
BSI BIP 0116:2010





Managing Security in Outsourced and Offshored Environments
How to safeguard intellectual assets in a virtual business world
David Lacey

First published in the UK in 2010 by BSI, 389 Chiswick High Road, London W4 4AL

© British Standards Institution 2010

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

The right of David Lacey to be identified as the author of this Work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Frutiger by Helius – www.helius.biz
Printed in Great Britain by Berforts Group – www.berforts.com

British Library Cataloguing in Publication Data: a catalogue record for this book is available from the British Library.

ISBN 978 580 68701

Contents

Acknowledgements x
Foreword xi
1 Introduction 1
1.1 Purpose 1
1.2 Audience 1
1.3 Scope 1
1.4 Limitations
1.5 Provenance
1.6 Content and structure 3
2 Fundamentals of outsourcing 5
2.1 The case for and against outsourcing 5
2.2 What’s special about outsourcing?
2.3 What changes when we outsource? 10
2.4 The implications for information and security governance 13
2.5 Key requirements for success 16
2.6 Learning points from this chapter 19
3 Forms of outsourcing and offshoring 20
3.1 What we mean by outsourcing and offshoring 20
3.2 A global industry 20
3.3 Wide variation in scope 21
3.4 Outsourcing options 22
3.5 Subcontracted services 22
3.6 Outsourced services 27
3.7 Offshored services 29
3.8 Cloud computing services 31
3.9 Learning points from this chapter 32
4 Business drivers for outsourcing 34
4.1 How business motives shape security expectations 34
4.2 Common business motives for outsourcing 35
4.3 Cost savings 35
4.4 Headcount reduction 37
4.5 Moving to a variable cost basis 39
4.6 Access to a broader skills base 40
4.7 Managing legacy systems and infrastructure 42
4.8 Moving data or processes to a new platform 43
4.9 Building a global support capability 43
4.10 Achieving global network leadership 44
4.11 Gaining a quality improvement 45
4.12 Learning points from this chapter 46
5 Planning and preparation 49
5.1 Security throughout the outsourcing lifecycle 49
5.2 Strategic considerations 50
5.3 Reviewing the scope of the outsourcing 53
5.4 Classifying information assets 55
5.5 Conducting a risk assessment 62
5.6 Reviewing policies and standards 71
5.7 Learning points from this chapter 86
6 Selecting a supplier 89
6.1 Key questions to consider 89
6.2 The selection process 89
6.3 The importance of due diligence 91
6.4 Conducting security checks on suppliers 92
6.5 Independent audits and certificates 94
6.6 Questions to ask a supplier 95
6.7 Security selection criteria 97
6.8 Learning points from this chapter 99
7 Developing and negotiating the contract 101
7.1 The importance of a good contract
7.2 Steps in negotiating the contract 103
7.3 Negotiating strategy and tactics 105
7.4 Ensuring confidentiality and privacy of data 108
7.5 Building flexibility for future change 109
7.6 Developing the security schedule 111
7.7 Customer responsibilities 120
7.8 Avoiding common legal pitfalls 121
7.9 Learning points from this chapter 124
8 Implementing the new arrangement 127
8.1 Planning considerations
8.2 Critical success factors for security governance 130
8.3 The Deming Cycle 131
8.4 Risk management 133
8.5 Business continuity 135
8.6 Audit rights 136
8.7 Security investigations 138
8.8 Learning points from this chapter 139
9 Managing the relationship 142
9.1 Building a successful relationship 142
9.2 Relationship management 144
9.3 Managing diversity and different cultures 145
9.4 Resolving disputes 148
9.5 Managing incidents across organizational boundaries 152
9.6 Security improvements 154
9.7 Learning points from this chapter 155
10 Review, termination and exit 157
10.1 Planning for a major change 157
10.2 Exit and termination strategies 159
10.3 Information security considerations 161
10.4 Learning points from this chapter 165
11 Security and risk in cloud computing 167
11.1 Cloud computing services 167
11.2 Forms of cloud computing services 168
11.3 A hierarchy of services 169
11.4 The importance of architecture 171
11.5 Benefits and risks 171
11.6 Security services in the cloud 172
11.7 Security opportunities presented by cloud technologies 172
11.8 Models for cloud computing usage 173
11.9 Risks associated with cloud computing 176
11.10 Learning points from this chapter 178
Bibliography 181
Index 184

