1 / 27

InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance

InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance. Agenda. The complexities of outsourcing Brain surgery through binoculars (the wrong way around) Ways to approach InfoSec in outsourcing The secret of a good outsourcing arrangement

hamilton-case
Download Presentation

InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. InfoSecurity and Outsourcing17 March 2009Colin DixonHead of Risk and Compliance

  2. Agenda • The complexities of outsourcing • Brain surgery through binoculars (the wrong way around) • Ways to approach InfoSec in outsourcing • The secret of a good outsourcing arrangement • Some things you really must do • Some things that can help • Questions

  3. Outsourcing There are three types of outsourcing • Outsourcing business services • Outsourcing business functions • Outsourcing security services

  4. Possible complications • de-mergers • non-sale divestitures • sell-offs • off-shoring * Where a significant relationship persists

  5. Possible complications • Outsourcing suppliers have done it before • Many outsourcing decisions are political • InfoSec people hear about outsourcing at the same time as the media • InfoSec is rarely at the top of the agenda • InfoSec is viewed as negotiable

  6. Possible complications I have this… …and I want this

  7. Possible complications I have this… …and I want this Plays hell with the metrics

  8. Brain surgery through binoculars (the wrong way around) The complexity of managing risks is significantly increased by this boundary

  9. The Taxi analogy • When you get into a Taxi you can do one of three things: • Give the driver detailed instructions • State the destination and expect the driver to find the way • Ask the driver to take you to a (good) restaurant etc.

  10. The three (main) approaches • A very detailed control specification • Specification of control objectives rather than controls and monitoring for effectiveness • Broad specification of controls, providing for evolution of the control regime

  11. The type of contract affects the requirements Detailed requirements Broad requirements Cheque printing Web development HR System

  12. The secret of a good outsourcing arrangement

  13. The secret of a good outsourcing arrangement “If you have to resort to the contract the relationship is not working” relationship relationship relationship “If you are not working on the relationship you may very soon regret it” “if the relationship with your provider breaks down the contract is irrelevant”

  14. Why relationships break down • Expectations differ • A clash of cultures • Perceptions disrupt the relationship • Trust and confidence has not been established

  15. Preparation and Planning

  16. Preparation and Planning Information risk assessment of an outsourced business function is complex because there are three components

  17. Preparation and Planning • Risk assessment • Due diligence against the outsource company • SAS 70 Pt.2 • Determining appropriate control regime • A business issue not a technology issue • Transition • Exit

  18. Change and evolution Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business

  19. Change and evolution • Monitor performance against evolution strategy • establish a forum to consider evolution plans • regularly review evolution plans • regularly review architectural issues • regularly review change management procedures

  20. Exit strategy The exit strategy must be defined before the contract is agreed so that suitable provision for termination is in place before the outsourcing arrangement commences. This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning. The exit strategy is as important as the early transition

  21. Exit strategy • Data ownership • Clean transition • Archives • Escrow • IPR • Legal and regulatory

  22. Responsibilities and communication • Skills and knowledge transfer • Address staffing differences immediately • Review roles and responsibilities • Joint strategy for the resolution of security incidents • Regular discussion of information security issues • Work together to agree on the current top ten risks • Agree an approach to managing the current top ten risks.

  23. Monitoring and audit • Monitoring (against SLAs) • Regular security audits • Review of monitoring analysis • Review incident management actions • Corporate governance, regulator and FSA reporting • Contingency preparation check/training • Security management needs to be delivered • defined and dedicated methodologies • processes • delivery staff

  24. SLAs - characteristics of good service items • Measurable - in an objective preferably automatic way • Specific - expressed unambiguously • Repeatable - predictable, controllable service levels • Valued - understood by the business, linked to business process • Visible - not embedded in the IT architecture

  25. Incidents and Incident Management • Ensure accountability • Review response to legal issues - privacy etc. • Develop joint strategy for resolution • Review emergency response skills and controls • Review monitoring information for incidents • Ensure that perceptions of criticality are the same • Review incident response procedures • Check training in incident response

  26. Conclusions • The contract • Benefit from early preparation • Infosec is not always able to influence the contract • Legal regulatory requirements • Termination is far too important to leave to the end of the contract • Dynamic businesses favour less rigid contracts

  27. Questions? Colin.dixon@mwrinfosecurity.com

More Related