Presentation is loading. Please wait.

Presentation is loading. Please wait.

InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance.

Published byMartin George Modified over 9 years ago

Similar presentations

Presentation on theme: "InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance."— Presentation transcript:

1 InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance

2 2 Agenda The complexities of outsourcing Brain surgery through binoculars (the wrong way around) Ways to approach InfoSec in outsourcing The secret of a good outsourcing arrangement Some things you really must do Some things that can help Questions

3 3 There are three types of outsourcing Outsourcing Outsourcing business services Outsourcing business functions Outsourcing security services

4 4 de-mergers non-sale divestitures sell-offs off-shoring Possible complications * Where a significant relationship persists

5 5 Outsourcing suppliers have done it before Many outsourcing decisions are political InfoSec people hear about outsourcing at the same time as the media InfoSec is rarely at the top of the agenda InfoSec is viewed as negotiable Possible complications

6 6 I have this… …and I want this Possible complications

7 7 I have this… …and I want this Possible complications Plays hell with the metrics

8 8 Brain surgery through binoculars (the wrong way around) The complexity of managing risks is significantly increased by this boundary

9 9 The Taxi analogy When you get into a Taxi you can do one of three things: Give the driver detailed instructions State the destination and expect the driver to find the way Ask the driver to take you to a (good) restaurant etc.

10 10 A very detailed control specification Specification of control objectives rather than controls and monitoring for effectiveness Broad specification of controls, providing for evolution of the control regime The three (main) approaches

11 11 Detailed requirementsBroad requirements The type of contract affects the requirements Cheque printing Web development HR System

12 12 The secret of a good outsourcing arrangement

13 13 “If you have to resort to the contract the relationship is not working” “If you are not working on the relationship you may very soon regret it” relationship The secret of a good outsourcing arrangement “if the relationship with your provider breaks down the contract is irrelevant”

14 14 Expectations differ A clash of cultures Perceptions disrupt the relationship Trust and confidence has not been established Why relationships break down

15 15 Preparation and Planning

16 16 Preparation and Planning Information risk assessment of an outsourced business function is complex because there are three components

17 17 Preparation and Planning Risk assessment Due diligence against the outsource company SAS 70 Pt.2 Determining appropriate control regime A business issue not a technology issue Transition Exit

18 18 Change and evolution Evolution of the outsourcing arrangement is key to preventing it from becoming irrelevant to the business

19 19 Monitor performance against evolution strategy establish a forum to consider evolution plans regularly review evolution plans regularly review architectural issues regularly review change management procedures Change and evolution

20 20 The exit strategy must be defined before the contract is agreed so that suitable provision for termination is in place before the outsourcing arrangement commences. This is because the conditions at the end of the outsourcing arrangement may be completely different from those which prevail at the beginning. Exit strategy The exit strategy is as important as the early transition

21 21 Exit strategy Data ownership Clean transition Archives Escrow IPR Legal and regulatory

22 22 Skills and knowledge transfer Address staffing differences immediately Review roles and responsibilities Joint strategy for the resolution of security incidents Regular discussion of information security issues Work together to agree on the current top ten risks Agree an approach to managing the current top ten risks. Responsibilities and communication

23 23 Monitoring (against SLAs) Regular security audits Review of monitoring analysis Review incident management actions Corporate governance, regulator and FSA reporting Contingency preparation check/training Security management needs to be delivered defined and dedicated methodologies processes delivery staff Monitoring and audit

24 24 Measurable - in an objective preferably automatic way Specific - expressed unambiguously Repeatable - predictable, controllable service levels Valued - understood by the business, linked to business process Visible - not embedded in the IT architecture SLAs - characteristics of good service items

25 25 Ensure accountability Review response to legal issues - privacy etc. Develop joint strategy for resolution Review emergency response skills and controls Review monitoring information for incidents Ensure that perceptions of criticality are the same Review incident response procedures Check training in incident response Incidents and Incident Management

26 26 Conclusions The contract Benefit from early preparation Infosec is not always able to influence the contract Legal regulatory requirements Termination is far too important to leave to the end of the contract Dynamic businesses favour less rigid contracts

27 27 Questions? Colin.dixon@mwrinfosecurity.com

Download ppt "InfoSecurity and Outsourcing 17 March 2009 Colin Dixon Head of Risk and Compliance."

Similar presentations

[Organisation’s Title] Environmental Management System

[Organisation’s Title] Environmental Management System
University of York Planning for Process Review. Using our Vision, Strategy and Medium Term Planning to inform our business and process change agenda..

University of York Planning for Process Review. Using our Vision, Strategy and Medium Term Planning to inform our business and process change agenda..
How Global Can Testing Really Be? BCS – 11 th February 2008.

How Global Can Testing Really Be? BCS – 11 th February 2008.
Buying Better Outcomes Workshop 4 Equalities and Contract Management If you do not take it seriously, why should the supplier?

Buying Better Outcomes Workshop 4 Equalities and Contract Management If you do not take it seriously, why should the supplier?
Outsourcing – Managing for Success Stuart Payne, Morgan Chambers Copyright © 1999 Morgan Chambers plc Copyright © 1999 Morgan.

Outsourcing – Managing for Success Stuart Payne, Morgan Chambers Copyright © 1999 Morgan Chambers plc Copyright © 1999 Morgan.
Project Management Framework May 2010 Ciaran Whyte Risk Administrator Planning & Strategic Projects Unit.

Project Management Framework May 2010 Ciaran Whyte Risk Administrator Planning & Strategic Projects Unit.
1 Meeting On The Management Of Statistical Information Systems (MSIS), Oslo, May 18-20, 2009 Shri Narayanan, Economic Systems, TGS Jola Stefanska, STA.

1 Meeting On The Management Of Statistical Information Systems (MSIS), Oslo, May 18-20, 2009 Shri Narayanan, Economic Systems, TGS Jola Stefanska, STA.
Outsourcing risk Wade Martin Risk Manager - Cbus Super.

Outsourcing risk Wade Martin Risk Manager - Cbus Super.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
By Saurabh Sardesai www.starvaluemodel.com October 2014.

By Saurabh Sardesai October 2014.
Human Resource Auditing

Human Resource Auditing
1 Outsourcing and Offshoring Sandra Senti University of Chicago May 5, 2005.

1 Outsourcing and Offshoring Sandra Senti University of Chicago May 5, 2005.
Corporate Ethics Compliance *

Corporate Ethics Compliance *
Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.

Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.
Vendor Risk: Effective Management is Essential

Vendor Risk: Effective Management is Essential
Client-Specific, Operational Risk Management, Solution- Building Workshops The following pages show a list of workshops that may be provided individually.

Client-Specific, Operational Risk Management, Solution- Building Workshops The following pages show a list of workshops that may be provided individually.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Political context and PPP risk management Training event on risk management in PPP projects 26 May 2008 Twinning Project CZ/2005/IB/FI/04 Mikko AJ Ramstedt.

Political context and PPP risk management Training event on risk management in PPP projects 26 May 2008 Twinning Project CZ/2005/IB/FI/04 Mikko AJ Ramstedt.

Similar presentations

Ads by Google