‘David is one of the rare breed of security professionals, possessing an encyclopaedic breadth of knowledge about security while, at the same time, having a depth of understanding that you know has been won from long and hard experience. What really makes David stand out is that he always has an interesting point of view, often with a fresh perspective on the challenges of security, and is clear about what needs to be done. He is also well respected for expressing his views, and can do so in a clear and concise way as a blogger, an author, a presenter, or even as a consultant.’
Dr Alastair MacWillson, Global Managing Director, Accenture Technology Consulting

‘Outsourcing key business services or moving to cloud computing is not without risk but can be managed. David Lacey has drawn upon 20 years’ experience and a significant industry study to write the handbook every manager should read before they sign the contract.’
Professor Paul Dorey, Visiting Professor, Royal Holloway, University of London

Security and risk in cloud computing

Developing an in-house cloud computing service might, at first sight, appear to be a sensible first step towards realizing the benefits of this new form of service delivery. In practice, however, it is unlikely to offer the same features and economies of scale as an external service, and such a compromise can introduce an additional set of complex changes on the longer-term journey to a fully externalized service. But regardless of the path chosen for the journey from in-house to external computing services, it is likely that, in most cases, enterprises will need to operate a combination of internal and external infrastructure, with complex interfaces and a need to govern and audit systems and services whose custodianship extends across corporate boundaries.

11.9 Risks associated with cloud computing

For many organizations, cloud computing introduces a radical shift in thinking about the very nature of governance processes, demanding an acceptance of the concept that custodianship of sensitive data and services can be safely delegated to a remote third party operating an external, invisible infrastructure shared by many other customers. From one perspective, we can compare it with the use of everyday electronic banking and e-commerce services, which most of us are comfortable in using without any hesitation. But there are key differences between the occasional use of systems designed specifically for e-commerce, and the transfer of critical legacy business systems to a less secure operating environment.

It is also important to recognize that not every third-party service provider is capable of delivering an equal level of security protection, so this degree of uncertainty needs to be carefully calculated and managed. In particular, questions will need to be asked about the degree of segregation of stored and processed data from other users of the cloud service, as well as the level of access granted to service managers, and the range of checks and controls applied to protect against internal and external breaches or misuse of sensitive data.

The implications for regulatory compliance must also be addressed, as the supplier’s standard terms and conditions might not be sufficient to meet specific legal, compliance or audit requirements. Indeed, some cloud services are not suitable for processing credit card transactions, for example, because the service providers are not able to provide either the access or the guarantee of compliance required to meet the Payment Card Industry Data Security Standard.

If the data that will be stored and processed in the cloud service includes personal data on customers or employees, then there will be obligations under European data protection rules for the data controller (the customer organization) to ensure that appropriate security measures are put in place to safeguard the data. This is complicated by the fact that the level of security that might be deemed appropriate is not absolute, but depends on the sensitivity of the data and the harm that might arise from a data breach. Establishing this will require a risk assessment to be carried out, a review of the security controls applied by the service provider, a contract that specifies an appropriate level of security, and suitable processes to monitor and maintain this level of protection.

Data protection requirements can also be impacted by a transfer to a different jurisdiction. In particular, there are restrictions on transfers of personal data outside of Europe unless an adequate level of protection can be ensured. If the data centre is in the USA, this can be achieved by the service provider adhering to the ‘safe harbour’ framework developed by the US Department of Commerce and the European Commission. Personal data can also be sent outside of the European Union if a model contract is put in place. These methods, however, do not allow any sharing of the data with subcontractors, which can present problems for many cloud service operators.

The current regulatory trend towards mandatory reporting of any data breaches affecting individuals will also require close cooperation with the service provider, to ensure that such breaches can be promptly identified, reported, investigated and remedied. In addition, the fact that data will be spread across a shared infrastructure encompassing a range of legal jurisdictions introduces a range of new risks, ranging from issues raised by legal discovery demands to those presented by confiscations of computer servers as evidence by law enforcement investigators.

As with all outsourcing arrangements, cloud computing demands careful attention to the contractual conditions to avoid subsequent legal issues, including even the possibility that the supplier might claim rights to the use or ownership of data or intellectual property stored in the cloud. For many low-cost, commodity cloud services such contracts might not be negotiable, presenting significant residual risks and liabilities.

A further consideration is the impact of a transfer to a cloud service on existing arrangements for information sharing or collaboration with third parties, which can reduce or heighten certain security risks. In-house services enable tighter control of third-party access to data, but they can also present a risk to other enterprise systems and infrastructure through the need to open up the network perimeter to external business partners.

