InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance.

2 Agenda
- The complexities of outsourcing
- Brain surgery through binoculars (the wrong way around)
- Ways to approach InfoSec in outsourcing
- The secret of a good outsourcing arrangement
- Some things you really must do
- Some things that can help
- Questions

3 There are three types of outsourcing
- Outsourcing business services
- Outsourcing business functions
- Outsourcing security services

4 Possible complications
- de-mergers
- non-sale divestitures
- sell-offs
- off-shoring
* Where a significant relationship persists

5 Possible complications
- Outsourcing suppliers have done it before
- Many outsourcing decisions are political
- InfoSec people hear about outsourcing at the same time as the media
- InfoSec is rarely at the top of the agenda
- InfoSec is viewed as negotiable

6 Possible complications (diagram): “I have this… …and I want this”

7 Possible complications (diagram): “I have this… …and I want this”; plays hell with the metrics

8 Brain surgery through binoculars (the wrong way around)
The complexity of managing risks is significantly increased by this boundary.

9 The Taxi analogy
When you get into a taxi you can do one of three things:
- Give the driver detailed instructions
- State the destination and expect the driver to find the way
- Ask the driver to take you to a (good) restaurant, etc.

10 The three (main) approaches
- A very detailed control specification
- Specification of control objectives rather than controls, and monitoring for effectiveness
- Broad specification of controls, providing for evolution of the control regime

11 The type of contract affects the requirements
(diagram: a spectrum from detailed requirements to broad requirements, with cheque printing, web development and an HR system placed along it)

12 The secret of a good outsourcing arrangement

13 The secret of a good outsourcing arrangement: the relationship
“If you have to resort to the contract the relationship is not working”
“If you are not working on the relationship you may very soon regret it”
“If the relationship with your provider breaks down the contract is irrelevant”

14 Why relationships break down
- Expectations differ
- A clash of cultures
- Perceptions disrupt the relationship
- Trust and confidence have not been established

15 Preparation and Planning

16 Preparation and Planning
Information risk assessment of an outsourced business function is complex because there are three components.

17 Preparation and Planning
- Risk assessment
- Due diligence against the outsource company
  - SAS 70 Pt. 2
- Determining the appropriate control regime
  - A business issue, not a technology issue
- Transition
- Exit

18 Change and evolution
Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business.

19 Change and evolution
- Monitor performance against the evolution strategy
- Establish a forum to consider evolution plans
- Regularly review evolution plans
- Regularly review architectural issues
- Regularly review change management procedures

20 Exit strategy
The exit strategy is as important as the early transition.
The exit strategy must be defined before the contract is agreed, so that suitable provision for termination is in place before the outsourcing arrangement commences. This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning.

21 Exit strategy
- Data ownership
- Clean transition
- Archives
- Escrow
- IPR
- Legal and regulatory

22 Responsibilities and communication
- Skills and knowledge transfer
- Address staffing differences immediately
- Review roles and responsibilities
- Joint strategy for the resolution of security incidents
- Regular discussion of information security issues
- Work together to agree on the current top ten risks
- Agree an approach to managing the current top ten risks

23 Monitoring and audit
- Monitoring (against SLAs)
- Regular security audits
- Review of monitoring analysis
- Review incident management actions
- Corporate governance, regulator and FSA reporting
- Contingency preparation check/training
Security management needs to be delivered through defined and dedicated:
- methodologies
- processes
- delivery staff

24 SLAs - characteristics of good service items
- Measurable: in an objective, preferably automatic, way
- Specific: expressed unambiguously
- Repeatable: predictable, controllable service levels
- Valued: understood by the business, linked to business process
- Visible: not embedded in the IT architecture

25 Incidents and Incident Management
- Ensure accountability
- Review response to legal issues (privacy, etc.)
- Develop a joint strategy for resolution
- Review emergency response skills and controls
- Review monitoring information for incidents
- Ensure that perceptions of criticality are the same
- Review incident response procedures
- Check training in incident response

26 Conclusions
The contract
- Benefit from early preparation
- InfoSec is not always able to influence the contract
- Legal and regulatory requirements
- Termination is far too important to leave to the end of the contract
- Dynamic businesses favour less rigid contracts

27 Questions?