Security For Outsourced IT Contracts

  • 1. Managing Security in Outsourced Information Technologies. Bill Lisse, CISSP, CISA, CGEIT, PMP, G7799, Corporate Information Security Officer. 1/19/2011
  • 2. Overview
    • Shifting Sands
    • Planning
    • Source Selection and Award
    • Contract Administration
    • Termination
    Risk is always involved when third-party entities are given access to sensitive customer data, privileged business operation details, or intellectual property vulnerable to public or competitor disclosure.
  • 3. Shifting Sands
    • InfoSec professionals are increasingly being required to manage risks in extended enterprises
      • Security in contracting arrangements, especially cloud computing, has required a deeper understanding of third-party risk
      • Incidents at Heartland Payment Systems and Microsoft BPOS underscore the risks of outsourced IT
    • Increasing use of IT outsourcing
      • New capabilities
      • Reduced Costs
      • Increased Storage
      • Highly Automated
      • Flexibility
      • More Mobility
      • Allows IT to Shift Focus
      • Improved security? It depends, and that is the focus of this discussion
  • 4. Shifting Sands
    • Typical IT Outsourcing Areas
      • Network and IT infrastructure management
      • Financial processing (such as credit cards and EDI)
      • Web (B2B & B2C) portals
      • Application development and maintenance
      • Help desk services
      • Data center management
      • Systems integration
      • Research and development (R&D)
      • Product development
      • Managed Security Services and Security Management
    Information technology outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.
  • 5. Planning
    • Business Requirements
      • Security & Privacy Requirements
    • Market Research
      • Capabilities of Potential Offerors (Small vs. Large Supplier)
      • Structure of the Market (Number of offerors, typical security offerings)
      • Standards and Expectations (ISO 27001, NIST, etc…)
      • Due diligence
    • Work Breakdown Structure and Schedule
      • Basis of comparison and security budgeting
        • What is expected?
        • When is it expected?
    • Risk Assessment
      • Inherent Risks (What can go wrong?) and Impact
    Planning is the most critical phase of IT contract management – information security should be built into the contract at its inception.
  • 6. Planning
    • Make-Buy Decision
      • Can management tolerate the security risks?
        • Average breach cost is $6.5 million (USD)
    • Acquisition Strategy
      • Contract Type
        • Traditional or Performance Based Acquisition
        • Fixed Price or Cost Reimbursable
      • Terms and Conditions
        • Security Service Level Agreement
        • Indemnification, Limits of Liability, “Right to Audit Clause”
    • Source Selection Criteria
      • What minimum security requirements must the offeror be able to meet?
  • 7. Planning
    • Request for Proposal
      • Background for security requirements
        • Compliance requirements (HIPAA, FERPA, FFIEC, etc…)
        • Management’s security requirements
        • International requirements
      • Instructions for offerors
        • Security Interrogatories
      • Source selection criteria
        • Minimum security requirements
  • 8. Planning
    • Key Control Considerations
      • Control environment
      • Security considerations
        • Data protection risks
        • Security: network, physical, environmental, personnel, and logical access
      • System Development Life Cycle (SDLC) controls
        • Change management controls
        • Business continuity and disaster response
    Key issues range from requiring the vendor to maintain specified levels of security (through employee awareness training and contractual obligations) to indemnification of the company by the vendor for any breaches.
  • 9. Planning
    • Guidance for Small Business Providers
      • How much pain can you take? Risk versus Reward Trade-off
      • Minimum security expectations for any small business
        • Security Guide for Small Business , Microsoft Corporation, http://download.microsoft.com/download/3/a/2/3a208c3c-f355-43ce-bab4-890db267899b/Security_Guide_for_Small_Business.pdf
        • National Institute of Standards and Technology, Small Business Corner , http://csrc.nist.gov/groups/SMA/sbc/index.html
        • Commonsense Guide to Cyber Security for Small Businesses, U.S. Chamber of Commerce , http://www.uschamber.com/reports/commonsense-guide-cyber-security-small-businesses
        • Internal Control over Financial Reporting – Guidance for Smaller Public Companies , Committee on Sponsoring Organizations of the Treadway Commission, http://www.coso.org/ICFR-GuidanceforSPCs.htm
  • 10. Source Selection and Award
    • Reviewing Proposals
      • Independent Assessments (SSAE 16 [successor to SAS 70] and ISAE 3402) and Certifications
        • Relevance, scope, recency
      • Minimum Security Requirements
        • Answers to questions (pass/fail, scalar ratings, etc…)
    • Non-Disclosure Agreements
    • Site Visit and Q&A
      • Protecting the offeror’s intellectual property
      • Facilitate security for visits
      • Discussions and negotiations
  • 11. Contract Administration
    • Post-Award Conference
      • Kick-off meeting – Security Issues
        • What we agree will occur
        • Document and distribute minutes
    • Internal Control Questionnaire
      • Baseline / Control Self-Assessment
    • Internal Control Audits
      • Review of recurring internal control assessments
      • Security assessments
    • Handling Disputes and Non-conformances
    • Contract Modifications – Advise regarding the necessity, scope, and adequacy of changes
  • 12. Contract Termination
    • Terminate access
      • physical
      • logical
    • Return of company assets
      • Hardware
      • Data
    • Verify data disposal / retention
    • Capture lessons learned
    Don’t neglect contract termination; residuals and loose ends are real security risks.
  • 13. Conclusion
    • Shifting Sands
    • Planning
    • Source Selection and Award
    • Contract Administration
    • Termination
  • 14. References
    • Outsourced IT Environments Audit/Assurance Program , ISACA
    • Cloud Computing Management Audit/Assurance Program , ISACA
    • Supervision of Technology Service Providers , IT Examination Handbook, Federal Financial Institutions Examination Council, http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/outsourcing_booklet.pdf
    • Global Technology Audit Guide (GTAG) 7, Information Technology Outsourcing, Institute of Internal Auditors
    • Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, American Institute of Certified Public Accountants
    • Cloud Controls Matrix and Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance, http://www.cloudsecurityalliance.org/