Duncan hine input2_ irm_and_outsourcing

  • 1. Information Security Risk Management: IT operation outsourcing, a case study

  • 2. Background
      - Based on a real project
      - Identities protected and altered; this does not affect the process that was used
      - A sensitive defence organisation needs to be more cost effective
      - It already has a long-term outsource partner
      - A mid-contract break point drives improvement
      - Perception that the security experts will say no
      - This is based on current policy

  • 3. The organisation and the proposal
      - Research and advice across the defence sector
      - Many highly sensitive contracts and relationships
      - Key target for traditional and cyber attack
      - Support already outsourced in many areas, but all delivered from inside the UK
      - Urgent need to make more savings
      - Concept: move back-office processing and support to a low-cost labour country

  • 4. The risk management process
      - Use the process to establish threats and exploits
      - Look at the sensitivity of the assets affected
      - See if controls and mitigations can reduce these to acceptable levels
      - Stop, or go ahead and accept the residual risks
      - Sounds simple, but it only works if you understand how the exploits will actually happen

  • 5. What moves offshore
      - No classified material at all
      - Basic human resource records
      - Travel expenses fulfilment
      - Purchase order ledger
      - Order generation
      - Payment of suppliers

  • 6. Initial risk position
      - Agree some risks to privacy-sensitive records
      - No classified material included, so low risk
      - Bulk data sets to be protected: no copying or transport in country
      - Staff in country to be vetted
      - Buildings to be secured to a higher level
      - Subcontract suppliers to be vetted
      - Extra monitoring to be established

  • 7. Threats as first perceived
      - Threats from individuals, petty criminals and other low-grade threat actors
      - Opportunistic, not organised
      - No strategic goal
      - Security's first response is NO
      - Little explanation, just "a risk we don't need to take"

  • 8. What security should actually do
      - Leadership want to make the savings
      - Security's role is to establish the REAL risks
      - Then find ways of reducing them
      - Explain the result to leaders so they can decide whether the residual risks are acceptable
      - The key is to find a way we can all say yes to a desirable initiative, not to find reasons to say no!

  • 9. Attack scenario 1: sizing the cyber defences of a sensitive hosting contract
      - Threat sources: FIS (foreign intelligence services), competitors and sophisticated activist groups
      - Goal: reverse engineer the size of the cyber defences on a new order for a sensitive web hosting contract
      - The purchase order ledger is moved offshore
      - Use open source to establish the likely timing of orders for components and services
      - Penetrate the offshore data centre via traditional human methods or cyber attack
      - Collect and analyse the project identifiers in the database
      - Collect the orders and establish the scale of servers and defences
      - Mobilise denial-of-service resources now known to be able to take the hosting down at will

  • 10. Attack scenario 2: finding targets for corruption
      - Threat actors: FIS, organised crime and competitors want to identify targets for corruption related to specific contracts
      - HR and travel expenses are moved offshore
      - Use open source material to identify the timing of contract negotiation and award
      - The target country is known: penetrate the data centre, or create and remove a copy (could acquire rotating backups)
      - Mine travel expenses to find all trips to the target country in the window and create a long list
      - Qualify the list against the HR system: look for an expensive lifestyle, a large family, a lower bonus, etc.
      - Go back to expenses to find detailed behaviours: bar bills, timing, phone call duration ..........
      - Short-list the targets and move to more traditional methods

  • 11. What the scenarios have in common
      - Open source is used to index low-grade bulk data
      - The structure of the data is as valuable as the data itself
      - Mining and profiling are used to enrich the data
      - Traditional methods are still needed, but this improves the chance of success significantly
      - Access to the data set or to the actual system in the target country is assumed, despite the countermeasures
      - Cyber attack is used to enhance the traditional approaches

  • 12. The solution: remove the structure before it leaves the UK
      - Scramble data before offshoring
      - Remove the structure from orders; reassemble in the UK
      - Anonymised HR records with numeric identifiers, with address data and other pointers removed
      - Scramble travel expenses and make each claim against an index number, not a person
      - Other similar methods to scramble data and remove structure
      - All reinserted in a secure enclave in the UK

  • 13. Outcome
      - Offshoring can go ahead with residual risk lower than in the original solution
      - Savings reduced by about 20% to pay for the enclave in the UK
      - Information asset owners much more aware of the real high-impact risks
      - Partnership with the outsource provider strengthened
      - The partner takes the security function into other customers as an expert adviser and secures new business

  • 14. Conclusions
      - Threats from sophisticated sources are not well understood by asset owners
      - Assumption that security will say NO!
      - Savings reduced, but the project still went ahead and delivered a large net saving
      - After the solution, risks were lower than in the original solution
      - Ready for the next break point: offshoring can now go to any country, even very high-risk, low-cost environments
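The following is an added worked example, not part of the deck, that puts slides 10, 11 and 12 side by side in code: the profiling chain that mines travel expenses, qualifies the hits against HR and enriches them with bar bills, run first on raw records where both data sets share an employee number, and then on the same records after a UK-enclave token vault has replaced the person with a separate random index number in each data set. The employee records, claims, the negotiation window and the threshold of "large family, low bonus" are constructed for the example; the deck does not give its real data or selection rules.

```python
"""Linkability is the asset: the slide-10 profiling chain on raw records, and
the slide-12 countermeasure of tokenising each data set separately in a UK
enclave so the offshore copies no longer join.  Added example, not from the deck."""
import secrets
from datetime import date

# Constructed sample records (invented for this example, not real data).
HR_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "address": "1 High St",
     "dependants": 4, "bonus_band": "low"},
    {"employee_id": "E1002", "name": "B. Example", "address": "2 High St",
     "dependants": 0, "bonus_band": "high"},
    {"employee_id": "E1003", "name": "C. Example", "address": "3 High St",
     "dependants": 3, "bonus_band": "low"},
]
EXPENSE_CLAIMS = [
    {"employee_id": "E1001", "destination": "TargetCountry", "date": date(2013, 3, 5), "bar_bill": 180.0},
    {"employee_id": "E1002", "destination": "TargetCountry", "date": date(2013, 3, 6), "bar_bill": 20.0},
    {"employee_id": "E1003", "destination": "Elsewhere", "date": date(2013, 3, 7), "bar_bill": 90.0},
    {"employee_id": "E1003", "destination": "TargetCountry", "date": date(2013, 9, 1), "bar_bill": 300.0},
]
# Contract negotiation window the attacker found from open sources (assumed).
WINDOW = (date(2013, 3, 1), date(2013, 3, 31))


def shortlist_targets(hr, claims, country, window, person_key="employee_id"):
    """Slide-10 chain: trips to the target country in the window, qualified
    against HR (large family, low bonus), enriched with bar bills.
    Works only if both data sets share a value under `person_key`."""
    start, end = window
    travellers = {c[person_key] for c in claims
                  if c["destination"] == country and start <= c["date"] <= end}
    profile = {h[person_key]: h for h in hr}
    hits = []
    for pid in travellers:
        h = profile.get(pid)            # the join the whole attack depends on
        if h and h["dependants"] >= 3 and h["bonus_band"] == "low":
            bar = sum(c["bar_bill"] for c in claims if c[person_key] == pid)
            hits.append((pid, bar))
    return sorted(hits)


class TokenVault:
    """Lives only in the UK enclave.  Each data set gets its own random index
    number for the same employee, so two offshore copies cannot be joined."""

    def __init__(self):
        self._forward = {}   # (dataset, employee_id) -> token
        self._reverse = {}   # (dataset, token) -> employee_id

    def tokenize(self, dataset, employee_id):
        key = (dataset, employee_id)
        if key not in self._forward:
            token = secrets.token_hex(8)      # random, not derived from the id
            self._forward[key] = token
            self._reverse[(dataset, token)] = employee_id
        return self._forward[key]

    def resolve(self, dataset, token):
        return self._reverse[(dataset, token)]


DIRECT_IDENTIFIERS = {"employee_id", "name", "address"}


def prepare_for_offshore(hr, claims, vault):
    """Strip direct identifiers and replace the person with a per-data-set index."""
    off_hr = []
    for h in hr:
        row = {k: v for k, v in h.items() if k not in DIRECT_IDENTIFIERS}
        row["index"] = vault.tokenize("hr", h["employee_id"])
        off_hr.append(row)
    off_claims = []
    for c in claims:
        row = {k: v for k, v in c.items() if k not in DIRECT_IDENTIFIERS}
        row["index"] = vault.tokenize("expenses", c["employee_id"])
        off_claims.append(row)
    return off_hr, off_claims


def reassemble(processed_claims, vault):
    """Back in the enclave: re-attach the real employee to each processed claim."""
    return [dict(c, employee_id=vault.resolve("expenses", c["index"]))
            for c in processed_claims]


def run_demo():
    """Attack result before and after scrambling, plus the enclave round trip."""
    before = shortlist_targets(HR_RECORDS, EXPENSE_CLAIMS, "TargetCountry", WINDOW)
    vault = TokenVault()
    off_hr, off_claims = prepare_for_offshore(HR_RECORDS, EXPENSE_CLAIMS, vault)
    after = shortlist_targets(off_hr, off_claims, "TargetCountry", WINDOW,
                              person_key="index")
    restored = [r["employee_id"] for r in reassemble(off_claims, vault)]
    leaked = any(k in r for r in off_hr + off_claims for k in DIRECT_IDENTIFIERS)
    return {"before": before, "after": after, "restored": restored, "leaked": leaked}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing. The thing that breaks the slide-10 chain is not the removal of names and addresses but the separate random index per data set: a single "anonymous" employee number reused across HR and expenses would leave the join, and therefore the whole profiling chain, intact. And the vault, with its rotating backups, is now the most sensitive asset in the design, which is why the deck keeps it inside the UK enclave rather than with the offshore provider. Dates, destinations and amounts still survive inside each data set, so the vetting, no-copy and monitoring controls from slide 6 still apply.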