Sourcing & Management of Information Security
Sébastien BOMBAL
4th March 2011
Sourcing & information security ?
• From outsourcing IT in the 1960s… to “cloud computing” in 2011
• Why ? Still the same objectives since the 60s :
  • Increasing focus on core competencies
  • Increasing competitive pressure (optimizing run cost and investment)
  • Accessing world-class capabilities and best practices
  • Sharing risk…
• What ? From routine and non-critical tasks… to strategic processes that directly impact revenues.
• Where (is my data) ? From your IT rooms… to a worldwide cyberspace.
• Who ? From an identified subcontractor… to cascaded subcontracting (chain of trust ?).
Sourcing and common problems for security
• Risk : data theft, leak or unavailability
  • Data falls into competitors’ hands
  • Publicized data leakage, theft or unavailability
  • Objectives not reached (cost, time, effectiveness and efficiency)
• Important details to check :
  • SLA (predefined non-negotiable agreements and negotiated agreements)
  • Licensing
  • Criteria for acceptable use
  • Service suspension, termination, limitations on liability
  • Privacy policy
  • Modifications to the terms of service
  • Audit capability
  • Data ownership and data location
  • Shared (mutualized) or dedicated infrastructure
  • Measurement of service effectiveness
  • Compliance with laws and regulations
  • Use of validated products and vetting of employees
• And don’t forget :
  • Erosion of in-house knowledge
Deploying ISO 27001 - best practices ?
• Using a certified ISO 27001 service provider ? Not really useful…
• Tasks (more details : http://www.club-27001.fr/supports/2009-06-11_AREVA.pdf) :
  • Asset classification
  • Contracts
  • Risk management
  • Audits / reporting
  • Incident management
  • Dashboards
  • Awareness
• Driven by the PDCA cycle : Plan, Do, Check, Act
Classify your assets with an outsourced IS
• The longest task is inventory : inventory management is a difficult process
• This can be even easier :
  • Case of leasing
  • Case of ASP, SaaS, PaaS, IaaS, …
• Even if everything is outsourced, do not forget your own assets :
  • Human resources, sites, documentation, file servers.
Deploying ISO 27001 - best practices ? (continued)
• Why not use best practices for contract management ? Like eSCM…
In a very few words : eSCM
• The eSourcing Capability Models are best practices to successfully manage your IT sourcing life cycle :
  • For the client organization : eSCM-CL
  • For the service provider : eSCM-SP
• eSCM-CL is a framework with 95 practices (measures) in 17 domains
• Evaluated through capability levels :
  • Level 1 : Performing sourcing (at least you are level 1)
  • Level 2 : Consistently managing sourcing
  • Level 3 : Managing organizational sourcing performance
  • Level 4 : Proactively enhancing value
  • Level 5 : Sustaining excellence (at least two consecutive years at level 4)
• Maintained and published by ITSQC : http://www.itsqc.org/
Sourcing relationships & Information Security Management (ISM)
Deploying ISO 27001 - feedback ?
• Use ISO 27001 to reposition security and risk management as a support to the IS management
• Limit the scope & responsibilities (contract, service agreement, RACI, …) and, by side effect, the scope to be certified
  • Should be done for the in-sourcing model
• Involve service providers (SP) in your risk management process
  • Maintain reasonable risk treatment plans
  • Mix it with the different improvement plans
• Audit & control SP commitments and evaluate your operational risk
• Define and use dashboards and reports : “facts and figures”
  • Contracts are mostly managed through indicators & KPIs
And my cloud ?
• What is « cloud computing » for an IS function ? Just a change of state of mind… not an outsourcing focus.
  • Providing self-service resources to your business
  • Standardizing and automating
  • Providing a service catalogue
  • Tracking resources and cost
  • Implementing showback and chargeback processes (ABC (1) and ABM (2))
  • Managing capacity planning
• And as usual you can “make … or buy”
(1) ABC : Activity Based Costing
(2) ABM : Activity Based Modeling
Managing extended IS (diagram)
• COBIT
• Management system with a PDCA (Plan Do Check Act) approach : ISO 9001, ISO 27001, ISO 14001
• Security measures come from ISO 27002, but some of them are redundant with, or complete, ITIL and eSCM
• ITIL, eSCM-CL, ISO 27002 : security measures to include in the contract
eSCM-CL practices versus ISO 27002 (1/2) (mapping table ; columns : linked with your ISO 27001 governance, security involvement needed, audit and control)
eSCM-CL practices versus ISO 27002 (2/2) (mapping table ; columns : security involvement needed, linked with your ISO 27001 SoA)
• At least level 2 maturity for eSCM seems to be enough, with a few level 3 measures
In conclusion
• Strong acceleration of security awareness in sourcing :
  • New players with cloud computing
  • Loss of visibility of data location
• ISO 27001 in an outsourced IS :
  • Manage contracts
  • Limit the scope for the auditor with contracts or agreements
  • Implement an asset management process to control security… and invoicing.
• ISO 27001 is complementary with other methods like eSCM-CL, but these methods are not a substitute for continuous improvement of security
  • eSCM-CL can help you in your ISO 27001 project
• Keep things simple !
  • Risk management
  • Security target.
Bibliography
• eSCM official website : www.itsqc.org
• NIST : « Guidelines on Security and Privacy in Public Cloud Computing »
• Yesser / e-government program of Saudi Arabia : « Best Practices for IT Sourcing »
• Gartner : “Sourcing Strategies - Relationship Models and Case Studies”
Questions ?
Thanks for your attention
sebastien@bombal.org