InfoSecurity and Outsourcing

17 March 2009

Colin Dixon
Head of Risk and Compliance
        Agenda

    •   The complexities of outsourcing
    •   Brain surgery through binoculars (the wrong way around)
    •   Ways to approach InfoSec in outsourcing
    •   The secret of a good outsourcing arrangement
    •   Some things you really must do
    •   Some things that can help
    •   Questions




2
    Outsourcing

    There are three types of outsourcing



    •   Outsourcing business services
    •   Outsourcing business functions
    •   Outsourcing security services




3
         Possible complications


     •     de-mergers
     •     non-sale divestitures
     •     sell-offs
     •     off-shoring




* Where a significant relationship persists



 4
     Possible complications


    • Outsourcing suppliers have done it before
    • Many outsourcing decisions are political
    • InfoSec people hear about outsourcing at the same time as the media
    • InfoSec is rarely at the top of the agenda
    • InfoSec is viewed as negotiable




5
      Possible complications

    [Diagram: "I have this…" on one side, "…and I want this" on the other]

6
     Possible complications

    [Diagram, as on the previous slide: "I have this…" and "…and I want this"]

        Plays hell with the metrics
7
     Brain surgery through binoculars (the wrong way around)

The complexity of managing risks is significantly increased by this boundary
 8
         The Taxi analogy




When you get into a Taxi you can do one of three things:

•   Give the driver detailed instructions

•   State the destination and expect the driver to find the way

•   Ask the driver to take you to a (good) restaurant etc.

     9
          The three (main) approaches

•   A very detailed control specification

•   Specification of control objectives rather than controls, and monitoring for effectiveness

•   Broad specification of controls, providing for evolution of the control regime

     10
      The type of contract affects the requirements

[Diagram: a spectrum running from "Detailed requirements" to "Broad requirements", with cheque printing at the detailed end, an HR system in the middle and web development at the broad end]

 11
     The secret of a good outsourcing arrangement




12
           The secret of a good outsourcing arrangement

  “If you have to resort to the contract the relationship is not working”

  “If you are not working on the relationship you may very soon regret it”

  “If the relationship with your provider breaks down the contract is irrelevant”
      13
         Why relationships break down

     •   Expectations differ
     •   A clash of cultures
     •   Perceptions disrupt the relationship
     •   Trust and confidence have not been established




14
     Preparation and Planning




15
         Preparation and Planning
     Information risk assessment of an outsourced business function is complex because there are three components




16
          Preparation and Planning

     •   Risk assessment
     •   Due diligence against the outsource company
     •   SAS 70 Pt.2
     •   Determining appropriate control regime
     •   A business issue not a technology issue
     •   Transition
     •   Exit




17
       Change and evolution

     Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business


18
      Change and evolution




•    Monitor performance against evolution strategy
•    Establish a forum to consider evolution plans
•    Regularly review evolution plans
•    Regularly review architectural issues
•    Regularly review change management procedures




19
      Exit strategy
     The exit strategy must be defined before the contract is agreed so that suitable provision for termination is in place before the outsourcing arrangement commences.

     This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning.

       The exit strategy is as important as the early transition
20
         Exit strategy


     •   Data ownership
     •   Clean transition
     •   Archives
     •   Escrow
     •   IPR
     •   Legal and regulatory




21
           Responsibilities and communication

     •   Skills and knowledge transfer
     •   Address staffing differences immediately
     •   Review roles and responsibilities
     •   Joint strategy for the resolution of security incidents
     •   Regular discussion of information security issues
     •   Work together to agree on the current top ten risks
     •   Agree an approach to managing the current top ten risks.




22
         Monitoring and audit

     •   Monitoring (against SLAs)
     •   Regular security audits
     •   Review of monitoring analysis
     •   Review incident management actions
     •   Corporate governance, regulator and FSA reporting
     •   Contingency preparation check/training
     •   Security management needs to be delivered
          • defined and dedicated methodologies
          • processes
          • delivery staff



23
         SLAs - characteristics of good service items

•   Measurable - in an objective preferably automatic way
•   Specific - expressed unambiguously
•   Repeatable - predictable, controllable service levels
•   Valued - understood by the business, linked to business process
•   Visible - not embedded in the IT architecture




    24
         Incidents and Incident Management


     •   Ensure accountability
     •   Review response to legal issues - privacy etc.
     •   Develop joint strategy for resolution
     •   Review emergency response skills and controls
     •   Review monitoring information for incidents
     •   Ensure that perceptions of criticality are the same
     •   Review incident response procedures
     •   Check training in incident response




25
         Conclusions


     • The contract
     • Benefit from early preparation
     • Infosec is not always able to influence the contract
     • Legal regulatory requirements
     • Termination is far too important to leave to the end of the contract
     • Dynamic businesses favour less rigid contracts




26
                                  Questions?




Colin.dixon@mwrinfosecurity.com
        27

				