Outsourcing: A Security Perspective

An introduction to the information security concerns in an outsourcing relationship.

  1. Outsourcing: From a Security Perspective
     Copyright 2003 Seccuris Inc. www.seccuris.com
  2. Introduction
     • Outsourcing: Basic types & Process
     • Impact: Management, Technical & Organizational Issues
     • Risk Measurement: Creating Metrics & Process for Outsourcing
     • Mitigation: Compensating Controls to protect your interests
     • Conclusions: Identifying & Measuring risk in your organization
  3. Outsourcing
     • Business Processes
     • Application Development
     • Infrastructure Services
  4. Outsourcing: Business Processes
     • Human Resources
     • Audit
     • Payroll Processing
     • Accounting
     • Electronic Funds Transfer
     • Investment Management
  5. Outsourcing: Application Development
     • Internal Facing Applications
     • External Facing Applications
     • Enhancement Projects
       • Interface Enhancement Projects
       • Report Enhancement Projects
       • Audit Enhancement Projects
  6. Outsourcing: Infrastructure Services
     • Desktop / Helpdesk Capabilities
     • Network Services
     • Specialized Application Servers
     • Information Security Monitoring
  7. Outsourcing
     • Primary security concerns focus on:
       • Availability
       • Integrity
       • Confidentiality
  8-13. Outsourcing: Outsourcing Process
     [Diagram, built up one phase per slide across slides 8 to 13: five phases left to right (INITIATION, SCOPING, INTEGRATION, PROVISION, TERMINATION), a PROVIDER lane and an INTERNAL lane, and an arrow labelled "Increased Vendor Reliance" running across the phases]
     Phase         Provider                                  Internal
     INITIATION    Service Proposal                          Requirements Definition; Vendor Selection
     SCOPING       Scoping Process                           Scoping Process
     INTEGRATION   Outsourcing Installation / Integration    Outsourcing Installation / Integration
     PROVISION     Outsourcing Provision                     Outsourcing Management; Annual Service Review
     TERMINATION   Termination Process                       Termination Process
  14. Outsourcing: IMPACT
  15. Impact
     • Management Issues
     • Technical Issues
     • Operational Risk
  16. Impact: Management Issues
     • Trust
     • Human Resource Issues
     • Shared Environment
     • Security controls issues
     • Hidden Costs
     • Managing Inevitable Change
  17. Impact: Management Issues
     • Lengthy Contracts
     • Changes to business practice & process
     • Changes to Management Structure
  18. Impact: Technical Issues
     • Potential violations of availability, integrity and confidentiality
     • Inherent dependency issues
     • Transition Risk
     • Greater technical exposures
  19. Impact: Technical Issues
     • Greater technical exposures
       • You are only as secure as the weakest point.
     • Does the outsourcing vendor have adequate:
       • Physical Protection
       • Policies & Procedures
       • Information Systems Safeguards
       • Information handling procedures
       • Change Control Processes
  20. Impact: Operational Risk
     • Changes to operation practices occur
     • Shift in internal & external dependencies
     • Shift in internal Competencies
     • Increase in IT related operational risk
     • Shift in overall operational risk toward outsourced function
  21. Outsourcing: Measurement
  22. Measurement
     • Protecting our interests through assessment
     [Process diagram from slide 13 repeated]
  23. Measurement: Outsourcing Process
     [Process diagram from slide 13 repeated]
  24. Measurement: Initiation Process
     • Original Competencies
     [Diagram: CORE COMPETENCY surrounded by four Supporting Competencies]
  25. Measurement: Initiation Process
     • Lost Competencies due to Outsourcing
     [Diagram: CORE COMPETENCY with its Supporting Competencies, Vendor Outsourced Offerings overlapping them, and a separate VENDOR COMPETENCY with its own Vendor Outsourced Offerings]
  26. Measurement: Initiation Process
     • Managed Competencies in Outsourcing
     [Diagram: CORE COMPETENCY with its Supporting Competencies and Vendor Outsourced Offerings alongside them]
  27. Measurement: Initiation Process
     (INITIATION phase. Provider: Service Proposal. Internal: Requirements Definition, Vendor Selection)
     • Key Failures
       • INT: Poor Definition of Internal Requirements
       • EXT: Weak or incomplete proposal of services (SLAs)
       • INT: Improper requirements for vendor selection
  28. Measurement: Initiation Process
     • Internal
       • Does Outsourcing support core objectives?