Organizations might view the move to a cloud computing model as a convenient solution to existing infrastructure management problems. But in practice this is unlikely to be the case, as system migration issues and the need for new skills are likely to present many demanding short-term and long-term challenges. The move to cloud computing presents no less than a radical shift in IT planning, architecture and operational management.

Service levels associated with cloud computing services might be less guaranteed than the same levels that can be achieved within a private, dedicated network. Cloud services, as well as the public networks they rely on, are designed to be readily scalable, but they are also intended to be operated at a much higher level of utilization, presenting a potentially higher risk during periods of peak activity and demand. Moving from a devolved set of services to a large, centralized, standardized service can also present a greater risk from single-point failures, for example a security flaw or catastrophic failure in the hypervisor software that manages the underpinning virtualization process, which would result in large-scale disruption of services. Areas such as network performance management, business continuity management and the ability to prioritize business applications will become increasingly critical to ensuring the quality and continued delivery of critical business services.

Transactions within a cloud application service are unlikely to be encrypted to protect them from unauthorized viewing or interception, but the same restriction generally applies to most in-house services. What is different is that any decision to incorporate such a safeguard will be largely in the hands of the cloud service provider, who will need to cooperate with such a change, as well as being technically and operationally capable of applying such countermeasures.

11.10 Learning points from this chapter

This chapter has explored the security issues associated with cloud computing services. Key learning points to note can be summarized as follows.

• Cloud computing is a new approach to IT service delivery, offering greater efficiency and lower costs through sharing of hardware and software resources. The user might have no assurances as to where the data resides, or how it is stored and processed, presenting a new set of challenges for security managers.

• In previous chapters we have emphasized the need for detailed specifications of security requirements, carefully negotiated contracts, and thorough examination of the outsourcer’s capabilities. This does not fit the world of cloud computing, which aims to deliver cheap, generic services through economies of scale.

• Cloud services are not usually designed to accommodate tailoring and auditing by individual customers, presenting constraints for due diligence and contract negotiation. The ideal solution is for the cloud service providers to provide ongoing, independent security assurances for users and their auditors. This justifies the development of a new security standard, as well as a strict standard for the professional skills and capabilities of the auditors.

• Cloud services need not be less secure than in-house services, as they can offer more up-to-date security features and employ professional security management. But an additional degree of risk will inevitably be introduced through loss of visibility and direct control over the management of services.

• Cloud services can be private, shared or public. They can operate at the application or infrastructure level. Systems can be protected through private infrastructure or made secure to operate across public networks. Most enterprises will need a combination of these options, resulting in complex interfaces and governance processes.

• Different cloud service providers can provide varying levels of security protection. Questions should be asked about the degree of segregation of data from other users of the cloud service, as well as the level of access granted to service managers, and the range of checks and controls to safeguard against breaches or misuse of data.

• Large, centralized, standardized services can also present risks from single-point failures, for example a flaw or catastrophic failure of the hypervisor software that manages the virtualization process, or of the external networks that connect users. Cloud applications offer many proprietary features to entice new customers, which can present a challenge for fallback and business continuity planning.

• Cloud services can also deliver information security services which offer benefits over in-house services, through their broader perspective on threats and incidents across a larger community of users. Care should be taken in evaluating the capabilities and motivation of vendors offering such services.
• The supplier’s standard terms and conditions might not be sufficient to meet legal, compliance or audit requirements. Payment card data will need to be protected to the Payment Card Industry Data Security Standard. Personal data on customers or employees will need to be safeguarded in accordance with data protection legislation, which can restrict transfers to different jurisdictions. Careful attention is required to contractual conditions, including the possibility that the supplier might claim rights to the use or ownership of data or intellectual property stored in the cloud.

As a final note, I am reminded of Dr Alastair MacWillson’s warning in his foreword to this book: ‘Organizations must be vigilant when it comes to confirming the security posture of the companies with which they do business, especially as business takes them to countries with differing standards for data protection and privacy. Always remember the maxim: choose your business partners with care!’

