Title:
Outsourcing information security
Personal Author:
Publication Information:
Norwood, MA : Artech House, 2004
ISBN:
9781580535311
Item Barcode | Call Number | Material Type | Item Category |
---|---|---|---|
30000010082496 | QA76.9.A25 A93 2004 | Open Access Book | Book |
30000010178926 | QA76.9.A25 A93 2004 | Open Access Book | Book |
30000010219376 | QA76.9.A25 A93 2004 | Open Access Book | Book |
Summary
This comprehensive and timely resource examines security risks related to IT outsourcing, clearly showing you how to recognize, evaluate, minimize, and manage these risks. Unique in its scope, this single volume offers you complete coverage of the whole range of IT security services and fully treats the IT security concerns of outsourcing. The book helps you deepen your knowledge of the tangible and intangible costs and benefits associated with outsourcing IT and IS functions. Moreover, it enables you to determine which information security functions should be performed by a third party, better manage third-party relationships, and ensure that any functions handed over to a third party meet good security standards.
Table of Contents

Section | Page |
---|---|
Foreword | p. xv |
Preface | p. xix |
Acknowledgments | p. xxv |
1 Outsourcing and Information Security | p. 1 |
First ... Some Definitions | p. 2 |
Second ... A Clarification | p. 2 |
Y2K as a Turning Point | p. 3 |
The Post Y2K Outsourcing Speed Bump | p. 5 |
Shaky Managed Security Services Providers | p. 6 |
A Prognosis | p. 7 |
The Information Security Market | p. 8 |
References | p. 9 |
2 Information Security Risks | p. 11 |
Threats | p. 11 |
From Internal Source | p. 11 |
From External Sources | p. 13 |
Review of Threats | p. 16 |
Vulnerabilities | p. 17 |
Computer Systems and Networks | p. 17 |
Software Development | p. 17 |
Systemic Risks | p. 18 |
Operational Risk | p. 19 |
Operator and Administrator Risk | p. 20 |
Complexity Risk | p. 21 |
Life-Cycle Risk | p. 21 |
Risks of Obsolescence | p. 23 |
Vendor Viability Risk | p. 24 |
Risk of Poor Quality Support | p. 24 |
Conversion Risk | p. 24 |
Risk of Dependency on Key Individuals | p. 25 |
Summary | p. 25 |
References | p. 25 |
3 Justifying Outsourcing | p. 27 |
Professed Reasons to Outsource | p. 27 |
The Basis for Decision | p. 28 |
Reasons for Considering Outsourcing | p. 28 |
Cost Savings | p. 29 |
Performance | p. 35 |
Security | p. 37 |
Expertise | p. 40 |
Computer Applications | p. 41 |
Support | p. 43 |
Financial Arrangements | p. 45 |
Summary | p. 47 |
The Other Side of the Outsourcing Decision | p. 48 |
References | p. 48 |
4 Risks of Outsourcing | p. 49 |
Loss of Control | p. 49 |
Viability of Service Providers | p. 50 |
Reasons for Abandoning Service | p. 54 |
Relative Size of Customer | p. 55 |
Quality of Service | p. 56 |
Tangibles | p. 56 |
Reliability | p. 56 |
Responsiveness | p. 57 |
Assurance | p. 57 |
Empathy | p. 57 |
Definitions | p. 59 |
The Issue of Trust | p. 59 |
Performance of Applications and Services | p. 62 |
Lack of Expertise | p. 63 |
Hidden and Uncertain Costs | p. 63 |
Limited Customization and Enhancements | p. 66 |
Knowledge Transfer | p. 66 |
Shared Environments | p. 67 |
Legal and Regulatory Matters | p. 67 |
Summary and Conclusion | p. 68 |
References | p. 68 |
5 Categorizing Costs and Benefits | p. 71 |
Structured, Unbiased Analysis--The Ideal | p. 71 |
Costs and Benefits | p. 72 |
Tangible Versus Intangible Costs and Benefits | p. 72 |
Objective Versus Subjective Costs and Benefits | p. 72 |
Direct Versus Indirect Costs and Benefits | p. 73 |
Controllable Versus Noncontrollable Costs and Benefits | p. 73 |
Certain Versus Probabilistic Costs and Benefits | p. 73 |
Fixed Versus Variable Costs and Benefits | p. 73 |
One-Time Versus Ongoing Costs and Benefits | p. 74 |
Tangible-Objective-Direct Costs and Benefits | p. 75 |
Tangible-Objective-Indirect Costs and Benefits | p. 78 |
Tangible-Subjective-Direct Costs and Benefits | p. 81 |
Tangible-Subjective-Indirect Costs and Benefits | p. 81 |
Intangible-Objective-Direct Costs and Benefits | p. 82 |
Intangible-Objective-Indirect Costs and Benefits | p. 82 |
Intangible-Subjective-Direct Costs and Benefits | p. 83 |
Intangible-Subjective-Indirect Costs and Benefits | p. 83 |
Next Chapter | p. 83 |
Reference | p. 84 |
6 Costs and Benefits Throughout the Evaluation Process | p. 85 |
Triggering the Process | p. 85 |
Different Strokes | p. 87 |
Analysis of Costs and Benefits | p. 87 |
The Evaluation Process | p. 91 |
Requests for Information and Proposals--Costs | p. 94 |
