Duncan hine input2_ irm_and_outsourcing

492 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
492
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Duncan hine input2_ irm_and_outsourcing

  1. 1. Information Security Risk Management IT operation outsourcing A case study
  2. 2.  Based on a real project Identities protected and altered – does not affect the process that was used A sensitive defence organisation needs to be more cost effective Already has long term outsource partner Mid contract break point drives improvement Perception that security experts will say no This is based on current policy
  3. 3.  Research and advice across defence sector Many highly sensitive contracts and relationships Key target for traditional and cyber attack Already outsourced support in many areas but all delivered from inside UK Urgent need to make more savings Concept is to move back office processing and support to a low cost labour country
  4. 4.  Use the process to establish threats and exploits Look at sensitivity of assets affected See if controls and mitigations can reduce these to acceptable levels Stop or go ahead and accepts residual risks Sounds simple but only works if you understand how the exploits will happen
  5. 5.  Move offshore : No classified material at all Human resource basic records Travel expenses fulfilment Purchase order ledger Order generation Payment of suppliers
  6. 6.  Agree some risks to privacy sensitive records No classified material included so low risk Bulk data sets to be protected no copying or transport in country Staff in country to be vetted Buildings to be secured to higher level Subcontract suppliers to be vetted Extra monitoring to be established
  7. 7.  Threats from individuals, petty criminals and other low grade threat actors Opportunistic not organised No strategic goal Security first response is NO Little explanation but just a risk we don’t need to take
  8. 8.  Leadership want to make the savings Security role to establish the REAL risks Then find ways of reducing them Explain the result to leaders so they can decide if the residual risks are acceptable Key is to find a way we can all say yes to a desirable initiative not find reasons to say no!
  9. 9.  Threat sources FIS, competitors and sophisticated activist groups Want to reverse engineer size of cyber defences on new order for sensitive web hosting contract Purchase order ledger is moved offshore Use open source to establish likely timing of orders for components and services Penetrate data centre offshore via traditional human methods or cyber attack Collect and analyse project identifiers in database Collect orders and establish scale of servers and defences Mobilise denial of service resources now known to be able to destroy hosting at will
  10. 10.  Threat actors FIS, crime, competitors want to identify targets for corruption related to specific contracts HR and travel expenses moved offshore Use open source material to identify timing of contract negotiation and award Target country is known - penetrate data centre or create and remove copy (could acquire rotating backups) Mine travel expenses to find all trips to target country in window and create long list Qualify list with HR system look for expensive life, large family, lower bonus etc Go back to expenses to find detailed behaviours, bar bills, timing, phone call duration .......... Short list targets and move to more traditional methods
  11. 11.  Open source used to index low grade bulk data Structure of data is as valuable as the data itself Mining and profiling used to enrich data Traditional methods still needed but this improves chance of success significantly Access to data set or actual system is assumed in target country despite countermeasures Attacks are cyber used to enhance traditional approaches
  12. 12.  Scramble data before off shoring Remove structure from orders Reassemble in UK Anonymous HR records with numeric identifiers and address data and other pointers removed Scramble travel expenses and make claim to index number not person Other similar methods to scramble data and remove structure All reinserted in secure enclave in UK
  13. 13.  Off shoring can go ahead with residual risk lower than original solution Savings reduced by about 20% to pay for enclave in UK Information asset owners much more aware of real high impact risks Partnership with outsource provider strengthened Partner takes security function into other customers as expert adviser and secures new business
  14. 14.  Threats from sophisticated sources not well understood by asset owners Assumption that security will say NO! Savings reduced but project still went ahead and delivered a large net saving After solution risks were lower than original solution Ready for next break point off shoring can now go to any country even very high risk/low cost environments

×