Bibliography

Allery, Philip: Tolley’s Effective Outsourcing: Practice and Procedure, Tottel Publishing, 2004
Benn, Ian & Jill Pearcy: Strategic Outsourcing: Exploiting the Skills of Third Parties, Hodder & Stoughton, 2003
Bravard, Jean-Louis & Robert Morgan: Smarter Outsourcing: An executive guide to understanding, planning and exploiting successful outsourcing relationships, Prentice Hall, 2009
Brudenall, Peter (Editor): Technology and Offshore Outsourcing Strategies, Palgrave Macmillan, 2005
Davies, Paul: What’s this India Business?
Offshoring, Outsourcing, and the Global Services Revolution, Nicholas Brealey Publishing, 2004
Fisher, Roger & William Ury: Getting to YES: Negotiating Agreement Without Giving In, Penguin, 1991
Heywood, J Brian: The Outsourcing Dilemma – The Search for Competitiveness, Prentice Hall-Gale, 2001
Hofstede, Geert & Gert-Jan Hofstede: Cultures and Organizations – Software of the Mind (2nd ed), McGraw-Hill, 2005
Jenster, Per V & Henrik Stener Pedersen, Patricia Plackett, David Hussey: Outsourcing Insourcing, The Chartered Institute of Purchasing & Supply, 2005
Kakabadse, Andrew & Nada Kakabadse: Smart Sourcing – International Best Practice, Palgrave MacMillan, 2002
Kobayashi-Hillary, Mark: Outsourcing to India – The Offshore Advantage (2nd ed), Springer, 2005
Lacey, David: Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers, John Wiley, 2009
Lewis, Amanda: Outsourcing Contracts – A Practical Guide, City & Financial Publishing, 2005
McIvor, Ronan: The Outsourcing Process – Strategies for Evaluation and Management, Cambridge University Press, 2005
Nierenberg, Gerard: The Art of Negotiating, Barnes & Noble, 1968
NISCC Good Practice Guide, Outsourcing: Security Governance Framework for IT Managed Service Provision, National Infrastructure Security Coordination Centre, 2006 (available at www.cpni.gov.uk)
Patel, Alpesh B: Outsourcing Success – The Management Imperative, Palgrave MacMillan, 2005
Pepper, Bill & Bridget: Intellect Data Security and Data Protection Guidelines for Offshoring and Outsourcing, Intellect, 2008 (published to members only at www.intellectuk.org)
Power, Mark J & Kevin Desouza, Carlo Bonifazi: The Outsourcing Handbook – How to Implement a Successful Outsourcing Process, Kogan Page, 2006
Sajeev, ASM & Sakgasit Ramingwong: ‘Mum Effect as an Offshore Outsourcing Risk: A Study of Differences in Perceptions’, Computer Journal (53: ), Oxford, 2010
Sparrow, Elizabeth Anne: A Guide to Global Sourcing – Offshore Outsourcing and Other Global Delivery Models, The British Computer Society, 2004

Standards

BS 7858, Security screening of individuals employed in a security environment – Code of practice
BS 25999-1, Business Continuity Management – Code of Practice
BS 25999-2, Specification for business continuity management
BS EN ISO 9001, Quality management systems – Requirements
BS EN ISO 14001, Environmental management systems – Requirements with guidance for use
BS ISO 28000, Specification for security management systems for the supply chain
BS ISO 28001, Security management systems for the supply chain – Best practices for implementing supply chain security, assessments and plans – Requirements and guidance
BS ISO 28003, Security management systems for the supply chain – Requirements for bodies providing audit and certification of supply chain security management systems
BS ISO 28004, Security management systems for the supply chain – Guidelines for the implementation of ISO 28000
BS ISO 31000, Risk management – Principles and guidelines
BS ISO/IEC 20000, Information technology – Service management
BS ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
BS ISO/IEC 27002, Information technology – Security techniques – Code of practice for information security management
BS ISO/IEC 27005, Information technology – Security techniques – Information security risk management
Control Objectives for Information and related Technology (COBIT), IT Governance Institute, 2007
PAS 99, Specification of common management system requirements as a framework for integration
Payment Card Industry (PCI) Data Security Standard, PCI Security Standards Council, 2009
PD ISO/IEC Guide 73, Risk management – Vocabulary – Guidelines for use in standards

