Transcript Document

6 - Outsourcing
Outsourcing
1
Outsourcing
Dealing with issues when a portion or all of the provision of technology
services is performed outside of the entity’s normal service delivery envelope.
• Loss of control (Priority, timing, effort, changing deadlines, etc.)
• Additional security risks (Lack of understating of outsourcer’s security
procedures, lack of knowledge of their consistent application)
• Concern over the inadequacy of IT governance procedures (Within the
organization and at the outsourcer)
• Contract terms and service level agreements are not consistently met
(Poor/inadequate contract management, lack of contract metrics and
lack of timely reporting)
• Re-outsourcing of services to another third party (Concern despite
contractual agreements, use of cloud computing by outsourcer, etc.)
© Robert G Parker – UW-CISA 2010
S-2
Outsourcing
Renaissance in USA
Industrial manufacturing
by 2015
2015-China only 10% to
15% Cheaper than the USA
2010 – Caterpillar opening
600,000 sq-ft. manufacturing
facility in Texas
© Robert G Parker – UW-CISA 2010
S-3
Outsourcing
Source-Canwest Times Colonist- May 28, 2008
Emerging Economies
Outsourcing
Outsourcing Risks
• UCSF outsourced the processing of its medical transcripts to a U.S.-based
company that outsourced the records to yet another company in the U.S.
• The second outsourcing company, in turn, sent the transcripts to a company
in Pakistan for processing.
• A Pakistani data entry clerk attempted to extort money from the
University of California at San Francisco’s (UCSF) Medical
Center.
• The Pakistani clerk was having trouble getting paid for her work,
so she directly contacted the University, attached some of the
medical data she had as proof, and demanded payment,
threatening that she would post all of the medical records on the
Internet if she did not receive the money.
• The UCSF Medical Center asserted it was not even aware that
sensitive medical records were processed offshore.
© Robert G Parker – UW-CISA 2010
S-5
6 - Outsourcing
Business Risks
• Increasing labour rates in Asia
• Increasing transportation rates between North America and Asia
• Security concerns over intellectual property
• Lack of ‘hands-on’ control
• Language and cultural differences
• Regulating laws
• Cultural differences
© Robert G Parker – UW-CISA 2010
S-6
6 - Outsourcing
Outsourcing Risk Management
• Implement more sophisticated automated manufacturing processes
in North America
• Reduce transportation volume between North America and Asia
• Increase use of lockable/destructable software code vs. mechanical
controls to protect intellectual property
• Repatriate ‘hands-on’ control (Your people in their land)
• Implement two way cultural training
• Establish all laws to be in country exporting the work or technology
© Robert G Parker – UW-CISA 2010
S-7
7 - Public Trust
Public Trust
8
7 - Public Trust
With warnings about viruses, worms, Trojan horses, phishing, identity theft,
hackers, and an ever increasing prevalence of malware, users of Information
Technology have expressed legitimate concerns. With the business need to
reduce costs, technology provides an enticing opportunity for eBilling,
payments, distribution of newsletters, product information, and any number of
product support scenarios. Users want assurance that their information is safe
and that they are dealing with a legitimate business
Technology Appears to Present a Threat to Society
• Hackers, Security Breaches, Identity Theft, Viruses, Worms, etc.
• Concerns Over Data Theft, Confidentiality of Personal Information
• Concerns over Identity Management, Credit Card Fraud and
Unauthorized Access or Sharing of Information
© Robert G Parker – UW-CISA 2010
S-9
Public Trust
The Attacks Increase
10
Public Trust
The Attacks Increase
77 Million
User
Accounts
11
Public Trust
Canada Is Not In An Enviable Position
12
Public Trust
Information security management was reported to be third on ISACA's 2011 Survey
of Top Business/Technology Issues.
The survey attributed the finding to a combination of high profile breaches and the
large investment in security technologies.
Most significant issue were the unknown security threats or those security threats
that are not fully assessed. Other issues in order of ranking, that likely contribute to
the a lack of public trust include:
• Information security controls are not regularly assessed for performance and
effectiveness.
• Top management is not involved "in setting direction and objectives for
information security ".
• “Lack of enterprise-wide information security awareness and training ".
• Perception that security is owned by Technology.
• Lack of integration of information security into the culture of the organization.
13
IT Governance
Business Reaction
319% should be a wake up call to businesses and professionals
Cyber risks must be taken seriously
Increased senior management involvement is security and the security
message
Initiation of an enterprise-wide security program
C-suite responsibility and direction for the security program
Public Trust Risk Management
Lack of enterprise wide training and awareness of The risks
Lack of enterprise level ownership of the risk
Lack of ownership, accountability and responsibility
Lack of a security culture
14