IT Security Outsourcing Models – I

i have received a few queries and comments on various models of IT security outsourcing. well, in the next few posts, i will try and share my opinions and experiences on this topic.

i will not be discussing how to assess the state of the service provider’s information security related controls.

to start with, let me share my thoughts on the state of security operations in total outsourcing vs discrete outsourcing engagements. thereafter i will move to the more tactical subject of the various outsourcing models an enterprise can explore.

Security outsourcing in total IT outsourcing engagements

in total outsourcing, the entire IT function is outsourced to a service provider (which may also include the financial ownership of the assets). the customer may still maintain control over certain policies like asset refresh cycles, technology standards etc. however, in most such cases, even these decisions can be driven by the service provider.

the service provider is hence responsible, on behalf of the customer, for maintaining the existing controls and ensuring that the controls framework (assessment, adequacy, functioning etc.) is kept up to date to mitigate new risks as they emerge.

if you look at it from an ITIL point of view, in total outsourcing, service strategy, design, transition, operations and continuous improvement are all service provider responsibilities. some customers would still like (and should like) to be involved in, or at least informed about, the service strategy and design activities related to information security.

depending upon the structure of service delivery within the service provider’s organization, the security operations may or may not be performed by a dedicated security function in the service provider’s organization. the way i have seen outsourcing deals structured, the traditional security operations responsibilities are now dispersed to the respective technology towers (firewalls are part of the network team, end user computing teams are responsible for content management etc.). the overall security and compliance functions are cross-tower areas since they impact multiple teams, and hence responsibility for them lies with the team responsible for similar cross-tower functions like governance, program management, finance management etc.

i have seen many customers take a hands-off approach when it comes to outsourcing of the security function in a total outsourcing deal. they are not involved with the service provider in the risk assessment and service strategy & design phases for information security. i don’t think it’s a wise approach. many outsourcing RFPs do not mention clearly how IT risk, especially information security risk, would be handled. it is presumed (and at times without much thought on the actual “how-to”) that the IT governance function would also report on the risks and the subsequent risk management approaches.

what is important is the awareness and acknowledgement by customers of the fact that they have only outsourced the operations that manage the risk, not the overall ownership of the risk itself. in case there is an incident, it will still be the customer who has to absorb the impact and pay any penalty. the customer may have the right to terminate the relationship with the service provider, but that would depend on how the legal and contract documents are drawn up.

Security outsourcing in discrete IT outsourcing engagements

in discrete outsourcing, there is a group of service providers, each responsible for a particular piece of the IT function. there is usually an aggregator role (either retained by the customer or given to another service provider) to consolidate and manage the other service providers delivering services to the same customer. the service aggregator then becomes responsible to the customer for the delivery of all the outsourced IT services.

in discrete outsourcing, usually each service provider delivers the security operations for the technology/tower it is responsible for. for example, the network service provider will be responsible for monitoring and managing the firewalls only.

the service aggregator is usually responsible for the enforcement of security policies and for ensuring that the customer’s regulatory and compliance requirements are met. this role also requires tracking the OLAs (operational level agreements) between service providers. for example, the network service provider can report high utilization of the network and, using the logs from routers/firewalls, trace the source of the traffic to an infected desktop. the provider then opens a ticket with the end user computing team to have the desktop cleaned/removed.

in such an engagement, one of the most important processes that needs to be tracked is “Incident Management”, since efficient resolution/closure of an incident would involve multiple parties. along with incident management, tracking the enforcement of customer security policies to meet compliance & regulatory requirements across the various service provider teams and infrastructure is also a challenge in such an engagement. in my opinion, the service aggregator needs to bring in the experience and the necessary tools to be able to track the OLAs and to track the enforcement of policies and any deviations.

usually the open-ended question in this type of arrangement is also around the ownership of, and accountability for, driving the overall information security strategy. many a time, it lies with the service aggregator only. but like i mentioned earlier, the customer must get involved at least in the strategy, risk assessment and mitigation planning phases.

yawn… more in the next post on the same topic!
