FEATURE:Outsourcing = bad security?

PREVIOUSLY : FALSE SENSE OF SECURITY

CHAPTER SIX : CAVEAT EMPTOR (Let the buyer beware)

For those organizations who simply can not afford the investment in resources (both people & technology), be sure of what services you are buying and specifically what exclusions there are in any outsource contract. Frequently, outsourcers offer low bids to get the business and then try to make it up for it in change or out-of-scope orders. But we now know that running IT security three years from now the way you run it today will not work. Threats, vulnerabilities and mitigation procedures have changed dramatically over the years and you must be able to adapt your contract and the underlying security architectures used to keep pace.

If you have questions about the service level commitments or the verbiage in the contract, consult a trusted advisor. A technology partner, independent auditor or legal counsel can help navigate through the complexities. For international and multi-national organizations, it is important to seek advice on compliance requirements in each country you do business in and find out how your service provider is addressing those requirements. Once you understand what the outsourcer is going to do, you need to figure out how you are going to fill the gaps.

Things to consider if you are going to outsource security, either in its entirety or as part of a bigger infrastructure outsource contract:

1. Note that compliance is the responsibility of the company, not the outsourcer;
2. How does the service you are buying enable you to better manage risk?
3. What are the terms of the agreement? Check SLAs, limitations and exclusions so you know exactly what you are getting for your investment;
4. Be prepared to respond when incidents occur – this means you need an incident response plan and someone to handle the response. You must require the contractor to support post-incident review.
5. Verify that your outsourcer is compliant with all relevant legislation where you do business and verify the security procedures and security best practices deployed by your service provider
6. Define security-related roles and responsibilities clearly and completely and specify clear security objectives in the SLA for integrity, confidentiality, availability, accountability and use control.
7. Appoint a security officer even if it is a secondary role to start. The security officer should have a direct reporting line to an executive empowered to address tough questions and make decisions that impact the risk exposure of the company.
8. Retain the ability to monitor and audit the outsourcer's environment to independently verify fulfillment of all the objectives and expectations.
9. Ensure contract terms are flexible enough to allow you to adapt to a rapidly changing threat landscape and to avoid being throttled by organizational walls that outsourcing erects and the difficulty of anticipating all the contingencies in a contract.
10. Measure contractor performance through security metrics such as number of incidents, time to respond to incidents, best practices benchmarking etc.
11. Even if you're using best practices frameworks such as the IT Infrastructure Library (ITL) or CoBIT for SLAs, make sure you don't rely on them for security - use security specific frameworks such as ISO 17799:2005 instead.

NEXT : MAKING A CAREFUL SELECTION ON SERVICE PROVIDER

NOTE : Thanks to Chris Thatcher from our North American practice for assisting with this chapter

CATEGORIES : 1feature, 1outsourcing, 1best practices, 1advice