Mastering IT security issues in outsourcing.
Savii, George ; Neidenbach, Norbert ; Wolf, Edwin et al.
1. INTRODUCTION
During the past years the demand for IT (Information Technology)
security has grown continuously, driven by more complex applications
and their inherent risks (Cisco 2007). At the same time, business
processes depend more than ever on an efficient IT (Phifer 2000). Given
this need for action, IT decision-makers must also consider the IT
security aspects of the "make or buy" question. The present study aimed
to develop a method for mastering IT security issues in outsourcing.
2. PARTIAL OUTSOURCING
2.1 Characteristics
Partial outsourcing centers on reducing and controlling IT security
costs. By transferring some parts of IT security to a provider, one can
reach greater efficiency and transparency, and the personnel-related
costs of IT security can be avoided. Having outsourced IT security, the
outsourcing company can concentrate more on its own core processes.
All these advantages are made possible by using a Managed Security
Service Provider (MSSP) (Cisco 2007, Choi & Seo 2005). Managed Security
Services (MSS) include, first of all, the operation of firewall and
Intrusion Prevention technology as well as various antivirus measures
(Ott 2001). Service performance, quality, availability and support are
controlled by a Service Level Agreement (SLA) agreed upon in advance
(Brittain & Matlus 2002).
The services range from mere monitoring of the client's systems to
service operation and to the outsourcing of services onto dedicated or
shared systems. On the European market the MSSP is still in its initial
stage, whereas it has never ceased to make its presence felt on the
American market.
The purpose of outsourcing should harmonize with the general
strategy of the company as well as with its aims, the established Return
on Investment (ROI) and the Total Cost of Outsourcing (Ott 2001).
2.2 Risks of IT-security outsourcing
The introduction and implementation of an MSSP may result in the
failure of IT security functions (Alner 2001, Phifer 2000).
A major risk lies in the fact that a company entrusts the protection
of its IT infrastructure to another company and thereby depends on an
outsourced service provider. In this way expert knowledge and
competence are lost and cannot be recovered.
The company providing the outsourcing services gains considerable
insight into the client company's security system. A risk assessment is
therefore the foundation of each and every outsourcing.
At the very beginning of the outsourcing the responsibilities, the
contact persons, the processes, information chains as well as technical
and organizational connections must be harmonized, defined and
documented (Pescatore 2001).
The Information Technology Infrastructure Library (ITIL) is a
framework of best-practice approaches intended to facilitate the
delivery of high-quality IT services (Van Schaik 2006, van Bon 2002). In
order to avoid risks, all ITIL processes, especially those related to
service support, must be observed. Furthermore, response and maintenance
intervals, monitoring and reporting must be established.
An in-depth analysis of the reported security problems has led to
the conclusion that one also must define the way of handling the demand
as well as the way of harmonizing the knowledge transfer between the
outsourcing provider and the internal IT.
2.3 Security measures
By outsourcing IT security functions, costs and internal capacities
can be saved through the outsourcing provider, and in this way greater
quality and better control can be achieved.
In this respect one must also assess the risks and the internal
expenses of controlling the MSSP and of the necessary in-house
processes, and it is of utmost importance to include the results of this
assessment in the decision. Neglecting these aspects results in higher
costs and an inefficient outsourcing.
In case of a contract negotiation one must:
* observe the security measures
* observe the service providing and SLA provisions
* observe the agreement upon regular auditing reports
* take into consideration the risk minimizing measures
3. TOTAL OUTSOURCING
3.1 Characteristics
In most cases the outsourcing of the whole of IT security is chosen
as a consequence of outsourcing the operative IT; this should be
distinguished from the outsourcing of individual IT security functions.
All operative IT security activities are transferred to the provider,
and the outsourcing company's own role is limited to:
* the strategic orientation within the field of IT security
* the control of the service provider
* the definition of the security demand on the basis of the business
processes
* the monitoring of compliance with legal requirements (e.g. by the
person in charge of data security or audit)
In this respect one must also take into consideration the internal
expenses as well as the tasks, resources and functions within the
general IT outsourcing costs.
3.2 Risks
Total outsourcing of IT, and implicitly of IT security, to an MSSP is
known to present both risks and advantages (Alner 2001, Phifer 2000).
It is of utmost importance to create a universal security
management in collaboration with the IT provider and to establish it
contractually in the SLAs. Under these circumstances the feasibility of
such a security management is also very important. The risks presented
by IT outsourcing can be reduced by means of evaluation and efficiency
control, which also guarantees a strong bond between the outsourcing
provider and the client.
3.3 Managed Security Services (MSS) process on the client side
The Managed Security Services (MSS) are based on the security
requirements of the business processes, on the general conditions of the
IT strategy, on risk management (among others, general security
directives) and on legal prescriptions.
The business process requirements regarding availability, privacy
and integrity are identified by means of a risk assessment which must
conform to the general risk management of the client.
Figure 1 presents an example of the representation of an IT
service's risk classes, based on the risk assessment.
The classification of IT services into risk classes and the
assessment of the risk potential of the business processes can be carried
out in consultation with the clients of the IT service.
Of utmost importance is the risk and expense analysis, by means of
which the risk minimization measures can be assessed with regard to
their expenses. The expenses of the security measures must be weighed
against the damage incurred in case of a security event.
In order to verify the implementation of the measures, a client
report (for the audit function as well as for the personnel in charge of
data security) must be drawn up. Automating the reporting reduces the
expenses and ensures its relevance. The security issues are thus
rendered transparent and can be efficiently highlighted.
[FIGURE 1 OMITTED]
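The following example is added here to illustrate the risk-class derivation and the risk and expense analysis of this section; it is not code from the paper. The max-of-requirements rule, the expected-loss model (damage per event times events per year) and all sample values are assumptions.

```python
# Added illustration (not from the paper): derive an IT service's risk class
# from the business-process requirements it serves, then test each measure's
# yearly cost against the expected loss it avoids (Section 3.3).
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
CLASS_NAMES = {1: "low", 2: "medium", 3: "high"}

@dataclass
class ProcessRequirement:          # availability / privacy / integrity need
    process: str
    availability: str
    privacy: str
    integrity: str

@dataclass
class Measure:
    name: str
    annual_cost: float
    frequency_reduction: float     # assumption: share of events prevented, 0..1

def service_risk_class(requirements):
    """Assumption: the service inherits the strictest need of any process using it."""
    level = max(max(LEVELS[r.availability], LEVELS[r.privacy], LEVELS[r.integrity])
                for r in requirements)
    return CLASS_NAMES[level]

def evaluate_measure(measure, impact, frequency):
    """impact: damage per security event; frequency: expected events per year."""
    loss_before = impact * frequency
    loss_after = loss_before * (1.0 - measure.frequency_reduction)
    benefit = loss_before - loss_after
    return {"measure": measure.name, "cost": measure.annual_cost,
            "benefit": benefit, "justified": benefit > measure.annual_cost}

def measures_report(requirements, measures, impact, frequency):
    """Report lines of the kind the paper wants generated automatically."""
    lines = [f"risk class: {service_risk_class(requirements)}"]
    for m in measures:
        r = evaluate_measure(m, impact, frequency)
        verdict = "adopt" if r["justified"] else "reject"
        lines.append(f"{r['measure']}: cost {r['cost']:.0f}, "
                     f"avoided loss {r['benefit']:.0f}, {verdict}")
    return lines

# Constructed sample data for a hypothetical customer-portal service.
SAMPLE_REQUIREMENTS = [ProcessRequirement("order entry", "high", "medium", "high"),
                       ProcessRequirement("newsletter", "low", "low", "low")]
SAMPLE_MEASURES = [Measure("24x7 MSSP intrusion monitoring", 40000.0, 0.6),
                   Measure("second firewall cluster", 60000.0, 0.5)]
IMPACT, FREQUENCY = 150000.0, 0.5  # constructed: loss per event, events per year
```

Calling `measures_report(SAMPLE_REQUIREMENTS, SAMPLE_MEASURES, IMPACT, FREQUENCY)` yields the risk class "high" and adopts only the first measure, because the second costs more per year than the loss it avoids.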
3.4 Managed Security Services Process at the Service Provider
The IT service provider must comply with the client's requirements
by means of IT security measures and sustained processes.
To allow standardization and a practical transition, it is a good
choice to implement the organizational, technical and physical measures
for the adopted protection class in the form of guidelines or process
directives, which are later tailored to the individual systems.
The full implementation of the measures of a security standard can
later lead to the certification of the IT infrastructure.
To prove the implemented measures, reporting must be done for
internal use, for the customer (IT department, person responsible for
data security, etc.) and also for possible audits. This reporting must
be automated as much as possible, so that costs are minimized and
timely updating and the necessary transparency are assured.
4. CONCLUSIONS
The analysis of the IT outsourcing processes and markets made it
possible to highlight the most important security aspects inherent to
IT outsourcing and to propose measures for their implementation. As
important aspects, the risks related to outsourced IT security, the
integration of outsourced IT security into the business processes and
the means of control within an outsourced IT security were presented
and analyzed.
The universal and unitary process presented in the paper, starting
with the risk evaluation and going up to the risk reduction measures,
makes it possible to avoid process gaps, to minimize losses and to
operate economically and efficiently in the IT security domain.
By means of the proposed methods, the IT security performance can
be fully controlled even within an outsourcing project, and the risks
can be held at bay.
5. REFERENCES
Alner, M. (2001) The Effects of Outsourcing on Information
Security. Information Systems Security, Auerbach Publications, CRC Press
LLC, May/June 2001, ISSN 1065-898X.
Brittain, K. & Matlus, R. (2002) Road Map for IT Service-Level
Management. Gartner Article Top View, 28 January 2002.
Cisco (2007) Managed Security for the Small and Medium-Sized
Business - The Benefits of Out-Tasking Security Services to a Qualified
Service Provider. White Paper, Cisco Systems, Inc.
Choi, Y.S. & Seo, D.I. (2005) An analysis of ISP's role as
managed security service providers (MSSPs). The 7th International
Conference on Advanced Communication Technology, ICACT 2005, Volume 1,
pp. 624-626, ISBN 8955191235, Phoenix Park, Korea, February 2005.
Ott, J. L. (2001) Managed Security Services. Information Systems
Security, Vol. 10, No. 4 (September/October 2001), pp. 299-321, ISSN
1065-898X.
Pescatore, J. (2001) Choosing a Managed Security Services Provider.
Gartner Research Note, 31 August 2001.
Phifer, L. (2000) Outsourcing Security Needs to a Managed Security
Service Provider. Available from:
http://searchsecurity.techtarget.com/onlineEventsTranscript/0,289691,sid14_gci511332,00.html.
Accessed: 2002-02-15.
van Bon, J. (Ed.) (2002) The guide to IT service management.
Addison Wesley, ISBN 0-201-73792-2.
Van Schaik, E. A. (2006) A Management System for the Information
Business. Red Swan Publishing, ISBN 1-933703-03-2.