Additional references

Statement on Auditing Standard No 70: Service Organizations, The American Institute of Certified Public Accountants, 1992
The Information Technology Infrastructure Library (ITIL), TSO, 2007
95 vetting of staff, 3, 26, 93 Virgo, Philip, 64 virtual teams, 47 visibility, loss of, , 3, 38 vulnerability management, 74, 78, 98 war, risk of, 36 wireless network policy, 74 Year 000 remediation programmes, 62 M anaging Security in Outsourced and Offshored Environments If you found this book useful, you may also want to buy: In form ation Security Risk Man agemen t: Han dbook for ISO/IEC 27001 Edward Humphreys The focus of this book is based around the concept of having an information security management system (ISMS) as a framework for achieving the effective management of information security risks International standard ISO/IEC 27001 is a world recognized standard for establishing, implementing, monitoring and reviewing, updating and improving an ISMS ISO/IEC 27005 is an ISMS risk management standard that supports the implementation of ISO/IEC 27001 This book is aimed at those business managers and staff involved in ISMS risk management activities It is a practical handbook for the use and application of ISO/IEC 27005 It provides guidance and advice to specifically support the implementation of those requirements specified in ISO/IEC 27001 :2005 that relate to risk management processes and associated activities • • A5 paperback · ISBN 97 80 580 607 45 · 53 pp · £3 95 · April 201 For more details see http: //shop bsigroup com/bip007 Cloud Com putin g: A Pra ctica l In troduction to th e Lega l Issues Renzo Marchini Much is being said about cloud computing, and in particular the benefits (both economic and environmental) and the risks But how are those involved in buying IT to judge the legal issues which arise, and how can contracts maximize the advantages and minimize the disadvantages? How can cloud service providers address the customer’s legal concerns so that the proposition remains viable for the customer and their own business? 
This book will introduce cloud computing (briefly) for those new to the concept, comparing the development of this new computing paradigm to other ways of buying computing resource. It will summarize the legal issues which arise, some of which are unique to cloud, others of which are more general but have a unique application to cloud. It will explore these legal issues, covering such areas as security in the cloud, data protection, service levels, and contractual issues. It will provide a practical resource for those involved in buying or providing cloud services, setting out practical steps to address legal issues both in the regulatory context and in the context of contracts between customer and suppliers. It also deals with issues which arise when the cloud service is used by regulated sectors, such as financial services.

A5 paperback · ISBN 97 580 03 22 · 00pp · £3 00 · November 01
For more details see http://shop.bsigroup.com/bip01

Managing Security in Outsourced and Offshored Environments sets out guidance, best practice and critical success factors for managing security risks associated with outsourcing and offshoring of IT and business services. The highly accessible content is structured in a logical sequence reflecting the lifecycle of outsourcing, from initial inception through to final contract completion. Building on real-life experience of designing and managing large-scale outsourcing programmes, as well as research sponsored by the UK Government Cyber Security Knowledge Transfer Network, the author sets out practical guidelines that address the major areas of risk. In particular, the book focuses on critical ‘softer’ management issues, such as strategy, risk assessment and relationship management, which ultimately determine the success of a major outsourcing programme. Managing Security in Outsourced and Offshored Environments is an invaluable guide for business managers, CIOs, security managers, risk managers, auditors, procurement managers, legal advisers, consultants, as well as university students studying IT, information security or business studies.

David Lacey is an IT and Security Director, with experience in large organizations such as the Royal Dutch/Shell Group and the Royal Mail Group. He is a member of the Infosecurity Europe ‘Hall of Fame’. His achievements include developing the original content of British Standard BS 7799, Information security management systems – Guidelines for information security risk management, achieving the world’s first accredited BS 7799 certification, and jointly founding the Jericho Forum. He is also the author of the book Managing the Human Factor in Information Security.

“An interesting and informative read on an extremely important, topical subject.”
Professor Fred Piper, Information Security Group, Royal Holloway, University of London

“Outsourcing and offshoring have, for a long time now, been a concern to the information security community. Implementing effective information security management principles in this difficult environment is key to the well-being of many organizations. David Lacey provides valuable leadership and insights with this timely contribution to this important area.”
John Colley, CISSP, Managing Director, (ISC)2 EMEA

“David combines superb practical guidance gained from his wealth of experience. This is a must-have comprehensive reference of essential standards, controls and legislation.”
Geoff Harris, President of the Information Systems Security Association (ISSA) – UK

BSI order ref: BIP 01
BSI Group Headquarters, 389 Chiswick High Road, London W4 4AL
www.bsigroup.com
The British Standards Institution is incorporated by Royal Charter.

Managing Security in Outsourced and Offshored Environments: How to safeguard intellectual assets in a virtual business world

Posted: 13/04/2023, 17:16
