Slashdot Mirror
Outsourcing Information Security
When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.
One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.
Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.
The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.
The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.
The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.
Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.
Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.
The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.
Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.
Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.
Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.
The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.
Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.
The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.
For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.
You can purchase Outsourcing Information Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.
Outsourcing began with the policies of Clinton late in his first term and into his second term. His policies made sense then and they do now. How companies use outsourcing, however, can be a problem for workers. When it gets to the point that companies have laid off enough workers, they will realize that the workers are customers of the economy and without jobs people don't buy much. Outsourcing is not something you can drop at the feet of a president, though.
http://www.busyweather.com/
Contrary to popular belief there is not a cracker/hacker/meanie in the world that actually wants to steal your data. Data is worthless. There is not a single market for it, even stuff that seems to be really valuable.
"But but but, I have lots of top secret plans for our X14 prototype for the new product line..."
Nope, Not Interested. The data on your new product line is a trade secret, and even if your biggest competitor didn't already think thier own product is superior, being caught with the data could cost them thier entire business.
"But but but, I have information on the new merger!"
Nope, same deal. Getting caught by the SEC means JAIL TIME for rich white men. They don't need that. Your competitors do NOT want to see your information.
"But I have millions of credit card numbers!"
So does google.
"But I have..."
No, nobody wants your data, get that through your head!
What they DO want, however, is your hardware. The VAST majority of hacking occours because someone wants to own your machines so they can be used as zombies in DDOS attacks and to send spam. Forget about protecting your useless data, but SECURE YOUR MACHINES, damn it.
There is a big debate in Canada about outsourcing to US based companies due to the fact that the Patriot Act allows the FBI access to databases. Canada has fairly strict privacy laws and the liability of sending this information to the US could be big since there is no way for a US company to refuse the FBI access. The British Columbian government is still thinking of going ahead with sending of medical information down to the United States. It should be an interesting election day issue come next April when the voters go to the polls for the local elections...
As such, I can understand that due to lack of really phenomenal success, and due to some colossal failures, it's hard NOT to laugh at morons who push off-shoring as the ultimate solution.
I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
Note that social security numbers are silly anyway - at least as proof of I.D. - they are publically known to a large numbers of government employees and other members of the public, and you have the same one for life. A string of symbols that follows you around like that has a name: "name". An SSN is a funny kind of government-allocated numeric NAME.
It's NOT a password. A password is a shared secret. It should be hard to guess, known only to the parties authenticating, and regularly and easily changeable. An SSN has none of those qualities (at least legitimately...).
Same for a credit-card number: The bank tells you to keep your number secret... but you have to give it to random people to pay for stuff. The security flaw is thus built into the system itself, and no amount of privacy law will fix it.
I don't really care that much, except for the fact that misguided privacy laws design to apply band-aids to the broken systems and general shut-barn-door-after-horse-bolted DON'T really increase my security - fixing the braindead security protocols of countless real-world interactions might, if only more people were intelligent enough to handle name vs. password ideas. Instead, privacy laws increase the power of ruling elites - They are above the law, and thus can spy on me anyway... but I'm subject to the law, and thus can't spy on them anymore. Each new privacy law is, ironically, a triumph for Big Brother.
Is not about providing better cheaper IT security services. It is about shifting liability.
People who bite the hand that feeds them usually lick the boot that kicks them
And in the end, does it really matter?
/ c/ a/2003/10/22/MNGCO2FN8G1.DTL
Anyone remember the story about how a Pakistani medical services person was holding up some records for ransom? Turned out that an SF hospital had outsourced their medical record transcription to a Sausalito (just north of SF) firm which outsourced some of this work to a Florida company which outsourced some of this work to a Texas company which outsourced some of this work to this Pakistani person.
No, seriously, think I'm engaging in hyperbole here? Check this out:
http://www.sfgate.com/cgi-bin/article.cgi?file=
So if you asked UCSF Medical Center "do you outsource information processing to China or India?" they'd honestly be able to say say "Oh, hell no! In fact, we even require our contractors not outsource anything to those countries or to anyone who outsources anything to those countries!"
Bleh.
Losers.. for the nth time understand the difference between outsource and off-shore..
Where the fuck was all this anti-offshoring movement when nike / reebok was selling you cheaper shoes (made in india/china), most of your apparel is made by the asian-tigers and a third world country like bangladesh. Now that you are losing your jobs (in the IT industry) you think it's not fair??? where were you when the others were losing their jobs???
First elect a president who is more concerned for america rather than unsuccessfully being world-police. Maybe things will change for you in due time.
and once again (n+1).. Outsourcing is not equal to off-shoring
Outsourcing is a part of a natural, healthy global capitalist economy.
The problem is that we do not have a natural, healthy global capitalist economy. We have a divided economy with a few rich and many poor countries with underdeveloped economies.
Aside from the problems for the rich countries (social division), a major consequence of imposed globalism now is that those underdeveloped economies will never be properly structured as they can't develop on their own.
Marxist evolution is just N generations away!
"No, Bush jr. isn't like Hitler; he's more like that clown, Mussolini.
That's why I call him 'Il Douche'
Bush is a lot like Mussolini in that Mussolini wanted fascism to be the combination of state and corporation. Bush's espoused ideology is communitarianism which when analyzed using semiotics is shown to be highly similar to fascism. Not totalitarianism, fascism.
I work for a large company (about 2500 employees in IT alone). Our policy is to do very little outsourcing. We only out source the types of tasks that are well defined, most of it in legacy support. Out sourcing works very well in these situations. Any new development is kept in house where it can be better managed, and changes can be made faster when requirements change.
Out sourcing has it's place, but it should only be used in certain situations.
See my Home Theater
... I did an outsourcing gig earlier this year. I was flogging my resume trying to find work when this recruiter called me and asked me to do a weekend job doing an upgrade rollout at a major bank.
I was told to show up on Friday afternoon and that I'd be working with a group pretty much all weekend. No one took a look at my ID, or had me sign anything. They believed me that I was eligible to work in the US even though most of my resume was working outside of the states. Asking around I found that this was the case with most of the forty odd nerds they had rounded up for the job.
We were all working for a subcontractor of a subcontractor of a major IT firm from Texas. We were all given pretty much free reign of the executive offices and all shared the same username and password. There was basically no supervision what so ever.
It would have been so easy to install a good deal of malicious software... heck, it wouldn't have been that hard to swap out the master image to take over pretty much every machine on the network.
I don't even want to think of what goes on in third world countries. That weekend really made me second guess what goes on in the US. If the bank had it's own IT staff, seven people who could work together could have done the same job that it took about sixty including supervisors and honchos and I am sure the cost of their salaries for a year was less than was wasted on that crew. The upside was they did buy us good pizza!!!
I'm actually making more money since I get OT while at a client's facility but I'm liking my work less. It doesn't look like things will be changing any time soon.... the US corporate world at its best!