at those sites
  – One small e-commerce site did not receive the warning
  – Within days, cyber criminals charged thousands of dollars on the credit cards of users of this small site
• In another case, two foreigners stole 56,000 credit card numbers, bank account information, and other personal financial information from U.S. banks
  – Then tried to extort money from the cardholders and the banks, threatening to publicize the sensitive information they had unearthed

Page 17: Information Security: The Threats cont.

• Losses are increasing dramatically because companies have rushed into e-commerce, often with applications that do not have security built into the architecture or procedures
  – People think security can be added later, but it really can't be bolted on as an afterthought
  – Best security = designed into applications via checks during processing and at data transfer points
• It is easier to guard a bank vault than to guard every house in town
  – That's why many companies are outsourcing their data center operations to data center specialists with vault-like security

Page 18: Information Security: The Threats cont.

• Mobile computing and telecommunications increase the possibility for crime
  – The greater number of network openings provides opportunities for illegal entry
• The rise of e-commerce and e-business puts more communications online to the Internet, which is open to everyone including crackers (evil hackers)
• As the Internet doesn't (currently?) have intrinsic security protocols, this public space is vulnerable

Page 19: Information Security: The Threats cont.

• The 'hacker community' (public club?)
  – 'True' vs. parasites
• Approaches hackers use:
  1. Cracking the password
  2. Tricking someone (social engineering = 'cute' term!)
  3. Network sniffing
  4. Misusing administrative tools
  5. Playing middleman
  6. Denial of service
  7. Trojan horse
  8. Viruses
  9. Spoofing

Page 20: Information Security: Security's Five Pillars

1. Authentication: verifying the authenticity of users
2. Identification: identifying users to grant them appropriate access
3. Privacy: protecting information from being seen
4. Integrity: keeping information in its original form
5. Nonrepudiation: preventing parties from denying actions they have taken

Page 21: Information Security: Management Countermeasures

• The major problem these days:
  – Enterprises cannot have both access to information and airtight security at the same time
• Companies must make tradeoffs between:
  – Absolute information security, and
  – The efficient flow of information
• Because airtight security is not possible:
  – Companies need to prioritize their risks and work on safeguarding against the greatest threats
• An example to consider is the case example of one company from a Gartner Executive Programs report

Page 22: Information Security: Management Countermeasures cont.

• Five major findings from the Computer Crime Survey:
  1. Most organizations evaluate the return on their security expenditures
  2. Over 80% conduct security audits
    – Including by 'outsiders', e.g. KPMG
  3. The percentage reporting cybercrimes to law enforcement declined
    – Some = worried re:
      • Damage to stock price / company reputation
      • Competitors using it for their advantage
  4. Most do not outsource cybersecurity
  5. Most respondents view security awareness training as important


Page 24: An Internet Services Company (Case Example: Security)

• This firm's starting point in protecting its systems is to deny all access to and from the Internet
• From there, it opens portals only where required, and each opening has a firewall and only permits specific functions
• The security team constantly "checks the locks" by:
  – Keeping track of the latest bugs found
  – Staying up to date on the latest security attacks
  – Subscribing to hacker e-mail lists and bulletin boards
  – Personally exploring some risks
  – Logging and monitoring all incoming and outgoing traffic, and
  – Testing the system monthly from a remote site
• Most importantly, it educates employees and clients as the greatest security precaution

Page 25: Information Security: Technical Countermeasures

• The trend in computer security is toward defining security policies and then centrally managing and enforcing those policies via security products and services, or policy-based management
• E.g. a user authenticates to a network once, and then a "rights based system" gives that user access only to the systems to which the user has been given rights
  – Establishes basic control of segregation of duties
  – The 'computer' (system) is the control
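As an added illustration of the rights-based system described on this slide (example code written for this transcript, not from the course or the textbook): the user logs in once and receives a session token, every later request is authorized against the rights that user has been granted, and a segregation-of-duties check stops anyone from approving a payment they created. The user store, passwords, rights and payment records are constructed sample data.

```python
# Added example (not from the slides): a minimal "rights based system" with
# one authentication, a rights check on every request, and a segregation-of-duties rule.
import hashlib, hmac, secrets

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password, rights):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "rights": frozenset(rights)}

# Constructed user store; passwords are sample values for the demo only.
USERS = {
    "alice": _make_user("alice-pw", {"payments:create"}),
    "bob": _make_user("bob-pw", {"payments:approve"}),
    "carol": _make_user("carol-pw", {"payments:create", "payments:approve"}),
}
SESSIONS = {}   # session token -> username: the user authenticates once
PAYMENTS = {}   # payment id -> {"creator", "amount", "approver"}

def login(username, password):
    """Verify the password once; return a session token, or None on failure."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash_pw(password, rec["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def authorize(token, right):
    """The system, not the user, is the control: only a granted right passes."""
    user = SESSIONS.get(token)
    return user is not None and right in USERS[user]["rights"]

def create_payment(token, pid, amount):
    if not authorize(token, "payments:create"):
        return "denied"
    PAYMENTS[pid] = {"creator": SESSIONS[token], "amount": amount, "approver": None}
    return "created"

def approve_payment(token, pid):
    if not authorize(token, "payments:approve"):
        return "denied"
    rec = PAYMENTS.get(pid)
    if rec is None:
        return "unknown"
    if rec["creator"] == SESSIONS[token]:  # segregation of duties: no self-approval
        return "denied: segregation of duties"
    rec["approver"] = SESSIONS[token]
    return "approved"
```

Carol holds both rights, yet the system still refuses to let her approve her own payment; that refusal is the segregation-of-duties control the slide refers to.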


Page 27: Information Security: Technical Countermeasures cont.

Three techniques used by companies to protect themselves

1. Firewalls: control access between networks
  • Used to separate intranets and extranets from the Internet so that only employees and authorized business partners can access
  • Implementation
    – Packet filtering to block "illegal" traffic, which is defined by the security policy... or
    – By using a proxy server, which acts as an intermediary
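The case-example policy on Page 24 (deny all traffic to and from the Internet by default, open portals only where required, log everything) and the packet-filtering implementation on this slide, as one added Python example written for this transcript rather than taken from the slides. The address ranges, hosts and rules are constructed; "illegal" traffic is simply whatever no rule in the policy permits.

```python
# Added example (not from the slides): a toy packet filter implementing the
# case-example policy: deny all traffic to and from the Internet by default,
# open specific portals only, and log every decision.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

INTERNAL = "10.0.0.0/8"   # constructed: the firm's internal address space
ANY = "0.0.0.0/0"
# Constructed policy: each "portal" permits one specific function and nothing else.
POLICY = [
    Rule("in", "tcp", ANY, "10.0.1.10/32", 443, "allow"),           # public HTTPS server
    Rule("out", "udp", INTERNAL, "198.51.100.53/32", 53, "allow"),  # ISP resolver
    Rule("out", "tcp", INTERNAL, ANY, 443, "allow"),                # outbound HTTPS only
    Rule("in", "tcp", ANY, INTERNAL, 23, "deny"),                   # telnet: explicit deny
]
LOG = []   # every decision is recorded; the case example logs all traffic

def _match(rule, pkt):
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and (rule.dport is None or rule.dport == pkt.dport))

def filter_packet(pkt, policy=POLICY):
    """First matching rule wins; a packet that matches nothing is dropped."""
    for i, rule in enumerate(policy):
        if _match(rule, pkt):
            LOG.append((pkt, f"rule{i}:{rule.action}"))
            return rule.action
    LOG.append((pkt, "default:deny"))
    return "deny"
```

The log distinguishes a packet dropped by the default from one dropped by an explicit rule, which is what makes "checking the locks" against the traffic log possible.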

Page 28: Information Security: Technical Countermeasures cont.

2. Encryption: to protect against sniffing, messages can be encrypted before being sent, e.g. over the Internet
  • Two classes of encryption methods are used today:
    – Secret key encryption
      • DES
    – Public key encryption
      • RSA
      • Needs public and private key
      • Incorporated into all major Web browsers and is the basis for secure socket layer (SSL)
      • Most individuals don't have such keys, hence B2C applications are only secure from the consumer to the merchant
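An added sketch of the public-key plus secret-key arrangement this slide describes, written for this transcript and not taken from the slides: the merchant alone holds an RSA key pair, the consumer wraps a fresh session key with the merchant's public key, and the order is then protected with a secret-key cipher. Textbook RSA with tiny fixed primes and a SHA-256 keystream stand in for real RSA and DES; both are demo stand-ins, not secure implementations.

```python
# Added example (not from the slides): a textbook-RSA sketch of the SSL-style
# exchange the slide describes. Only the merchant has a key pair, so the consumer
# can send a secret session key that only the merchant can read; nothing in the
# exchange proves who the consumer is. Tiny primes: demo only, not secure.
import hashlib, secrets

def rsa_keygen(p=1000003, q=1000033, e=65537):
    """Textbook RSA with fixed small primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def keystream(key: bytes, length: int) -> bytes:
    """Secret-key stream derived with SHA-256 (stands in for DES on the slide)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def secret_key_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def consumer_hello(merchant_pub):
    """Consumer (no key pair of its own) picks a session key and wraps it."""
    session = secrets.randbelow(merchant_pub[0] - 2) + 2
    return session, rsa_encrypt(merchant_pub, session)

def run_exchange(order: bytes):
    pub, priv = rsa_keygen()                  # only the merchant holds priv
    k_consumer, wrapped = consumer_hello(pub)
    k_merchant = rsa_decrypt(priv, wrapped)   # merchant unwraps the session key
    ciphertext = secret_key_crypt(k_consumer.to_bytes(8, "big"), order)
    recovered = secret_key_crypt(k_merchant.to_bytes(8, "big"), ciphertext)
    return k_consumer == k_merchant, ciphertext, recovered
```

Because only the merchant is authenticated by its key pair, anyone can run consumer_hello; that is the one-way security the slide notes for B2C applications.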


Page 32: Information Security: Technical Countermeasures cont.

Note: The Internet is not secure because, for one thing, none of the TCP/IP protocols authenticate the communicating parties

3. Virtual Private Networks (VPN): maintain data security as it is transmitted by using:
  – Tunneling: creates a temporary connection between a remote computer and the CLEC's or ISP's local data center. Blocks access to anyone trying to intercept messages sent over that link
  – Encryption: scrambles the message before it is sent and decodes it at the receiving end

Page 33: Information Security: Technical Countermeasures cont.

• Three ways to use VPNs:
  1. Remote Access VPNs: give remote employees a way to access an enterprise intranet by dialing a specific ISP
  2. Remote Office VPNs: give enterprises a way to create a secure private network with remote offices. The ISP's VPN equipment encrypts all transactions
  3. Extranet VPNs: give enterprises a way to conduct e-business with trading partners

Page 34: Planning for Business Continuity

• Business continuity is broader than disaster recovery because it includes:
  – Safeguarding people during a disaster
  – Documenting business procedures (instead of relying on certain employees who may become unavailable), and
  – Giving employees the tools and space to handle personal issues first so that they can then concentrate on work
  – Where will the work be done?
• In short, it is a business issue, because IT disaster recovery is just one component

Page 35: Planning for Business Continuity: Using Internal Resources

• Organizations that rely on internal resources for IT disaster recovery generally see this planning as a normal part of systems planning and development. They use:
  – Multiple data centers
    • Move to have all computing in 'one location' = now under question
  – Distributed processing
  – Backup telecommunication facilities
  – Local area networks
    • One LAN can be used to back up servers for other networks

Page 36: Planning for Business Continuity: Using External Resources

• Cost vs. risk may not justify permanent resources, so companies use the services of a disaster recovery firm:
  – Integrated disaster recovery services
  – Specialized disaster recovery services
  – Online and off-line data storage facilities