Costs to the Customer | p. 95 |
Costs to the Service Providers | p. 96 |
Requests for Information/Proposal--Benefits | p. 96 |
Benefits to the Customer | p. 96 |
Benefits to the Service Providers | p. 98 |
Refining the Statement of Work (SOW) | p. 99 |
Service Level Agreement (SLA) | p. 100 |
Implementation | p. 101 |
Transition Phase | p. 101 |
Transferring from In-House to Out-of-House | p. 101 |
Monitoring, Reporting, and Review | p. 104 |
Dispute Resolution | p. 104 |
Incident Response, Recovery, and Testing | p. 105 |
Extrication | p. 105 |
Summary | p. 105 |
References | p. 106 |
7 The Outsourcing Evaluation Process--Customer and Outsourcer Requirements | p. 107 |
Investment Evaluation Methods | p. 107 |
Including All Costs | p. 109 |
Structure of the Chapter | p. 111 |
The Gathering of Requirements | p. 111 |
Business Requirements | p. 112 |
Viability of Service Provider | p. 116 |
Financial Analysis | p. 116 |
Marketplace and Business Prospects | p. 117 |
Health of the Economy | p. 118 |
Marketplace Matters | p. 118 |
Competitive Environment | p. 119 |
Structure of the Business | p. 120 |
Nature of the Business | p. 121 |
Relative Sizes of Organizations | p. 121 |
Service Requirements | p. 123 |
Meeting Expectations | p. 123 |
Concentration and Dispersion of Business Operations and Functions | p. 124 |
Customer View of Satisfactory Service | p. 126 |
Technology Requirements | p. 127 |
The "Bleeding" Edge | p. 127 |
References | p. 128 |
8 Outsourcing Security Functions and Security Considerations When Outsourcing | p. 131 |
Security Management Practices | p. 134 |
Security Organization | p. 134 |
Personnel Security | p. 136 |
Other Human-Related Concerns of the Company | p. 137 |
Ameliorating the Concerns of Workers | p. 140 |
Asset Classification and Control | p. 140 |
Information Security Policy | p. 146 |
Adopt Customer Policy | p. 147 |
Adopt Service Provider's Policy | p. 147 |
Evaluate Responses to Due-Diligence Questionnaire | p. 147 |
Enforcement and Compliance | p. 147 |
Access Control and Identity Protection | p. 149 |
Application and System Development | p. 151 |
Operations Security and Operational Risk | p. 152 |
Security Models and Architecture | p. 153 |
Security Services--Framework | p. 153 |
Security Infrastructure | p. 153 |
Security Management and Control | p. 154 |
Framework | p. 154 |
Application to Service Providers | p. 154 |
Physical and Environmental Security | p. 155 |
Telecommunications and Network Security | p. 156 |
Cryptography | p. 158 |
Disaster Recovery and Business Continuity | p. 159 |
Business Impact Analysis | p. 159 |
Planning | p. 159 |
Implementation and Testing | p. 159 |
Legal Action | p. 160 |
Summary | p. 160 |
References | p. 161 |
9 Summary of the Outsourcing Process--Soup to Nuts | p. 163 |
Appendix A Candidate Security Services for Outsourcing | p. 171 |
Appendix B A Brief History of IT Outsourcing | p. 181 |
The Early Days | p. 181 |
Remote Job Entry | p. 182 |
Time-Sharing | p. 184 |
Distributed Systems | p. 185 |
Personal Computers and Workstations | p. 186 |
The Advent of Big-Time Outsourcing | p. 187 |
The Move Offshore | p. 188 |
And Now Security | p. 189 |
Networked Systems and the Internet | p. 190 |
The Brave New World of Service Providers | p. 191 |
The Electronic Commerce Model | p. 191 |
Portals, Aggregation, and Web Services | p. 192 |
Straight-Through Processing (STP) and Grid Computing | p. 194 |
Mobile Computing | p. 194 |
References | p. 195 |
Appendix C A Brief History of Information Security | p. 197 |
The Mainframe Era | p. 197 |
Isolated Data Centers | p. 197 |
Remote Access | p. 198 |
Distributed Systems | p. 200 |
Minicomputers | p. 200 |
Client-Server Architecture | p. 201 |
The Wild World of the Web | p. 202 |
The Wireless Revolution | p. 205 |
Where IT Outsourcing and Security Meet | p. 205 |
References | p. 207 |
Selected Bibliography | p. 209 |
Annotated References and Resources | p. 209 |
Books | p. 210 |
Newspapers, Journals, and Magazines | p. 211 |
Computer-Related Publications | p. 211 |
Security Publications | p. 219 |
Business and Business/Technology Publications | p. 220 |
Web-Based Resources | p. 222 |
Web-Based Resources Related to Specific Publications | p. 225 |
Conferences and Seminars | p. 226 |
Publications from Professional Associations and Academic Institutions | p. 228 |
Government Sources: Legal and Regulatory | p. 229 |
Vendors and Service Providers | p. 231 |
Education and Certification | p. 232 |
About the Author | p. 235 |
Index | p. 237 |