Duncan hine input2_ irm_and_outsourcing
Transcript

  • 1. Information Security Risk Management: IT operation outsourcing, a case study
  • 2.
      • Based on a real project
      • Identities protected and altered – does not affect the process that was used
      • A sensitive defence organisation needs to be more cost effective
      • Already has long term outsource partner
      • Mid contract break point drives improvement
      • Perception that security experts will say no
      • This is based on current policy
  • 3.
      • Research and advice across defence sector
      • Many highly sensitive contracts and relationships
      • Key target for traditional and cyber attack
      • Already outsourced support in many areas, but all delivered from inside UK
      • Urgent need to make more savings
      • Concept is to move back office processing and support to a low cost labour country
  • 4.
      • Use the process to establish threats and exploits
      • Look at sensitivity of assets affected
      • See if controls and mitigations can reduce these to acceptable levels
      • Stop, or go ahead and accept residual risks
      • Sounds simple, but only works if you understand how the exploits will happen
  • 5. Move offshore: no classified material at all
      • Human resource basic records
      • Travel expenses fulfilment
      • Purchase order ledger
      • Order generation
      • Payment of suppliers
  • 6.
      • Agree some risks to privacy sensitive records
      • No classified material included, so low risk
      • Bulk data sets to be protected: no copying or transport in country
      • Staff in country to be vetted
      • Buildings to be secured to higher level
      • Subcontract suppliers to be vetted
      • Extra monitoring to be established
  • 7.
      • Threats from individuals, petty criminals and other low grade threat actors
      • Opportunistic, not organised
      • No strategic goal
      • Security first response is NO
      • Little explanation, but "just a risk we don't need to take"
  • 8.
      • Leadership want to make the savings
      • Security role to establish the REAL risks
      • Then find ways of reducing them
      • Explain the result to leaders so they can decide if the residual risks are acceptable
      • Key is to find a way we can all say yes to a desirable initiative, not find reasons to say no!
  • 9.
      • Threat sources: FIS, competitors and sophisticated activist groups
      • Want to reverse engineer size of cyber defences on new order for sensitive web hosting contract
      • Purchase order ledger is moved offshore
      • Use open source to establish likely timing of orders for components and services
      • Penetrate data centre offshore via traditional human methods or cyber attack
      • Collect and analyse project identifiers in database
      • Collect orders and establish scale of servers and defences
      • Mobilise denial of service resources now known to be able to destroy hosting at will
  • 10.
      • Threat actors: FIS, crime, competitors want to identify targets for corruption related to specific contracts
      • HR and travel expenses moved offshore
      • Use open source material to identify timing of contract negotiation and award
      • Target country is known: penetrate data centre, or create and remove copy (could acquire rotating backups)
      • Mine travel expenses to find all trips to target country in window and create long list
      • Qualify list with HR system: look for expensive life, large family, lower bonus etc.
      • Go back to expenses to find detailed behaviours: bar bills, timing, phone call duration ..........
      • Short list targets and move to more traditional methods
  • 11.
      • Open source used to index low grade bulk data
      • Structure of data is as valuable as the data itself
      • Mining and profiling used to enrich data
      • Traditional methods still needed, but this improves chance of success significantly
      • Access to data set or actual system is assumed in target country despite countermeasures
      • Attacks are cyber, used to enhance traditional approaches
  • 12.
      • Scramble data before offshoring
      • Remove structure from orders
      • Reassemble in UK
      • Anonymous HR records with numeric identifiers; address data and other pointers removed
      • Scramble travel expenses and make claim to index number, not person
      • Other similar methods to scramble data and remove structure
      • All reinserted in secure enclave in UK
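Slides 11 and 12 describe the mitigation: identifying fields and the structure that links records (person to claim, order line to project) stay in a UK enclave, and the offshore copy carries only random index numbers and tokens. The following is an added example, not code from the presentation or the organisation described; the record layouts, field names (`national_id`, `project_id`, `delivery_site`) and sample rows are constructed for illustration. It also adds the pre-transfer check a practitioner would want: a gate that refuses to ship any batch still containing a field that must stay in the UK.

```python
"""Scramble records before offshoring and keep the re-linking keys in a UK enclave.

Added illustration, not code from the presentation. Record layouts, field
names and sample rows are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field

# Fields that identify a person or expose project structure: they never leave the enclave.
HR_IDENTIFYING = ("name", "address", "national_id")
ORDER_IDENTIFYING = ("project_id", "delivery_site")


@dataclass
class UKEnclave:
    """Holds the only mapping between offshore index numbers/tokens and real identities."""
    person_index: dict = field(default_factory=dict)  # national_id -> index number
    index_person: dict = field(default_factory=dict)  # index number -> identifying HR fields
    order_token: dict = field(default_factory=dict)   # order line token -> project fields

    def index_for(self, national_id: str) -> str:
        """One stable index per person. Random rather than a hash of the identity,
        so it cannot be re-derived or reversed outside the enclave."""
        if national_id not in self.person_index:
            self.person_index[national_id] = "IDX-" + secrets.token_hex(4)
        return self.person_index[national_id]

    def scramble_hr(self, record: dict) -> dict:
        """Offshore HR record: index number plus non-identifying fields only."""
        idx = self.index_for(record["national_id"])
        self.index_person[idx] = {k: record[k] for k in HR_IDENTIFYING}
        offshore = {k: v for k, v in record.items() if k not in HR_IDENTIFYING}
        offshore["index"] = idx
        return offshore

    def scramble_expense(self, claim: dict) -> dict:
        """Offshore claim is made against the index number, not the person."""
        offshore = dict(claim)
        offshore["index"] = self.index_for(offshore.pop("national_id"))
        return offshore

    def scramble_order_line(self, line: dict) -> dict:
        """Each order line gets its own unlinked token, so lines cannot be grouped
        by project offshore and a project's scale cannot be reconstructed there."""
        token = "ORD-" + secrets.token_hex(4)
        self.order_token[token] = {k: line[k] for k in ORDER_IDENTIFYING}
        offshore = {k: v for k, v in line.items() if k not in ORDER_IDENTIFYING}
        offshore["token"] = token
        return offshore

    # Reassembly happens only inside the enclave, where the mappings live.
    def reassemble_hr(self, offshore: dict) -> dict:
        rec = {k: v for k, v in offshore.items() if k != "index"}
        rec.update(self.index_person[offshore["index"]])
        return rec

    def reassemble_expense(self, offshore: dict) -> dict:
        claim = {k: v for k, v in offshore.items() if k != "index"}
        claim["national_id"] = next(n for n, i in self.person_index.items() if i == offshore["index"])
        return claim

    def reassemble_order_line(self, offshore: dict) -> dict:
        line = {k: v for k, v in offshore.items() if k != "token"}
        line.update(self.order_token[offshore["token"]])
        return line


def leaks_identifiers(records, identifying=HR_IDENTIFYING + ORDER_IDENTIFYING) -> bool:
    """Pre-transfer gate: True if any record still carries a field that must stay in the UK."""
    return any(k in rec for rec in records for k in identifying)


# Constructed sample rows (not real data).
HR_ROWS = [
    {"national_id": "AB123456C", "name": "A. Example", "address": "1 Example St", "grade": 7, "dependants": 3},
    {"national_id": "XY987654Z", "name": "B. Sample", "address": "2 Sample Rd", "grade": 5, "dependants": 0},
]
EXPENSE_ROWS = [
    {"national_id": "AB123456C", "trip": "2019-03", "amount": 412.50},
    {"national_id": "AB123456C", "trip": "2019-05", "amount": 98.00},
]
ORDER_ROWS = [
    {"project_id": "PRJ-ALPHA", "delivery_site": "Site 1", "item": "server", "qty": 40},
    {"project_id": "PRJ-ALPHA", "delivery_site": "Site 1", "item": "firewall", "qty": 4},
]


def demo() -> dict:
    """Scramble, gate, then reassemble in the enclave; returns the pieces for inspection."""
    enclave = UKEnclave()
    hr_off = [enclave.scramble_hr(r) for r in HR_ROWS]
    exp_off = [enclave.scramble_expense(r) for r in EXPENSE_ROWS]
    ord_off = [enclave.scramble_order_line(r) for r in ORDER_ROWS]
    if leaks_identifiers(hr_off + exp_off + ord_off):
        raise RuntimeError("batch still contains UK-only fields; refusing to transfer")
    return {
        "offshore": {"hr": hr_off, "expenses": exp_off, "orders": ord_off},
        "hr_back": [enclave.reassemble_hr(r) for r in hr_off],
        "exp_back": [enclave.reassemble_expense(r) for r in exp_off],
        "ord_back": [enclave.reassemble_order_line(r) for r in ord_off],
    }


if __name__ == "__main__":
    out = demo()
    print(out["offshore"]["hr"][0])   # index number, grade and dependants only
    print(out["offshore"]["orders"])  # two unrelated tokens, no project id or site
```

The two expense claims share one index number, which is what the offshore processor needs to pay them, but the HR fields that would turn that index into a named person are only in the enclave, and the order lines carry unrelated tokens so nothing offshore groups them into a project.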
  • 13.
      • Offshoring can go ahead with residual risk lower than original solution
      • Savings reduced by about 20% to pay for enclave in UK
      • Information asset owners much more aware of real high impact risks
      • Partnership with outsource provider strengthened
      • Partner takes security function into other customers as expert adviser and secures new business
  • 14.
      • Threats from sophisticated sources not well understood by asset owners
      • Assumption that security will say NO!
      • Savings reduced, but project still went ahead and delivered a large net saving
      • After the solution, risks were lower than original solution
      • Ready for next break point: offshoring can now go to any country, even very high risk/low cost environments