Information Security Risk Management
IT operation outsourcing
A case study

Slide 3
- Based on a real project
- Identities protected and altered; this does not affect the process that was used
- A sensitive defence organisation needs to be more cost effective
- Already has a long-term outsource partner
- Mid-contract break point drives improvement
- Perception that security experts will say no
- This is based on current policy
Slide 5
- Research and advice across the defence sector
- Many highly sensitive contracts and relationships
- Key target for traditional and cyber attack
- Already outsourced support in many areas, but all delivered from inside the UK
- Urgent need to make more savings
- Concept is to move back office processing and support to a low cost labour country

Slide 6
- Use the process to establish threats and exploits
- Look at the sensitivity of the assets affected
- See if controls and mitigations can reduce these to acceptable levels
- Stop, or go ahead and accept the residual risks
- Sounds simple, but it only works if you understand how the exploits will happen
Slide 7
Move offshore:
- No classified material at all
- Human resource basic records
- Travel expenses fulfilment
- Purchase order ledger
- Order generation
- Payment of suppliers

Slide 8
- Agree some risks to privacy-sensitive records
- No classified material included, so low risk
- Bulk data sets to be protected: no copying or transport in country
- Staff in country to be vetted
- Buildings to be secured to a higher level
- Subcontract suppliers to be vetted
- Extra monitoring to be established
Slide 9
- Threats from individuals, petty criminals and other low-grade threat actors
- Opportunistic, not organised
- No strategic goal
- Security's first response is NO
- Little explanation: just a risk we don't need to take

Slide 10
- Leadership want to make the savings
- Security's role is to establish the REAL risks
- Then find ways of reducing them
- Explain the result to leaders so they can decide if the residual risks are acceptable
- Key is to find a way we can all say yes to a desirable initiative, not find reasons to say no!
Slide 11
- Threat sources: FIS (foreign intelligence services), competitors and sophisticated activist groups
- Want to reverse engineer the size of cyber defences on a new order for a sensitive web hosting contract
- Purchase order ledger is moved offshore
- Use open source to establish the likely timing of orders for components and services
- Penetrate the data centre offshore via traditional human methods or cyber attack
- Collect and analyse project identifiers in the database
- Collect orders and establish the scale of servers and defences
- Mobilise denial of service resources, now known to be able to destroy hosting at will
Slide 12
- Threat actors: FIS, crime, competitors
- Want to identify targets for corruption related to specific contracts
- HR and travel expenses moved offshore
- Use open source material to identify the timing of contract negotiation and award
- Target country is known: penetrate the data centre, or create and remove a copy (could acquire rotating backups)
- Mine travel expenses to find all trips to the target country in the window and create a long list
- Qualify the list with the HR system: look for expensive lifestyle, large family, lower bonus etc.
- Go back to expenses to find detailed behaviours: bar bills, timing, phone call duration ...
- Short-list targets and move to more traditional methods
Slide 13
- Open source used to index low-grade bulk data
- The structure of the data is as valuable as the data itself
- Mining and profiling used to enrich the data
- Traditional methods still needed, but this improves the chance of success significantly
- Access to the data set or the actual system is assumed in the target country despite countermeasures
- Attacks are cyber, used to enhance traditional approaches
Slide 14
- Scramble data before offshoring
- Remove structure from orders
- Reassemble in the UK
- Anonymous HR records with numeric identifiers; address data and other pointers removed
- Scramble travel expenses and make the claim to an index number, not a person
- Other similar methods to scramble data and remove structure
- All reinserted in a secure enclave in the UK
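One way to implement the scrambling scheme on this slide, as an added example that is not part of Duncan Hine's deck: the UK enclave issues a random numeric index per person or project, holds back every field that points to a person, site or contract, ships only the index and the working fields offshore, and re-attaches the held-back fields when the processed record returns. The record types, field names and sample records are constructed for the example; the deck names the data sets but not their schema.

```python
import secrets

# Constructed schemas for this example. Pointer fields identify a person, site
# or contract and never leave the enclave; the other fields are what offshore needs.
POINTER_FIELDS = {
    "hr":      {"name", "address", "ni_number", "email"},
    "expense": {"claimant", "destination", "project"},
    "order":   {"project", "site", "requisitioner"},
}
SUBJECT_FIELD = {"hr": "name", "expense": "claimant", "order": "project"}  # replaced by the index


class Enclave:
    """UK-side vault: the only place an index number maps back to a subject."""
    def __init__(self):
        self._subject_to_index = {}
        self._index_to_subject = {}
        self._held_back = {}  # (kind, index, record id) -> stripped pointer fields

    def index_for(self, subject):
        """Stable random numeric index per subject: offshore can reconcile
        several claims from one claimant without learning who it is."""
        idx = self._subject_to_index.get(subject)
        if idx is None:
            idx = f"{secrets.randbelow(10**9):09d}"
            while idx in self._index_to_subject:  # avoid a collision
                idx = f"{secrets.randbelow(10**9):09d}"
            self._subject_to_index[subject] = idx
            self._index_to_subject[idx] = subject
        return idx

    def scramble(self, kind, record):
        """Build the record that leaves the enclave: index plus working
        fields. Every pointer field is held back, keyed by the record id."""
        pointers = POINTER_FIELDS[kind]
        idx = self.index_for(record[SUBJECT_FIELD[kind]])
        self._held_back[(kind, idx, record["id"])] = {
            k: v for k, v in record.items() if k in pointers}
        out = {k: v for k, v in record.items() if k not in pointers}
        out["index"] = idx
        return out

    def reassemble(self, kind, processed):
        """Re-attach held-back fields to a record returned from offshore.
        A record carrying an index the enclave never issued is rejected."""
        key = (kind, processed["index"], processed["id"])
        if key not in self._held_back:
            raise KeyError("record was not issued by this enclave")
        full = {k: v for k, v in processed.items() if k != "index"}
        full.update(self._held_back[key])
        return full


def leaks_pointers(kind, offshore_record):
    """Pre-dispatch check: True if any pointer field survived scrambling."""
    return bool(POINTER_FIELDS[kind].intersection(offshore_record))


def offshore_process_expense(claim):
    """What the low-cost centre does: settle a claim knowing only the index."""
    done = dict(claim)
    done["status"] = "paid" if claim["amount_gbp"] <= 500 else "referred"
    return done


def run_case_study():
    """Round-trip one constructed HR record and two constructed expense claims."""
    enclave = Enclave()
    hr = {"id": "hr-1", "name": "A. Example", "address": "1 Test Street",
          "ni_number": "QQ123456C", "email": "a@example.invalid", "grade": "B2"}
    claims = [{"id": f"exp-{n}", "claimant": "A. Example", "destination": "Testland",
               "project": "PRJ-001", "amount_gbp": amt} for n, amt in ((1, 320.0), (2, 900.0))]
    hr_out = enclave.scramble("hr", hr)
    sent = [enclave.scramble("expense", c) for c in claims]
    assert not any(leaks_pointers("expense", s) for s in sent)  # gate before dispatch
    back = [enclave.reassemble("expense", offshore_process_expense(s)) for s in sent]
    return enclave, hr_out, sent, back
```

Only the enclave's mapping tables link an index back to a person or project, so a copy of the offshore data set yields amounts and statuses keyed by opaque numbers, which is the "structure removed" state the slide describes.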
Slide 15
- Offshoring can go ahead with residual risk lower than in the original solution
- Savings reduced by about 20% to pay for the enclave in the UK
- Information asset owners much more aware of the real high-impact risks
- Partnership with the outsource provider strengthened
- Partner takes the security function into other customers as an expert adviser and secures new business
Slide 16
- Threats from sophisticated sources not well understood by asset owners
- Assumption that security will say NO!
- Savings reduced, but the project still went ahead and delivered a large net saving
- After the solution, risks were lower than in the original solution
- Ready for the next break point: offshoring can now go to any country, even very high risk / low cost environments

Source deck: Duncan hine input2_ irm_and_outsourcing