Bill Lisse, CISSP, CISA, CGEIT, PMP, G7799
Corporate Information Security Officer
1/19/2011

Managing Security in Outsourced Information Technologies
Overview
• Shifting Sands
• Planning
• Source Selection and Award
• Contract Administration
• Termination
Risk is always involved when third-party entities are given access to sensitive customer data, privileged business operation details, or intellectual property vulnerable to public or competitor disclosure.
Shifting Sands
• InfoSec professionals are increasingly being required to manage risks in extended enterprises
• Security in contracting arrangements, especially Cloud Computing, has necessitated increased understanding
• Incidents like Heartland Payment Processing and Microsoft BPOS underscore the risks of outsourced IT
• Increasing use of IT outsourcing
  – New capabilities
  – Reduced Costs
  – Increased Storage
  – Highly Automated Flexibility
  – More Mobility
  – Allows IT to Shift Focus
  – Improved security – Depends? The focus of our discussion…
Shifting Sands: Typical IT Outsourcing Areas
• Network and IT infrastructure management
• Financial processing (such as credit cards and EDI)
• Web (B2B & B2C) portals
• Application development and maintenance
• Help desk services
• Data center management
• Systems integration
• Research and development (R&D)
• Product development
• Managed Security Services and Security Management
Information technology outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.
Planning: Business Requirements
• Security & Privacy Requirements
• Market Research
  – Capabilities of Potential Offerors (Small vs. Large Supplier)
  – Structure of the Market (Number of offerors, typical security offerings)
  – Standards and Expectations (ISO 27001, NIST, etc.)
• Due diligence
• Work Breakdown Structure and Schedule
  – Basis of comparison and security budgeting
  – What is expected? When is it expected?
• Risk Assessment
  – Inherent Risks (What can go wrong?) and Impact

Planning is the most critical phase of IT contract management – information security should be built into the contract at its inception.
Planning: Make-Buy Decision
• Can management tolerate the security risks?
  – Average breach cost is $6.5 million (USD)
• Acquisition Strategy
  – Contract Type: Traditional or Performance Based Acquisition; Fixed Price or Cost Reimbursable
  – Terms and Conditions: Security Service Level Agreement; Indemnification, Limits of Liability, “Right to Audit Clause”
  – Source Selection Criteria: What minimum security requirements must the offeror be able to meet?
Planning: Request for Proposal
• Background for security requirements
  – Compliance requirements (HIPAA, FERPA, FFIEC, etc.)
  – Management’s security requirements
  – International requirements
• Instructions for offerors
  – Security Interrogatories
• Source selection criteria
  – Minimum security requirements
Planning: Key Control Considerations
• Control environment
• Security considerations
  – Data protection risks
  – Security: network, physical, environment, personal and logical access
• System Development Life Cycle (SDLC) controls
• Change management controls
• Business continuity and disaster response

Key issues can range from requiring the vendor to maintain specified levels of security through employee awareness training and contractual obligations, to company indemnification by the vendor for any breaches.
Planning: Guidance for Small Business Providers
• How much pain can you take? Risk versus Reward Trade-off
• Minimum security expectations for any small business
  – Security Guide for Small Business, Microsoft Corporation, http://download.microsoft.com/download/3/a/2/3a208c3c-f355-43ce-bab4-890db267899b/Security_Guide_for_Small_Business.pdf
  – National Institute of Standards and Technology, Small Business Corner, http://csrc.nist.gov/groups/SMA/sbc/index.html
  – Commonsense Guide to Cyber Security for Small Businesses, U.S. Chamber of Commerce, http://www.uschamber.com/reports/commonsense-guide-cyber-security-small-businesses
  – Internal Control over Financial Reporting – Guidance for Smaller Public Companies, Committee of Sponsoring Organizations of the Treadway Commission, http://www.coso.org/ICFR-GuidanceforSPCs.htm
Source Selection and Award: Reviewing Proposals
• Independent Assessments (SSAE 16 [SAS 70] and ISAE 3402) and Certifications
  – Relevancy, scope, recency
• Minimum Security Requirements
  – Answers to questions (pass/fail, scalar ratings, etc.)
• Non-Disclosure Agreements
  – Protecting the offeror’s intellectual property
• Site Visit and Q&A
  – Facilitate security for visits
• Discussions and negotiations
Contract Administration
• Post-Award Conference
  – Kick-off meeting – Security Issues
  – What we agree will occur
  – Document and distribute minutes
• Internal Control Questionnaire
  – Baseline / Control Self-Assessment
• Internal Control Audits
  – Review of recurring internal control assessments
  – Security assessments
• Handling Disputes and Non-conformances
• Contract Modifications – Advise regarding the necessity, scope, and adequacy of changes
Contract Termination
• Terminate access
  – Physical
  – Logical
• Return of company assets
  – Hardware
  – Data
• Verify data disposal / retention
• Capture lessons learned
Don’t neglect contract termination; residuals and loose ends are real security risks.
Conclusion
• Shifting Sands
• Planning
• Source Selection and Award
• Contract Administration
• Termination