Wednesday, February 25, 2009

Information Security and Privacy class

Thanks so much to everyone who attended my class. I have published notes and links at the Class Notes link below. Please let me know if you have any questions or need additional information.

Chris

Class Notes

Monday, February 23, 2009

Outsourcing Risk Management

You've heard it before: "you can outsource the business process, but you can't outsource the risk". SaaS, cloud computing, BPO, or simply external hosting of an internally developed application can expose an organization to far more risk than it would carry if the data and solutions remained in-house. Of course, if an organization's own policies, procedures, and standards are bad enough, outsourcing could also reduce the risk. Either way, organizations must manage that risk and determine whether the change in exposure is significant enough to need addressing. COBIT, ISO 27001/27002, PCI DSS, and most other standards and many regulations call for proper management and oversight of outsourced providers, so this should be no surprise to organizations or to the companies that provide these types of services.

The first place to start is during contract negotiations with the external party. It should be clear what the organization expects and what standards, policies, and procedures must be met. There should be penalties and consequences if these are not met, and audit rights should always be present in any set of obligations. The FFIEC guidance on this, entitled Risk Management of Outsourced Technology Services, is a good reference.


The following is a good baseline of items that should be included.


  • Service Level Agreements with a financial penalty, such as 10% of the yearly expenditure, for each breach of the SLA.

  • The service provider and its agents are prohibited from using or disclosing the institution’s information, except as necessary to or consistent with providing the contracted services, and to protect against unauthorized use (e.g., disclosure of information to institution competitors).

  • All third parties or sub-contractors who will be storing or processing the institution's data must be approved in advance.

  • The provider must disclose any known, suspected, or subsequently discovered security issues or incidents.

  • The right to receive any BITS FISAP, SAS 70 Type II, or other external third-party audit reports.

  • Qualified information security management must be in place at the service provider.

  • Regularly scheduled reviews of the third party's policies.