Security for Outsourced IT Contracts

Posted 24-Apr-2015 (15 slides)

Page 1: Security For Outsourced IT Contracts

Bill Lisse, CISSP, CISA, CGEIT, PMP, G7799
Corporate Information Security Officer
1/19/2011

Managing Security in Outsourced Information Technologies

Page 2: Security For Outsourced IT Contracts

Overview

• Shifting Sands
• Planning
• Source Selection and Award
• Contract Administration
• Termination

Risk is always involved when third-party entities are given access to sensitive customer data, privileged business operation details, or intellectual property vulnerable to public or competitor disclosure.

Page 3: Security For Outsourced IT Contracts

Shifting Sands

• InfoSec professionals are increasingly being required to manage risks in extended enterprises
• Security in contracting arrangements, especially Cloud Computing, has necessitated increased understanding
• Incidents like Heartland Payment Processing and Microsoft BPOS underscore the risks of outsourced IT
• Increasing use of IT outsourcing
  – New capabilities
  – Reduced costs
  – Increased storage
  – Highly automated
  – Flexibility
  – More mobility
  – Allows IT to shift focus
  – Improved security – Depends? (The focus of our discussion…)

Page 4: Security For Outsourced IT Contracts

Shifting Sands – Typical IT Outsourcing Areas

• Network and IT infrastructure management
• Financial processing (such as credit cards and EDI)
• Web (B2B & B2C) portals
• Application development and maintenance
• Help desk services
• Data center management
• Systems integration
• Research and development (R&D)
• Product development
• Managed Security Services and Security Management

Information technology outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.

Page 5: Security For Outsourced IT Contracts

Planning – Business Requirements

• Security & Privacy Requirements
• Market Research
  – Capabilities of Potential Offerors (Small vs. Large Supplier)
  – Structure of the Market (Number of offerors, typical security offerings)
  – Standards and Expectations (ISO 27001, NIST, etc.)
• Due diligence
• Work Breakdown Structure and Schedule
  – Basis of comparison and security budgeting
  – What is expected? When is it expected?
• Risk Assessment
  – Inherent Risks (What can go wrong?) and Impact

Planning is the most critical phase of IT contract management – information security should be built into the contract at its inception.

Page 6: Security For Outsourced IT Contracts

Planning – Make-Buy Decision

• Can management tolerate the security risks?
  – Average breach cost is $6.5 million (USD)
• Acquisition Strategy
  – Contract Type: Traditional or Performance Based Acquisition; Fixed Price or Cost Reimbursable
  – Terms and Conditions: Security Service Level Agreement; Indemnification, Limits of Liability, “Right to Audit Clause”
  – Source Selection Criteria: What minimum security requirements must the offeror be able to meet?

Page 7: Security For Outsourced IT Contracts

Planning

• Request for Proposal
  – Background for security requirements
    · Compliance requirements (HIPAA, FERPA, FFIEC, etc.)
    · Management’s security requirements
    · International requirements
  – Instructions for offerors: Security Interrogatories
  – Source selection criteria: Minimum security requirements

Page 8: Security For Outsourced IT Contracts

Planning

• Key Control Considerations
  – Control environment
  – Security considerations
    · Data protection risks
    · Security – network, physical, environment, personal and logical access
  – System Development Life Cycle (SDLC) controls
  – Change management controls
  – Business continuity and disaster response

Key issues can range from requiring the vendor to maintain specified levels of security (through employee awareness training and contractual obligations) to indemnification of the company by the vendor for any breaches.

Page 9: Security For Outsourced IT Contracts

Planning – Guidance for Small Business Providers

• How much pain can you take? Risk versus Reward Trade-off
• Minimum security expectations for any small business

Security Guide for Small Business, Microsoft Corporation, http://download.microsoft.com/download/3/a/2/3a208c3c-f355-43ce-bab4-890db267899b/Security_Guide_for_Small_Business.pdf

National Institute of Standards and Technology, Small Business Corner, http://csrc.nist.gov/groups/SMA/sbc/index.html

Commonsense Guide to Cyber Security for Small Businesses, U.S. Chamber of Commerce, http://www.uschamber.com/reports/commonsense-guide-cyber-security-small-businesses

Internal Control over Financial Reporting – Guidance for Smaller Public Companies, Committee on Sponsoring Organizations of the Treadway Commission, http://www.coso.org/ICFR-GuidanceforSPCs.htm

Page 10: Security For Outsourced IT Contracts

Source Selection and Award – Reviewing Proposals

• Independent Assessments (SSAE 16 [SAS 70] and ISAE 3402) and Certifications
  – Relevance, scope, recency
• Minimum Security Requirements
  – Answers to questions (pass/fail, scalar ratings, etc.)
• Non-Disclosure Agreements
  – Protecting the offeror’s intellectual property
• Site Visit and Q&A
  – Facilitate security for visits
• Discussions and negotiations

Page 11: Security For Outsourced IT Contracts

Contract Administration

• Post-Award Conference
  – Kick-off meeting – Security Issues
  – What we agree will occur
  – Document and distribute minutes
• Internal Control Questionnaire
  – Baseline / Control Self-Assessment
• Internal Control Audits
  – Review of recurring internal control assessments
  – Security assessments
• Handling Disputes and Non-conformances
• Contract Modifications – Advise regarding the necessity, scope, and adequacy of changes

Page 12: Security For Outsourced IT Contracts

Contract Termination

• Terminate access
  – Physical
  – Logical
• Return of company assets
  – Hardware
  – Data
• Verify data disposal / retention
• Capture lessons learned

Don’t neglect contract termination; residuals and loose ends are real security risks.

Page 13: Security For Outsourced IT Contracts

Conclusion

• Shifting Sands
• Planning
• Source Selection and Award
• Contract Administration
• Termination

Page 14: Security For Outsourced IT Contracts

References

• Outsourced IT Environments Audit/Assurance Program, ISACA
• Cloud Computing Management Audit/Assurance Program, ISACA
• Supervision of Technology Service Providers, IT Examination Handbook, Federal Financial Institutions Examination Council, http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/outsourcing_booklet.pdf
• Global Audit Technology Guide (GTAG) 7, Information Technology Outsourcing, Institute of Internal Auditors
• Standards for Attestation Engagements (SSAE) No. 16, Reporting on the Controls of a Service Organization, American Institute of Certified Public Accountants
• Cloud Controls Matrix and Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance, http://www.cloudsecurityalliance.org/

Page 15: Security For Outsourced IT Contracts