       • What is the importance of the process?
       • What requirements are key for success?
       • What controls are necessary for asset protection?
  29. Measurement: Initiation Process
     • Vendor
       • Experience in delivering requirements
       • Operations & Controls
       • Financial Condition & Audit Reports
  30. Measurement: Outsourcing Process
     [Process diagram from slide 13 repeated]
  31. Measurement: Scoping Process
     (SCOPING phase. Provider and Internal: Scoping Process)
     • Key Failures
       • INT: Poor Scope Definition
       • Both: Incomplete discussion of success metrics
       • Both: Undefined, misunderstood, or immeasurable SLAs
  32. Measurement: Scoping Process
     • Scope of Service
       • Provide assurance of performance, reliability, security & reporting
       • Required for Service Level Agreements (SLAs)
  33. Measurement: Scoping Process
     • Security & Confidentiality
     • Technical Controls
     • Legal Responsibilities
     • Audit Requirements
     • BCP/DR Plans
  34. Measurement: Scoping Process
     • Sub-Contractor Requirements
     • Assignment
     • “No” should not be a turn off!
  35. Measurement: Outsourcing Process
     [Process diagram from slide 13 repeated]
  36. Measurement: Integration Process
     (INTEGRATION phase. Provider and Internal: Outsourcing Installation / Integration)
     • Key Failures
       • Both: Improper level of access given
       • Both: Failure to implement required safeguards
       • Both: Failure to implement required policies & metrics
  37. Measurement: Integration Process
     • Duration
     • Dispute Resolution
     • Control Integration
  38. Measurement: Outsourcing Process
     [Process diagram from slide 13 repeated]
  39. Measurement: Provision Process
     (PROVISION phase. Provider: Outsourcing Provision. Internal: Outsourcing Management, Annual Service Review)
     • Key Failures
       • EXT: Failure to deliver services
       • Both: Poor communication
       • Both: Inadequate change control processes
       • Both: Ineffective measurement of service
  40. Measurement: Provision Process
     • Monitor Vendor Condition
     • Assess Quality of Service & Support
     • Monitor Contract Compliance
     • BCP/DR plan maintenance
  41. Measurement: Outsourcing Process
     [Process diagram from slide 13 repeated]
  42. Measurement: Termination Process
     (TERMINATION phase. Provider and Internal: Termination Process)
     • Key Failures
       • EXT: Failure to migrate all functions
       • Both: Failure to document process
       • INT: Failure to continue all functions internally
  43. Measurement: Termination Process
     • Transfer of knowledge
     • Transfer of Control
     • Audit Requirements
  44. Outsourcing: Mitigation
  45. Mitigation
     • Contractual Controls
     • Policy & Procedures
     • Technical Controls
  46. Mitigation: Contractual Controls
     • Liability Controls
     • Develop Contingency Plans
     • Detailed SLAs
     • Ensure contract revision abilities are utilized and reviewed
     • Detailed Termination Requirements
  47. Mitigation: Policy & Procedures
     • Create, accept and review Outsourcing Management Policies
       • Ensure key individuals from the outsourced function are responsible for outsourcing oversight.
       • Build conflict resolution and escalation procedures from specific & clear policy.
  48. Mitigation: Policy & Procedures
     • Create, accept and review Outsourcing Management Policies
       • Ensure cross-functional business teams review outsourcing arrangements for effectiveness.
       • Provide Information Security & Audit personnel unhindered review and communication processes.
  49. Mitigation: Technical Controls
     • Ensure BCP/DRP controls exist
     • Ensure Audit controls exist
     • Create proactive reporting mechanisms
     • Maintain service logging, reporting & review capabilities
  50. Conclusions
     • Clearly define requirements up front
     • Scope and agree on SLAs
     • Provision for change
     • Allow for communication & escalation
     • Maintain process oversight
     • Plan for worst (BCP/DRP)
     • Create a clear termination process
