Managing Outsourcing Risks
A necessity for every organization, the IT security framework requires to be considered as a business process and not just a technology deployment
Tuesday, March 27, 2007

Security follows a basic principle: as the supply chain and lines of communication become longer, the opportunity to attack them increases. The adage that a chain is only as strong as its weakest link often applies to securing computer networks, because complexity increases when traffic is routed through multiple providers. Operating an effective IT security framework has become a necessity for every organization and needs to be treated as an essential 'business process' rather than just a technology deployment.

The Symantec Corporation Internet Security Threat Report analysis (July-December 2004) indicated a few alarming findings. One of the most serious threats from and to outsourcing is remotely controlled Trojans and bots, which constituted 33% of the top malware attacks. Specifically, 1,403 new vulnerabilities (more than 54 new vulnerabilities per week) were detected. Of these, 97% were considered moderately or highly severe, meaning that successful exploitation of the vulnerability could result in a partial or complete compromise of the targeted system.

Outsourcing is usually done to minimize expense, but assessments should compare total expense for both a given level of performance and a given level of risk or protection. To date, the comparisons have often been made at the performance and cost level without due consideration of the risk factor.

Co-sourcing security monitoring and management to an expert Managed Security Services Provider (MSSP) offers the best of both worlds: a service of higher quality at a lower price than in-house management. It provides 24x7 monitoring; shared resources allow for reduced costs; a shared customer base allows for augmented security knowledge; experts keep a constant vigil; and a proactive approach to security can find patterns in anomalies that would otherwise go unnoticed. It also gives an independent perspective on the security posture of an organization and helps maintain a system of checks and balances with in-house personnel.

According to Gartner, a research and IT consulting company, Managed Security Services (MSS) is one of the fastest growing segments in the security marketplace. In terms of some reported market trends, Gartner reports that 60% of enterprises will outsource the monitoring of at least one network boundary security technology by 2005.

The first and foremost step for any MSSP that services global clients should be building a secure setup for itself, with special focus on its Operations Management Center (OMC), keeping in mind the importance of both technological and process re-engineering requirements.

Defense in Depth
Defense in Depth is a practical strategy for achieving information assurance. It provides for the restoration of information systems by incorporating protection, detection, and reaction capabilities for information, interactions, and infrastructure. It is a best-practices strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy works by building multiple layers of security, compartmentalizing the network and ultimately allowing specific security settings to be applied to individual network elements. It has been used to recommend a balance between protection capability on one side and cost, performance, and operational considerations on the other.

Certification and Compliance
Take a proactive approach, build an over-arching security framework, and minimize risk

A security framework gives companies a structured approach to addressing their total security requirements. For example, ISO 27001 provides organizations with a set of best practices and a methodology for developing an information security management system. The framework should be a comprehensive approach to security, from physical security to the security of software development. Once a framework is adopted, the next step is to put in place a series of security policies that protect the company against resource misuse, theft of information, virus/worm outbreaks and targeted attacks. The policy will also address the legislative requirements mandated for that industry. Outsourcing selected MSS by forming a partnership with an MSSP at a remote location is often a good starting point. Although the organization still owns its information security risk and business risk, a contract with an MSSP allows it to share risk management and mitigation approaches and enables it to maintain checks and balances.

Service providers and outsourcing companies should focus more on audits and assessments for process compliance and improvement. The audit should include all ongoing projects, projects closed within the last six months, and support functions, including key persons such as functional heads and project managers.

ISO 9001:2000 - Quality System Audit: For example, at HCL, a reputed certification body conducts a quality system audit every six months, starting with a certification/re-certification audit followed by surveillance audits every six months for three years, as a continuous process.

BS7799 - Information Security Management System: A reputed certification body conducts an Information Security Management System audit periodically, which started with a certification audit and is followed by surveillance audits in the 6th, 16th, 26th and 36th months, for three years, as a continuous process. Internal audits are conducted under the supervision of the CISO. This exercise is carried out at six-month intervals, and performance against it is reviewed by top management. The top management body specified for this purpose is the Security Apex Forum, comprising designated members within the ISMS. The technology used within the OMC and ODCs is backed by procedures to ensure that its security features are properly managed and configured, so as to obtain the security that the technology is capable of delivering.

Sarbanes-Oxley requires the right to audit outsourcers.
Companies should not just accept the suppliers' defined security plan and should check to see if they live up to it.

However, this strategy is not limited to technology controls alone. This recognizes that the entire framework can collapse and fail to meet the desired objectives of containment, surveillance and resilience unless people and operations are streamlined and aligned with the Information Security Assurance mission.
