Outsourcing Services
Providing the Bridge Between Companies and Outsourcing Providers Around the World.
IT Security in the Context of Outsourcing Contracts
Outsourcing Services page 2
Table of Contents
Trestle Group - Introduction
Outsourcing – Results of a Survey
IT Security - Framework
IT Security Using the Example of ASP
Trestle Group - Introduction
Service: focus on offshore outsourcing activities. Advice on formulating the outsourcing strategy, selecting suitable offshore partners and actually implementing the project / BPO.
What we do not do: support on legal questions!
Industry focus: telecommunications, financial services, manufacturing.
Locations: Frankfurt (HQ), Zurich, London, New York and Amman
[Figure: Outsourcing alternatives – outsourcing framework by activity level: BPO, infrastructure / hardware, applications (ASP)]
Outsourcing in Practice
Outsourcing activities will shift towards BPO in the future. In Germany in particular there is still a lot of potential in application and infrastructure outsourcing. Selective outsourcing seems to be prevailing over complete solutions.
Trestle Group Research – Survey Summer 2004
Industry scope: telecommunications, financial services and manufacturing.
Geographic scope: 16 countries, mainly EU
[Figure: Current outsourcing activities]
Trestle Group Research – Opportunities of Outsourcing
Besides the obvious cost advantage, the availability of resources and their greater flexibility play an important role.
[Figure: Advantages of outsourcing]
Trestle Group Survey – Challenges in Outsourcing
Critical success factors: "healthy" relationships are the key to success
Major challenges: the "legal part" enjoys high priority, especially against the background of offshoring.
[Figure: Success factors versus challenges]
Trestle Group Survey – Where Do Companies Want to Outsource To?
Besides established countries such as India and the Philippines, further attractive alternatives are establishing themselves. The wide choice makes careful selection necessary, taking into account, among other things, the legal framework conditions.
[Figure: Where to outsource?]
What is IT Security Risk?
[Figure: Assets exposed to IT security risk – customers, reputation, capital, people, shareholder value]
"The exposure to loss or damage from the reliance upon information technology to achieve organizational goals."
IT Security as a Risk
Information contributes to the achievement of a company’s goals
Risks are anything that endangers the achievement of these goals
Risks to information confidentiality, integrity and availability can threaten a company’s survival
It is essential to
Identify the risks specifically
Assess the impact of these risks
Assess the probability of occurrence of these risks
Institute measures to mitigate risks
IT Security Failure – Why, Who and What
Common causes of damage:
Human error 52%
Fire 15%
Dishonest people 10%
Technical sabotage 10%
Water 10%
Terrorism 3%
Responsible for damage:
Current employees 81%
Outsiders 13%
Former employees 6%
Types of computer crime:
Money theft 44%
Damage of software 16%
Theft of information 16%
Alteration of data 12%
Theft of services 10%
Trespass 2%
Source: Datapro Research
IT Security Definition
IT Security is a specific set of risk mitigation measures related to the
confidentiality,
integrity,
availability and
auditability
of data and systems. This encompasses manual and system processes, standards and technology-based solutions. These are interrelated to form a coherent control system based on a set of clearly defined policies.
Operational risk covers all risks associated with internal processes, systems and people. Thus, IT Security is a specific subset of operational risk.
IT Security Objective - Integrity
Integrity of Data or Systems
Ensuring that information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
IT Security Objective - Confidentiality
Confidentiality of Data or Systems
Protecting the information of customers and the institution against unauthorized access or use.
IT Security Objective - Availability
Availability
Ensuring authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
IT Security Objective - Accountability
Accountability
Ability to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.
Examples of IT Security Risks
(Table: risks per area, by security objective)
Area: Physical Facilities
  Auditability: Ineffective physical security
  Availability: Destruction, fire, water, physical attack
  Integrity: Intrusion, physical attack
  Confidentiality: Intrusion, physical attack
Area: Hardware
  Auditability: Non-detection
  Availability: Destruction, theft, fire, water
  Integrity: Physical attack, damage
  Confidentiality: Theft of codes, e.g. HW encryption
Area: Networks
  Auditability: Ineffective intrusion detection
  Availability: Overloads, spamming, worms
  Integrity: Firewall breach, code changes, backdoors, wiretaps
  Confidentiality: Hacking, spoofing, masquerading, eavesdropping
Area: Raw Data
  Auditability: Non-detection
  Availability: Loss, unrecoverability
  Integrity: Modification, viruses, Trojan horses, worms
  Confidentiality: Theft, copying, industrial espionage
Area: Systems
  Auditability: Non-detection
  Availability: Erasure, errors, system malfunction, worms
  Integrity: Changed programs, Trojan horses, viruses
  Confidentiality: Theft of codes, exposure of system entry points
Area: Information
  Auditability: Non-detection
  Availability: Erasure, loss of backup, obsolete archive copies
  Integrity: Erasure, modification, masquerading
  Confidentiality: Exposure, theft, publicity, copying, password exposure
Examples of IT Security Risks: Controls
(Table: controls per area, by security objective)
Area: Physical Facilities
  Auditability: Physical security logs
  Availability: Hot site, backup site, outsource
  Integrity: Physical access control, IDs, biometrics
  Confidentiality: Physical access control, IDs, biometrics
Area: Hardware
  Auditability: System monitors and alerts
  Availability: Redundancy, multiple processors
  Integrity: Restrict physical access, dark room operations, etc.
  Confidentiality: Restrict physical access, dark room operations, etc.
Area: Networks
  Auditability: Access logging, system performance monitor
  Availability: Redundancy, reliability (N, N+1, etc.), DRP, BCP
  Integrity: Firewalls, secure servers, DMZs, virus control
  Confidentiality: Restricting physical access, firewalls, DMZs, IPSec
Area: Raw Data
  Auditability: Error logging and reporting
  Availability: Restore, recovery, mirroring
  Integrity: Access controls, restricted physical access
  Confidentiality: Encryption, physical protection, access controls
Area: Systems
  Auditability: Service level reporter
  Availability: Checkpointing, system backups, restores
  Integrity: Access controls to programs and systems
  Confidentiality: Access controls to programs and systems
Area: Information
  Auditability: System logging
  Availability: Backups, archives
  Integrity: Access controls (user ID and password), cards, biometrics
  Confidentiality: Encryption, access controls (user ID and password), PKI
Outsourcing and IT-Security
Major considerations:
We are still responsible for safeguarding our assets even if we have outsourced their processing.
In case of litigation, we are still liable for violations of data privacy (Bundesdatenschutzgesetz), even if the data is hosted by another company
Intellectual Property resident in an outsourced facility may have a higher risk of being compromised
Data essential to company survival hosted in an outsourcing facility may pose a higher risk to the company
Legal issues
Accountability for Security clearly defined in outsourcing contract
Legal enforceability of measures, e.g. monitoring of staff keystrokes
Compliance to legal statutes and regulations, e.g. electronic signatures, Data privacy, encryption of cross-border data traffic, Tax and, in some cases, Transfer Pricing
Sanctions for information security violations may not be enforceable, e.g. forcing an outsourcing provider to dismiss a staff member for security violations may not be so easy
Retain the right to regular audit and recurring due diligence
Detection mechanisms to monitor security violations may be hard to enforce, e.g. video monitoring would be too expensive if outsourcing facility is thousands of miles away
Mitigation measures may be illegal in the outsourcing provider’s country, e.g. vetting employees, requiring disclosure of assets, etc.
Proving violations may be difficult
Enforcing liability claims may be difficult
Different laws, e.g. some countries do not have data privacy laws
Using the Example of Application Service Providing
Application service providers (ASPs) are companies that provide business applications or program functionality over networks. In contrast to application hosting, where applications are provided specifically for one customer, in application service providing several users access the applications provided in data centres.
Framework contract: classic components are partners, product, pricing model, contract term, capacity planning, penalties for underperformance / non-fulfilment, installation, etc.
SLAs: classic division into application, network and hosting. IT security, as a cross-cutting topic, appears in all sub-areas.
Application – IT Security Relevance
Application: definition of the application functionality
IT security aspects:
Protection against unauthorised access and guaranteeing access for authorised persons. Establishment of role profiles for selective access based on a well-founded authorisation concept.
Protection of the application against external attacks.
Ensuring the stability of the application.
Network – IT Security Relevance
Network: network connection between ASP and customer
IT security aspects:
Encryption of data during transfer over public lines.
No data loss when transmitting information
Installation of a VPN (Virtual Private Network) using encrypted TCP/IP connections. Possible trade-off between security and performance
Possibly redundant design of the line
Hosting – IT Security Relevance
Hosting: definition of the requirements for service and infrastructure.
IT security aspects:
Description of availability and maximum outage times.
Data protection through regular backups by the operator.
Guaranteeing physical security, e.g. through fire protection definitions
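As an added illustration (not part of the original slides), the following Python checks a period of provider-reported outage records against the hosting SLA's availability clause and the framework contract's penalty for underperformance. The outage records, the SLA thresholds and the penalty amount are all constructed values, and the exclusion of planned maintenance from downtime is an assumption that the contract itself would have to state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: outage records as an ASP provider might report them for
# June 2004 (hypothetical values, not data from the original slides).
OUTAGES = [
    ("2004-06-03T02:10:00", "2004-06-03T03:40:00", "planned"),
    ("2004-06-11T14:05:00", "2004-06-11T15:20:00", "unplanned"),
    ("2004-06-25T09:00:00", "2004-06-25T09:50:00", "unplanned"),
]

@dataclass
class SlaTerms:
    """Availability clause of the hosting SLA (hypothetical contract terms)."""
    availability_target: float      # e.g. 0.995 means 99.5 % per reporting period
    max_single_outage_minutes: int  # longest tolerated single unplanned outage
    penalty_per_breach: int         # contractual penalty per breached clause

def evaluate_period(outages, terms: SlaTerms, start: str, end: str) -> dict:
    """Measure availability over [start, end) and list breached SLA clauses.
    Planned maintenance is excluded from downtime (assumption: the contract
    must say so, otherwise provider and customer will count differently)."""
    period = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    unplanned = [
        datetime.fromisoformat(b) - datetime.fromisoformat(a)
        for a, b, kind in outages
        if kind == "unplanned"
    ]
    downtime = sum(unplanned, timedelta())
    longest = max(unplanned, default=timedelta())
    availability = 1 - downtime / period  # timedelta / timedelta gives a float
    breaches = []
    if availability < terms.availability_target:
        breaches.append("availability_target")
    if longest > timedelta(minutes=terms.max_single_outage_minutes):
        breaches.append("max_single_outage")
    return {
        "availability": availability,
        "downtime_minutes": downtime.total_seconds() / 60,
        "longest_outage_minutes": longest.total_seconds() / 60,
        "breaches": breaches,
        "penalty": terms.penalty_per_breach * len(breaches),
    }

if __name__ == "__main__":
    terms = SlaTerms(availability_target=0.995, max_single_outage_minutes=60,
                     penalty_per_breach=1000)
    print(evaluate_period(OUTAGES, terms, "2004-06-01T00:00:00", "2004-07-01T00:00:00"))
```

With the sample data the monthly availability target is met, but the 75-minute outage breaches the single-outage limit, so one penalty applies; tightening the target to 99.9 % instead breaches the availability clause.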
Thank you for your attention
Switzerland: The World Trade Center, Leutschenbachstrasse 95, 8050 Zurich
Germany: An der Welle 4, 60422 Frankfurt am Main
UK: Ropemaker Street, EC2Y 9HT London
USA: 245 Park Avenue, 10167 New York, NY
Jordan: Hayek Building 1st Circle Road, Amman
Contact us
Offices: Zurich: +41 1 308 3972 | Frankfurt: +49 69 759 38461 | London: +44 207 153 1006 | New York: +1 212 672 1740 | Amman: +962 79 666 6014