Security For Outsourced IT Contracts

  1. Managing Security in Outsourced Information Technologies
     Bill Lisse, CISSP, CISA, CGEIT, PMP, G7799
     Corporate Information Security Officer
     1/19/2011
  2. Overview
     - Shifting Sands
     - Planning
     - Source Selection and Award
     - Contract Administration
     - Termination

     Risk is always involved when third-party entities are given access to sensitive customer data, privileged business operation details, or intellectual property vulnerable to public or competitor disclosure.
  3. Shifting Sands
     - InfoSec professionals are increasingly being required to manage risks in extended enterprises
       - Security in contracting arrangements, especially Cloud Computing, has necessitated increased understanding
       - Incidents like Heartland Payment Processing and Microsoft BPOS underscore the risks of outsourced IT
     - Increasing use of IT outsourcing
       - New capabilities
       - Reduced costs
       - Increased storage
       - Highly automated
       - Flexibility
       - More mobility
       - Allows IT to shift focus
       - Improved security – Depends? The focus of our discussion…
  4. Shifting Sands
     - Typical IT Outsourcing Areas
       - Network and IT infrastructure management
       - Financial processing (such as credit cards and EDI)
       - Web (B2B & B2C) portals
       - Application development and maintenance
       - Help desk services
       - Data center management
       - Systems integration
       - Research and development (R&D)
       - Product development
       - Managed Security Services and Security Management

     Information technology outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.
  5. Planning
     - Business Requirements
       - Security & Privacy Requirements
     - Market Research
       - Capabilities of potential offerors (small vs. large supplier)
       - Structure of the market (number of offerors, typical security offerings)
       - Standards and expectations (ISO 27001, NIST, etc.)
       - Due diligence
     - Work Breakdown Structure and Schedule
       - Basis of comparison and security budgeting
         - What is expected?
         - When is it expected?
     - Risk Assessment
       - Inherent risks (What can go wrong?) and impact

     Planning is the most critical phase of IT contract management – information security should be built into the contract at its inception.
  6. Planning
     - Make-Buy Decision
       - Can management tolerate the security risks?
         - Average breach cost is $6.5 million (USD)
     - Acquisition Strategy
       - Contract type
         - Traditional or performance-based acquisition
         - Fixed price or cost reimbursable
       - Terms and conditions
         - Security Service Level Agreement
         - Indemnification, limits of liability, “right to audit” clause
     - Source Selection Criteria
       - What minimum security requirements must the offeror be able to meet?
  7. Planning
     - Request for Proposal
       - Background for security requirements
         - Compliance requirements (HIPAA, FERPA, FFIEC, etc.)
         - Management’s security requirements
         - International requirements
       - Instructions for offerors
         - Security interrogatories
       - Source selection criteria
         - Minimum security requirements
  8. Planning
     - Key Control Considerations
       - Control environment
       - Security considerations
         - Data protection risks
         - Security: network, physical, environmental, personnel, and logical access
       - System Development Life Cycle (SDLC) controls
         - Change management controls
         - Business continuity and disaster response

     Key issues range from requiring the vendor to maintain specified levels of security (through employee awareness training and contractual obligations) to indemnification of the company by the vendor for any breaches.
  9. Planning
     - Guidance for Small Business Providers
       - How much pain can you take? Risk versus reward trade-off
       - Minimum security expectations for any small business
         - Security Guide for Small Business, Microsoft Corporation
         - Small Business Corner, National Institute of Standards and Technology
         - Commonsense Guide to Cyber Security for Small Businesses, U.S. Chamber of Commerce
         - Internal Control over Financial Reporting – Guidance for Smaller Public Companies, Committee of Sponsoring Organizations of the Treadway Commission
  10. Source Selection and Award
      - Reviewing Proposals
        - Independent assessments (SSAE 16 [SAS 70] and ISAE 3402) and certifications
          - Relevance, scope, recency
        - Minimum security requirements
          - Answers to questions (pass/fail, scalar ratings, etc.)
      - Non-Disclosure Agreements
      - Site Visit and Q&A
        - Protecting the offeror’s intellectual property
        - Facilitate security for visits
        - Discussions and negotiations
  11. Contract Administration
      - Post-Award Conference
        - Kick-off meeting – security issues
          - What we agree will occur
          - Document and distribute minutes
      - Internal Control Questionnaire
        - Baseline / control self-assessment
      - Internal Control Audits
        - Review of recurring internal control assessments
        - Security assessments
      - Handling Disputes and Non-conformances
      - Contract Modifications – advise regarding the necessity, scope, and adequacy of changes
  12. Contract Termination
      - Terminate access
        - Physical
        - Logical
      - Return of company assets
        - Hardware
        - Data
      - Verify data disposal / retention
      - Capture lessons learned

      Don’t neglect contract termination; residuals and loose ends are real security risks.
  13. Conclusion
      - Shifting Sands
      - Planning
      - Source Selection and Award
      - Contract Administration
      - Termination
  14. References
      - Outsourced IT Environments Audit/Assurance Program, ISACA
      - Cloud Computing Management Audit/Assurance Program, ISACA
      - Supervision of Technology Service Providers, IT Examination Handbook, Federal Financial Institutions Examination Council
      - Global Audit Technology Guide (GTAG) 7, Information Technology Outsourcing, Institute of Internal Auditors
      - Standards for Attestation Engagements (SSAE) No. 16, Reporting on the Controls of a Service Organization, American Institute of Certified Public Accountants
      - Cloud Controls Matrix and Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance