Outsourcing information security


Document information

Outsourcing Information Security
C. Warren Axelrod
Artech House, Boston • London, www.artechhouse.com

For a complete listing of the Artech House Computer Security Series, turn to the back of this book.

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress.

British Library Cataloguing in Publication Data
A catalog record for this book is available from the British Library.

Cover design by Igor Valdman

© 2004 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-531-3

To my own in-house support team: Judy, David, and Elizabeth

Contents

Foreword xv
Preface xix
Acknowledgments xxv

Outsourcing and Information Security
  First … Some Definitions
  Second … A Clarification
  Y2K as a Turning Point
  The Post Y2K Outsourcing Speed Bump
  Shaky Managed Security Services Providers
  A Prognosis
  The Information Security Market
  References

Information Security Risks 11
  Threats 11
  From Internal Sources 11
  From External Sources 13
  Review of Threats 16
  Vulnerabilities 17
  Computer Systems and Networks 17
  Software Development 17
  Systemic Risks 18
  Operational Risk 19
  Operator and Administrator Risk 20
  Complexity Risk 21
  Life-Cycle Risk 21
  Risks of Obsolescence 23
  Vendor Viability Risk 24
  Risk of Poor Quality Support 24
  Conversion Risk 24
  Risk of Dependency on Key Individuals 25
  Summary 25
  References 25

Justifying Outsourcing 27
  Professed Reasons to Outsource 27
  The Basis for Decision 28
  Reasons for Considering Outsourcing 28
  Cost Savings 29
  Performance 35
  Security 37
  Expertise 40
  Computer Applications 41
  Support 43
  Financial Arrangements 45
  Summary 47
  The Other Side of the Outsourcing Decision 48
  References 48

Risks of Outsourcing 49
  Loss of Control 49
  Viability of Service Providers 50
  Reasons for Abandoning Service 54
  Relative Size of Customer 55
  Quality of Service 56
  Tangibles 56
  Reliability 56
  Responsiveness 57
  Assurance 57
  Empathy 57
  Definitions 59
  The Issue of Trust 59
  Performance of Applications and Services 62
  Lack of Expertise 63
  Hidden and Uncertain Costs 63
  Limited Customization and Enhancements 66
  Knowledge Transfer 66
  Shared Environments 67
  Legal and Regulatory Matters 67
  Summary and Conclusion 68
  References 68

Categorizing Costs and Benefits 71
  Structured, Unbiased Analysis—The Ideal 71
  Costs and Benefits 72
  Tangible Versus Intangible Costs and Benefits 72
  Objective Versus Subjective Costs and Benefits 72
  Direct Versus Indirect Costs and Benefits 73
  Controllable Versus Noncontrollable Costs and Benefits 73
  Certain Versus Probabilistic Costs and Benefits 73
  Fixed Versus Variable Costs and Benefits 73
  One-Time Versus Ongoing Costs and Benefits 74
  Tangible-Objective-Direct Costs and Benefits 75

Dr. Axelrod has chaired and participated in many professional and industry conferences throughout the United States, Europe, and Asia. He has published two previous books on computer management and more than 50 articles on many aspects of information technology, including computer and network security, contingency planning, and computer-related risks. He has chaired and presented at about 60 conferences for the financial services industry and for computer management, technology, and security professionals. Dr. Axelrod holds a Ph.D. in managerial economics from the Johnson Graduate School of Management at Cornell University in Ithaca, New York. He also earned a B.A. in electrical engineering and an M.A. in economics and statistics, both from the University of Glasgow, Scotland. He is certified as a CISSP and CISM.

Index

24/7 (twenty four by seven) coverage, 45, 158
A Programming Language (APL), 184
Abandoning services
  reasons for, 54
Accenture See Andersen Consulting
Access control, 39, 132–33, 149–51, 176
  to applications, 39
  to networks, 39
Access management See access control
Accuracy measures, 123
ACF2, 200
Acquisitions See mergers and acquisitions
Acxiom, 145–46
Administrative costs See costs of administration
Administrative fee See surcharge for administrative support
ADP, 114
Afghanistan, 64
Aggregation, 192–93
Alert service, 120, 174
Algol 60, 182
Amazon.com, 120
American Airlines, 127 See also SABRE system
Analysis
  structured and unbiased, 71–72
Andersen Consulting, 188
Anthrax,
Antivirus software See Information security software, antivirus
APL See A Programming Language (APL)
Application development, 39, 151–52, 177
  outsourcing of, 21, 132
Application service provider (ASP), 32, 41, 181, 182, 183, 184, 185, 190, 191
Applications and systems management, 177
Around-the-clock See round-the-clock
ARPAnet, 190
ASP See application service provider (ASP)
Assessment of vulnerabilities See vulnerability assessment
Asset classification, 132–33, 140–46
Asset control, 132–33
Assurance See quality measure, assurance
AT&T Solutions, 188
ATM cash machine, 199
Attacks
  purposeful,
Auditing, 174
Authentication, 172, 198
  using two factors See two-factor authentication
Authorization, 172
Availability, 36, 58–59, 62, 123
  intrinsic See intrinsic availability
Avoidance, 153, 173
Awareness of security See security awareness
Back door, 151
Background checks, 136, 172
Backup, 34, 79, 80
Bait-and-switch tactics, 63
Balance of power, 152
BANI See Bell Atlantic Network Integration (BANI)
Bankers Trust, 156
Banking Industry Technology Secretariat (BITS), 38, 39, 112, 168
Bankruptcies,
Base rate for service providers, 31–32, 92
Baseline for security See security baseline
Batch jobs, 183
Bathtub curve for equipment failures, 22
BCP See business continuity planning (BCP)
Bell Atlantic Network Integration (BANI), 188
Benefits
  certain See certain benefits
  controllable See controllable benefits
  direct See direct benefits
  fixed See fixed benefits
  for requirements phase, 93
  indirect See indirect benefits
  intangible See intangible benefits
  noncontrollable See noncontrollable benefits
  objective See objective benefits
  of RFI, 96–99
  of RFI/RFP to customer, 96–98
  of RFI/RFP to service provider, 98–99
  of RFP, 96–99
  of transition, 103–4
  one-time See one-time benefits
  ongoing See ongoing benefits
  overrated, 103
  probabilistic See probabilistic benefits
  subjective See subjective benefits
  tangible See tangible benefits
  tangible-objective-direct See tangible-objective-direct benefits
  tangible-objective-indirect See tangible-objective-indirect benefits
  variable See variable benefits
Benefits costs for employees See costs of employee benefits
Best practices, 58
BIA See business impact analysis (BIA)
Biometrics, 149
BITS See Banking Industry Technology Secretariat (BITS)
Blackberry pager, 205
Breakeven analysis, 108
British Standard (BS) 7799, 132–34
BSP See business service provider (BSP)
Business
  nature of, 121
  structure of, 120–21
Business continuity planning (BCP), 34, 36, 39, 64, 78, 132, 134–35, 159–60, 174, 177
Business decision, 112
Business failures, 8, 122
Business impact analysis (BIA), 159
Business life cycle, 112
  bankruptcy, 112
  declining, 112
  maturity, 112
  rapid growth, 112
  start-up, 112
Business process operations,
Business prospects, 117–18
Business recovery, 79
Business requirements, 112–16, 164
Business service provider (BSP), 32, 190
Businessland Inc., 188
CA See certificate authority (CA)
CAO See chief administrative officer (CAO)
Capacity metrics, 62, 123
CB radio See Citizens Band (CB) radio
CBA See cost-benefit analysis (CBA)
Certain benefits, 73
Certain costs, 73
Certificate authority (CA), 158
Certification
  of software, 120
  of staff, 31
Certified information security professional (CISSP), 131
CEUs See continuing education units (CEUs)
CFO See chief financial officer (CFO)
Checkpoint, 203
Chief administrative officer (CAO), 135
Chief financial officer (CFO), 135
Chief information officer (CIO), 124
Chief information security officer (CISO), 110, 135
Chief operating officer (COO), 135
Chief security officer (CSO), 135
China
  as an offshore location, 118
  outflow of work to, 7, 138
CIA See confidentiality, security and integrity (CIA)
CIO See chief information officer (CIO)
CISO See chief information security officer (CISO)
CISSP See certified information security professional (CISSP)
CISSP Body of Knowledge, 131–34
Citizens Band (CB) radio, 205
Client-server architecture, 201–2
Cold War, 203
Communications management, 39
Compensation
  limitations to, 42
Competitive environment, 119–20, 151
Completion time metrics, 123
Complexity of systems and services, 53
Compliance, 132, 134, 147, 148
  with legal requirements, 39
Computer and network costs
  categories of, 32–35
Computer applications
  design of See design of computer applications
  development of See development of computer applications
  implementation of See implementation of computer applications
  operation of See operation of computer applications
Computer Associates, 200
Computer viruses, 6, 14, 173
  MyDoom,
Computer worms, 6, 14
  Code Red,
  Nimda,
Concentration of functions, 124–26
Concentration of power, 124–26
Confidence
  loss of, 122
Confidential information, 38, 60, 142–44
Confidentiality, 37–38
Confidentiality, security and integrity (CIA), 37
Confirm system, 127
Conglomerate, 120
Contingency planning, 174
  offshore, 64–65
Continuing education units (CEUs), 31
Contract negotiation, 58
Control, 51
  loss of, 49–50
  retention of, 20–21
Controllable benefits, 73
Controllable costs, 73
Conversion to another service See setup
COO See chief operating officer (COO)
Cornell University, 182, 183
Cosourcing
  definition,
Cost per unit of service, 51
Cost savings, 29–35
  from labor, 29–32
Cost-benefit analysis (CBA), 107–8
Costs
  certain See certain costs
  controllable See controllable costs
  direct See direct costs
  excessive, 103
  fixed See fixed costs
  for requirements phase, 92–93
  for RFI, 94–96
  for RFI/RFP to customer, 95
  for RFI/RFP to service provider, 96
  for RFP, 94–96
  indirect See indirect costs
  intangible See intangible costs
  noncontrollable See noncontrollable costs
  objective See objective costs
  of overtime, 29, 32
  of administration, 29, 32, 92
  of customization, 43
  of employee benefits, 29, 32, 92
  of equipment, 32–33, 75–77
  of facilities, 29, 32, 34
  of furniture and fixtures, 77
  of implementation, 93
  of integration, 43
  of labor, 29–32, 75
  of obsolescence, 102
  of payroll taxes, 29, 32
  of salaries, 29, 32, 92
  of security, 34, 39
  of software, 32–33, 75–77, 93
  of supplies, 93
  of telecommunications, 33
  of third-party services, 77–78
  of training, 30–32
  of transition, 102
  of travel and accommodation, 29, 32, 92
  one-time See one-time costs
  ongoing See ongoing costs
  phasing of, 74
  probabilistic See probabilistic costs
  subjective See subjective costs
  tangible See tangible costs
  tangible-objective-direct See tangible-objective-direct costs
  tangible-objective-indirect See tangible-objective-indirect costs
  uncertain See uncertain costs
  underestimation of, 103
  variable See variable costs
Costs and benefits
  analysis of, 87–93
  categorization of, 71–83
  throughout evaluation process, 85–106
Countermeasures, 16
Credit risk, 80, 116
CRM See customer relationship management (CRM)
Cryptography, 132–33, 158
CSO See chief security officer (CSO)
Customer
  requirements of, 107–28
Customer relationship management (CRM), 191
Customer's policy
  adoption of, 148
Customization, 66
Customization costs See costs of customization
Cyber National Information Center,
Cyber security,
Cyber terrorism, 15–16
Damage, 11, 152
DARPA See Defense Advanced Research Projects Agency (DARPA)
Data creation, 141–46, 173
Data disposal and destruction, 141–46, 173
Data General (DG), 185
Data handling and processing, 141–46, 173, 177
Data owner, 141
Data storage, 141–46, 173
Data transmission, 141–46, 173
DDoS See distributed denial of service (DDoS)
DEC See Digital Equipment Corporation (DEC)
Defense Advanced Research Projects Agency (DARPA), 190
Defenses
  penetration of, 11
Defensive measures, 11
Department of Homeland Security (DHS), 6, 119
Dependency on single customer, 121
Design of computer applications, 41
Destruction
  willful,
Deterrence, 11, 153
Deutsche Bank, 156
Development of computer applications, 41
DG See Data General (DG)
DHS See Department of Homeland Security (DHS)
Digital Equipment Corporation (DEC), 185, 188
Direct benefits, 73
Direct costs, 73, 92
  for consultants, 92
Disaster recovery planning (DRP), 64, 78, 132, 134–35, 159–60, 174, 177
Disaster recovery services (DRS), 34, 36, 45, 46
  overbooking of facilities See overbooked resources in DRS facilities
Disciplinary action, 172
Discontinuance of service, 52
Discretionary services, 114–15
Diskettes See floppy disks
Dispute resolution, 104
Dissatisfaction of customer, 54, 93
Distributed denial of service (DDoS), 6, 173, 203
Distributed systems, 185–86, 200–2
Dot-com
  bubble, 4, 191
  companies, 5, 120
Dow Jones Industrial Index, 188
DRP See disaster recovery planning (DRP)
DRS See disaster recovery services (DRS)
Due diligence, 7, 110
  efforts, 6, 168
  evaluation of responses to, 147
  questions and requests, 38
Dumb terminal, 185
Dun & Bradstreet, 116
Ease of use, 53
Eastern Europe, 15
eBay, 120
Economic value added (EVA), 109
Economies of scale, 55, 122, 163
Economy
  health of, 118
Effectiveness, 31
Electronic certificates, 149
Electronic commerce model, 191
E-mail content screening software, 153, 173
Embezzlement, 139
Empathy See quality measure, empathy
Encrypted password file, 146
Enhancement See customization
Enron, 19, 20, 188
Enterprise resource management (ERM), 191
Environmental security See physical security
Equipment costs See costs of equipment
ERM See enterprise resource management (ERM)
Ethics, 132, 134
Europe, 59, 141, 150, 151
EVA See economic value added (EVA)
Expectations
  meeting of, 123–24
Expectations Matrix See IT Service Provider Expectations Matrix
Expertise, 40–41, 63
Extrication from agreement, 105
Facilities costs See costs of facilities
Facilities manager, 182
Failure
  impact of See viability of service provider
Failure rate curve for software, 22
Failures during off-hours, 36
Feasibility of projects, 46
Federal Reserve Board, 68, 150
Financial difficulty of service provider See viability of service provider
Firewalls, 153, 172, 190, 203
Fixed benefits, 73–74
Fixed costs, 73–74
Floppy disks, 204, 205
Fluctuations relating to projects, 43
Forensics, 174
Forrester Research, 117
FORTRAN, 182
Fraud, 139, 152
Frontier-technology products, 112
Function creep, 152
Funding
  inadequate, 54
Gartner Group, 117, 189
Gates, Bill, 18, 202
Geographic match of customer and outsourcer, 121
Giga Information Group, 117
Glass temples, 198
GLBA See Gramm-Leach-Bliley Act (GLBA)
Google, 120
Gramm-Leach-Bliley Act (GLBA), 68, 140, 150
Grid computing, 19, 194
Guards, 136, 172
Guideline for security See security guideline
Hacker
  as criminal, 14, 203
Hacker attacks, 40
Hard money, 183
Hardware costs See costs of equipment
Health Insurance Portability and Accountability Act (HIPAA), 140
Help desk, 44, 172
Hidden costs, 27, 50, 63–66
High priests, 198
HIPAA See Health Insurance Portability and Accountability Act (HIPAA)
Hiring practices, 38
History of information security, 197–207
History of IT outsourcing, 181–95, 205
Hosting services provider (HSP), 182, 184, 185, 190, 191
HSP See hosting services provider (HSP)
IBM Corporation, 183, 186, 188, 200
IBM World Trade Corporation, 185
Identification codes See identifiers
Identifiers, 149, 198
Identity badges, 136
Identity protection, 149–51
IDS See intrusion detection system (IDS)
Implementation of computer applications, 41
Implementation of service, 101
Inappropriate disclosure, 152
Incident response, 105, 173, 174
India, 138
  outflow of work to, 7, 44, 151
Indirect benefits, 73, 80–81
Indirect costs, 73, 78–79, 92
Information
  confidential See confidential information
Information Coordination Center,
Information security, 79–81
Information security outsourcing See outsourcing of information security
Information security risks, 11–25
Information security software
  antivirus, 8, 153
  vulnerabilities of,
Information technology (IT) outsourcers
  able to use, 28–29
Information technology (IT) outsourcing
  clarification of,
  definition of,
Insourcing
  definition,
  examples of, 88–91
Intangible benefits, 72
Intangible costs, 72
Intangible-objective-direct benefits, 82
Intangible-objective-direct costs, 82
Intangible-objective-indirect benefits, 82–83
Intangible-objective-indirect costs, 82–83
Intangible-subjective-direct benefits, 83
Intangible-subjective-direct costs, 83
Intangible-subjective-indirect benefits, 83
Intangible-subjective-indirect costs, 83
Integration of systems,
Integration costs See costs of integration
Integrity of data, 36–37, 58
Intellectual property, 37, 60, 151
Intelligent workstation, 185, 186–87
Internal information, 142, 144
Internal rate of return (IRR), 107–9
Internet, 150, 190, 191, 202, 206
  research on, 117
Internet economy, 120
Internet service provider (ISP), 158, 190
Intersourcing
  definition,
Intrinsic availability, 59
Intrusion detection system (IDS), 172, 173, 174, 190
Intrusion prevention system (IPS), 172
Investigation, 132, 134, 160
IPS See intrusion prevention system (IPS)
Iraq, 64
Ireland
  outflow of work to,
IRR See internal rate of return (IRR)
ISO 17799, 132–34
Isolated data centers, 197–98
Israeli military personnel, 203
IT outsourcing See information technology (IT) outsourcing
  history of See history of IT outsourcing
IT Service Provider Expectations Matrix, 38, 39, 168
J. P. Morgan Chase, 188
Job security, 137–38
Kidnapping, 136
Knowledge transfer, 50, 66
Kodak, 188
Labor costs See costs of labor
  categories of, 29–32
Law, 132, 134, 160
Leap of faith, 164
Leasing of equipment and facilities, 33
Legal and compliance risk, 81, 177
Legal and regulatory measures, 67–68, 163, 174
Licensing of software products, 33
Linux, 186
Liquidity risk, 80
Magnetic card, 149–50, 199
Mainframe computer, 183, 186, 197–200
Malicious code, 18
Managed security monitoring service provider (MSMSP), 190, 191
Managed security services provider (MSSP), 6–7, 46, 50, 116, 153, 157, 163, 190
Management
  poor, 54
Mandatory services, 114
Market prospects, 117–18
Marketplace segmentation, 118
McNealy, Scott, 202
Mean time between failures (MTBF), 36, 59, 126–27
Mean time to repair (MTTR), 36, 59, 127
Mergers and acquisitions, 54–55, 64
Merrill Lynch, 156, 189
Metrics
  capacity See capacity metrics
  performance See performance metrics
  response time See response time metrics
  security See security metrics
  throughput See throughput metrics
Microsoft, 18, 158, 202
Microsoft Windows, 186
Millennium
  turn of,
Minicomputer, 185, 200–1, 205
Misrepresentation, 152
Misuse, 152
Mobile computing, 194–95
Monitoring, reporting, review of SLA, 104, 153, 172, 174
Moore, Stephanie, 44
Morris, Robert T., 14, 203
MSMSP See managed security monitoring service provider (MSMSP)
MSSP See managed security services provider (MSSP)
MTBF See mean time between failures (MTBF)
MTTR See mean time to repair (MTTR)
National Cyber Alarm System,
National Cyber Security Division,
National differences
  cultural,
  political volatility,
  structural,
National Strategy for Critical Infrastructure Assurance,
Negotiation of contracts See contract negotiation
Net present value (NPV), 107–8, 110
Network operating center (NOC), 157
Network security, 132–58, 177
New economy,
New-hire screening, 172
Nice-to-have services, 114–15
NOC See network operating center (NOC)
Noncontrollable benefits, 73
Noncontrollable costs, 73
Nonpublic personal information (NPPI), 38, 59–60, 68, 140–41, 149–51
North America, 151
North Korea, 64
Notification service See alert service
NPPI See nonpublic personal information (NPPI)
NPV See net present value (NPV)
Objective benefits, 72–73
Objective costs, 72–73
Obstacle
  change in strategic direction, 103
  expensive to implement, 103
  overrated benefits, 103
  shift in technology management, 103
  underestimation of time and staff, 103
  unstable technology, 103
Obstacles to completion of transition, 102–3, 139–40
OCC See Office of the Comptroller of the Currency (OCC)
Office equipment, 186
Office of the Comptroller of the Currency (OCC), 150
Offshore move, 188–89
Offshore outsourcing, 8, 151
  barriers to,
  concerns, 64
  costs of, 30, 33
Offshore resources, 4, 64
Offshore services,
One-time benefits, 74–75
One-time costs, 74–75
  for firing personnel, 31, 32
  for hiring personnel, 31, 32
  for recruiting personnel, 31, 32
Ongoing benefits, 74–75
Ongoing costs, 74–75, 93
Operation
  of computer applications, 41
  of services, 53
Operational readiness, 59
Operational requirements, 164
Operations management, 39, 132, 134, 173, 177
Operations risk, 81, 152–53
Operations security See operations risk
Out-of-wallet information, 149
Outsource
  reasons to, 27–28
Outsourcer
  financial health of, 42, 116–17
  requirements of, 107–28
Outsourcers of information technology See information technology (IT) outsourcers
Outsourcing
  definition, 1,
  different approaches to, 87
  effects of threats and vulnerabilities, 11–25
  evaluation process for, 91–93, 107–28
  everyday examples,
  examples of, 88–91
  goods and services,
  justification of, 27–47, 88–91, 114, 164
  of information security, 131–61
  operational and administrative functions, 20–21
  partnership, 17
  post Y2K,
  potential advantages of, 118
  reasons to consider, 28–47
  relevant decision factors for, 88–91, 164
Outsourcing decision, 41, 64
  basis, 28
  other side of, 47
Outsourcing process, 163–70
Outsourcing risks, 49–68
Outsourcing triggers See triggers for outsourcing
Overbooked resources in DRS facilities, 46
Overhead costs, 29–32, 92
Oversight, 65
Overtime costs See costs of overtime
Password, 149–50, 198
Patching of programs, 120, 174
Payback period (PP), 107–8
Payroll processing, 114
Payroll taxes costs See costs of payroll taxes
PC See personal computer (PC)
PDA See personal digital assistant (PDA)
Penetration testing, 120
Pentagon
  attack on See September 11, 2001
Performance, 35–37
  improvement of, 35
  intangible aspects of, 37
  integrity See integrity
  of computer applications, 41–43, 62–63
  quality of service See quality of service
  reliability See reliability
  security See security
  service level, 35, 62–63
Performance metrics, 168–69
Perimeter scanning, 120
Perkin-Elmer, 185
Personal computer (PC), 185, 186–87
Personal digital assistant (PDA), 205
Personal identification number (PIN), 150, 199
Personnel
  highly qualified, 40
Personnel security, 39, 132, 136–37, 172, 176
Physical security, 39, 79–81, 132–33, 155–56, 172, 176
Physical well-being, 136
PIN See personal identification number (PIN)
Pinnacle Alliance, 188
PKI See public key encryption (PKI)
Policy regarding security See security policy
Portals, 192–93
Portfolio of customers, 118
Portfolio approach to outsourcing investments, 109
Positive net benefit, 107
PP See payback period (PP)
Practices
  best See best practices
  essential See TruSecure Corporation, essential practices
Precision of requirements, 93
Preferred vendor, 167
Presidential Decision Directive 63,
Prevention, 153, 173
Prime Computer, 185
Privacy, 37
Private information See nonpublic personal information (NPPI)
Probabilistic benefits, 73
Probabilistic costs, 73
Procedure for security See security procedure
Productivity, 31
Projects
  feasibility of See feasibility of projects
Proprietary information, 37, 60, 139
Protection
  of customer information, 60
  against identity theft See identity protection
Protective measures, 11, 67, 153, 177
Public information, 142, 144
Public key encryption (PKI), 154, 158
Quality of outsourced work,
Quality measure
  assurance, 56, 57
  empathy, 56, 57
  reliability See reliability
  responsiveness, 56, 57, 153
  tangibles, 56
Quality of service, 37, 51, 56–59, 123
RACF, 200
Readiness
  operational See operational readiness
Recovery, 79, 80, 105
Redundancy of systems and networks, 122, 125
Relationship managers, 30
Relative size
  large customer, small outsourcer, 121–22
  large outsourcer, large customer, 122–23
  large outsourcer, small customer, 122
  small outsourcer, small customer, 123
Reliability, 36, 59, 125
Remediation of Y2K applications, 3, 151
Remote access, 198–200
Remote job entry (RJE), 182–83
Reputation and goodwill
  damage to, 54, 93
Reputation risk, 80
Request for information (RFI), 94–99, 165, 169
Request for proposal (RFP), 94–99, 165–67, 169
Requirements
  gathering of, 111
Resiliency of systems and networks, 125
Response time metrics, 62, 123
Responsiveness See quality measure, responsiveness
Retention of staff, 41
Return on investment (ROI), 107–8
Revenue
  new opportunities, 43
RFI See request for information (RFI)
RFI/RFP process
  documentation, 97
RFP See request for proposal (RFP)
Ricin,
Risk
  administrator, 20–21
  complexity, 21
  conversion, 24–25
  credit See credit risk
  dependency on key individuals, 25
  from SDLC, 21
  legal and compliance See legal and compliance risk
  life cycle, 21–23
  liquidity See liquidity risk
  operational, 19
  operations See operations risk
  operator, 20–21
  quality of support, 24
  reputation See reputation risk
  vendor viability, 24
Risk analysis, 64
Risk preferences of management,
Risk profile, 152
Risk reduction from RFI/RFP exercise, 96
Risks, information security, 11–25 See also information security risks
  of outsourcing See outsourcing risks
  systemic, 19
RJE See remote job entry (RJE)
ROI See return on investment (ROI)
Round-the-clock work,
Russia, 15
SABRE system, 127
Salary costs See costs of salaries
SARS See severe acute respiratory syndrome (SARS)
SAS 70 Report, 20
Satisfaction of customer, 123–24
Satisfactory service
  customer view of, 126–27
SB 1386 See State of California
Scalability of systems and services, 53
Scorecards See performance metrics
SDLC See System Development Life Cycle (SDLC)
Secret information, 143, 145
Secure coding training, 174
Secure programming standards, 174
Securities and Exchange Commission, 68, 150
Security, 37–40
  of information See information security
  of personnel See personnel security
  of physical plant and equipment See physical security
Security administration, 172
Security and trust, 38–40
Security architecture, 132–33, 153
Security awareness, 38, 154, 172
Security baseline, 146–48, 171
Security costs See costs of security
Security framework, 153–55
Security guideline, 147–48, 171
Security infrastructure, 153, 175
Security management practices, 132–40
Security metrics, 58
Security operating center (SOC), 157
Security organization, 132–36
Security policy, 39, 61, 132–33, 146–48, 171, 175
Security policy enforcement, 154, 172
Security procedure, 147–48, 171
Security services, 153–55
  outsourcing candidates for, 171–79
Security standard, 146–48, 171
Security testing, 174
Security tokens, 149–50
Sensitive personal information, 143, 145
September 11, 2001, 15, 64, 119, 137
Service
  requirements of, 123–27
Service agreement See service level agreement (SLA)
Service contracting
  definition,
Service level agreement (SLA), 40, 49–50, 58, 62, 100–5, 123, 126, 168
Service provider
  application See application service provider (ASP)
  business See business service provider (BSP)
  Internet See Internet service provider (ISP)
  model, See also outsourcer
Service provider's policy
  adoption of, 148
Service requirements, 164
Service standards, 62, 123
Services by third party,
Setup, 52
Severance pay, 139
Severe acute respiratory syndrome (SARS), 64
Shared environments, 67
Short list of contenders, 167
Singapore
  outflow of work to, 7, 151
Size
  of customer, 50, 55–56, 121–23
  of outsourcer, 121–23
  relative See relative size
SLA See service level agreement (SLA)
Smart card, 199
SOC See security operating center (SOC)
Software costs See costs of software
SOW See statement of work (SOW)
Specialists, 1, 40
Specialization
  degree of,
Speed to market, 43, 93
Standard for security See security standard
State of California, 150
Statement of work (SOW), 99–100
Stern Stewart & Co., 109
STP See straight through processing (STP)
Straight through processing (STP), 194
Strategic direction
  change of, 103
Strong authentication, 199
Subcontractors, 61
Subjective benefits, 72–73
Subjective costs, 72–73
Subsecond response time, 126
Sun Microsystems, 202
Support
  relative to performance, 43
Surcharge for administrative support, 29–30
System Development Life Cycle (SDLC), 21, 174
Systems development, 39, 151–52
Systems maintenance, 39
Systrust, 20
Tangible benefits, 72
Tangible costs, 72
Tangible-objective-direct benefits, 75–78
Tangible-objective-direct costs, 75–78
Tangible-objective-indirect benefits, 78–81
Tangible-objective-indirect costs, 78–81
Tangible-subjective-direct benefits, 81
Tangible-subjective-direct costs, 81
Tangible-subjective-indirect benefits, 81–82
Tangible-subjective-indirect costs, 81–82
Technical support, 45, 61, 123
Technology
  instability of, 103
Technology management
  change of, 103
Telecommunications
  companies,
  costs See costs of telecommunications
  security, 132–33, 156–58
Teletype machine, 185
Tenure See job security
Terrorist attacks,
Theft, 152
Threat
  from cyber terrorists, 15
  from disgruntled employees, 12, 138
  from hackers and crackers, 13, 146
  from inadvertent destroyers, 12
  from insiders, 12
  from opportunists, 12
  from spies, 15
  from virus creator, 14
Threats, 8, 11–17
  from external sources, 13–16
  from internal sources, 11–13
  review of, 16, 120
Throughput metrics, 62, 123
Time differences for offshore outsourcing,
Time value of money, 108
Time-sharing, 184–85
Top secret information, 143, 145
Top Secret software product, 200
Training costs See costs of training
Transfer of knowledge See knowledge transfer
Transferring from in-house to out-of-house, 101–4
Transition
  completion of, 103
Transition phase, 101, 168
Travel-related costs See costs of travel
Treatment of customer, 55
Triggering evaluation process, 85–87, 163
Triggers for outsourcing, 112
  acquisition of customer, 113
  acquisition of service provider, 113
  cost-related, 113
  dissatisfaction with service, 113
  dissolution of customer, 113
  dissolution of service provider, 113
  downturn in business, 113
  end of term of agreement, 112, 169
  event-related, 112–14
  increase in costs, 113
  negative information about other deals, 113
  performance-related, 113
  positive information about other deals, 113
  time-related, 112
Trojan horse, 14
TruSecure Corporation
  Enterprise Certification, 20
  essential practices, 58
Trust, 59–62
Trust-e, 20
Trustworthy Computing Initiative, 202
Two-factor authentication, 149
Tyco, 19
U.S. banks, 152
Unauthorized access, 152
Uncertain costs, 63–66
United Kingdom, 59, 141, 150
United States, 59, 60, 118, 119, 141
Unix, 186
User authentication software, 154
User registration software, 154
Variable benefits, 73–74
Variable costs, 73–74
Venture capitalists, 63–64
VeriSign, 158, 189
Viability
  of customer, 52, 122
  of service provider, 35, 50–55, 63, 116–23
Video cameras, 136
Voice over Internet Protocol (VoIP), 121
Vulnerabilities, 8, 11, 17–25, 120
  from systemic risks, 18 See also risks, systemic
  of computer systems and networks, 17
  of software development, 17–18
  relating to risks of obsolescence, 23–24
  relating to complexity risk, 21
  relating to conversion risk, 24–25
  relating to dependency on key individuals, 25
  relating to life-cycle risk, 21–23
  relating to operational risk, 19 See also risk, operational
  relating to operator and administrator risk, 20–21 See also risk, operator and risk, administrator
  relating to poor quality support, 24
  relating to vendor viability risk, 24
Vulnerability assessment, 120
War Games, 13
Web services, 18–19, 192–93
Web site blocking software, 153, 173
Web sites, 150
WebTrust, 20
What you are, 199
What you have, 199
What you know, 199
Wireless revolution, 205
World Trade Center See September 11, 2001
World Wide Web, 190, 194, 202–4
WorldCom, 19
XSP, 190
Y2K, 3–6, 197
  as a turning point,
  contingency planning,
  outsourcing,
  related computer applications,
  remediation effort, 3, 189
Zero sum game, 138

Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor

Bluetooth Security, Christian Gehrmann, Joakim Persson and Ben Smeets
Computer Forensics and Privacy, Michael A. Caloyannides
Computer and Intrusion Forensics, George Mohay, et al.
Defense and Detection Strategies against Internet Worms, Jose Nazario
Demystifying the IPsec Puzzle, Sheila Frankel
Developing Secure Distributed Systems with CORBA, Ulrich Lang and Rudolf Schreiner
Electronic Payment Systems for E-Commerce, Second Edition, Donal O'Mahony, Michael Peirce, and Hitesh Tewari
Evaluating Agile Software Development: Methods for Your Organization, Alan S. Koch
Implementing Electronic Card Payment Systems, Cristian Radu
Implementing Security for ATM Networks, Thomas Tarman and Edward Witzke
Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas, editors
Internet and Intranet Security, Second Edition, Rolf Oppliger
Java Card for E-Payment Applications, Vesna Hassler, Martin Manninger, Mikail Gordeev, and Christoph Müller
Multicast and Group Security,
Thomas Hardjono and Lakshminath R Dondeti Non-repudiation in Electronic Commerce, Jianying Zhou Outsourcing Information Security, C Warren Axelrod Privacy Protection and Computer Forensics, Second Edition, Michael A Caloyannides TLFeBOOK Role-Based Access Controls, David F Ferraiolo, D Richard Kuhn, and Ramaswamy Chandramouli Secure Messaging with PGP and S/MIME, Rolf Oppliger Security Fundamentals for E-Commerce, Vesna Hassler Security Technologies for the World Wide Web, Second Edition, Rolf Oppliger Techniques and Applications of Digital Watermarking and Content Protection, Michael Arnold, Martin Schmucker, and Stephen D Wolthusen For further information on these and other Artech House titles, including previously considered out-of-print books now available through our In-Print-Forever ® (IPF ) program, contact: ® Artech House Artech House 685 Canton Street 46 Gillingham Street Norwood, MA 02062 London SW1V 1AH UK Phone: 781-769-9750 Phone: +44 (0)20 7596-8750 Fax: 781-769-6334 Fax: +44 (0)20 7630-0166 e-mail: artech@artechhouse.com e-mail: artech-uk@artechhouse.com Find us on the World Wide Web at: www.artechhouse.com TLFeBOOK ... Intersections of Outsourcing and Security The Outsourcing The Security …of Outsourcing Subcontracted IT services Secure IT services …of Security Subcontracted security services Secure security services... Prognosis The Information Security Market References Information Security Risks 11 Threats 11 From Internal Sources 11 From External Sources 13 vii TLFeBOOK viii Outsourcing Information Security Review... Edge 127 References 128 Outsourcing Security Functions and Security Considerations When Outsourcing 131 Security Management Practices 134 Security Organization 134 Personnel Security 136 Other Human-Related

Posted: 24/10/2019, 08:10
