Foreword | p. xv |
Preface | p. xix |
Acknowledgments | p. xxv |
1 Outsourcing and Information Security | p. 1 |
First ... Some Definitions | p. 2 |
Second ... A Clarification | p. 2 |
Y2K as a Turning Point | p. 3 |
The Post Y2K Outsourcing Speed Bump | p. 5 |
Shaky Managed Security Services Providers | p. 6 |
A Prognosis | p. 7 |
The Information Security Market | p. 8 |
References | p. 9 |
2 Information Security Risks | p. 11 |
Threats | p. 11 |
From Internal Source | p. 11 |
From External Sources | p. 13 |
Review of Threats | p. 16 |
Vulnerabilities | p. 17 |
Computer Systems and Networks | p. 17 |
Software Development | p. 17 |
Systemic Risks | p. 18 |
Operational Risk | p. 19 |
Operator and Administrator Risk | p. 20 |
Complexity Risk | p. 21 |
Life-Cycle Risk | p. 21 |
Risks of Obsolescence | p. 23 |
Vendor Viability Risk | p. 24 |
Risk of Poor Quality Support | p. 24 |
Conversion Risk | p. 24 |
Risk of Dependency on Key Individuals | p. 25 |
Summary | p. 25 |
References | p. 25 |
3 Justifying Outsourcing | p. 27 |
Professed Reasons to Outsource | p. 27 |
The Basis for Decision | p. 28 |
Reasons for Considering Outsourcing | p. 28 |
Cost Savings | p. 29 |
Performance | p. 35 |
Security | p. 37 |
Expertise | p. 40 |
Computer Applications | p. 41 |
Support | p. 43 |
Financial Arrangements | p. 45 |
Summary | p. 47 |
The Other Side of the Outsourcing Decision | p. 48 |
References | p. 48 |
4 Risks of Outsourcing | p. 49 |
Loss of Control | p. 49 |
Viability of Service Providers | p. 50 |
Reasons for Abandoning Service | p. 54 |
Relative Size of Customer | p. 55 |
Quality of Service | p. 56 |
Tangibles | p. 56 |
Reliability | p. 56 |
Responsiveness | p. 57 |
Assurance | p. 57 |
Empathy | p. 57 |
Definitions | p. 59 |
The Issue of Trust | p. 59 |
Performance of Applications and Services | p. 62 |
Lack of Expertise | p. 63 |
Hidden and Uncertain Costs | p. 63 |
Limited Customization and Enhancements | p. 66 |
Knowledge Transfer | p. 66 |
Shared Environments | p. 67 |
Legal and Regulatory Matters | p. 67 |
Summary and Conclusion | p. 68 |
References | p. 68 |
5 Categorizing Costs and Benefits | p. 71 |
Structured, Unbiased Analysis--The Ideal | p. 71 |
Costs and Benefits | p. 72 |
Tangible Versus Intangible Costs and Benefits | p. 72 |
Objective Versus Subjective Costs and Benefits | p. 72 |
Direct Versus Indirect Costs and Benefits | p. 73 |
Controllable Versus Noncontrollable Costs and Benefits | p. 73 |
Certain Versus Probabilistic Costs and Benefits | p. 73 |
Fixed Versus Variable Costs and Benefits | p. 73 |
One-Time Versus Ongoing Costs and Benefits | p. 74 |
Tangible-Objective-Direct Costs and Benefits | p. 75 |
Tangible-Objective-Indirect Costs and Benefits | p. 78 |
Tangible-Subjective-Direct Costs and Benefits | p. 81 |
Tangible-Subjective-Indirect Costs and Benefits | p. 81 |
Intangible-Objective-Direct Costs and Benefits | p. 82 |
Intangible-Objective-Indirect Costs and Benefits | p. 82 |
Intangible-Subjective-Direct Costs and Benefits | p. 83 |
Intangible-Subjective-Indirect Costs and Benefits | p. 83 |
Next Chapter | p. 83 |
Reference | p. 84 |
6 Costs and Benefits Throughout the Evaluation Process | p. 85 |
Triggering the Process | p. 85 |
Different Strokes | p. 87 |
Analysis of Costs and Benefits | p. 87 |
The Evaluation Process | p. 91 |
Requests for Information and Proposals--Costs | p. 94 |
Costs to the Customer | p. 95 |
Costs to the Service Providers | p. 96 |
Requests for Information/Proposal--Benefits | p. 96 |
Benefits to the Customer | p. 96 |
Benefits to the Service Providers | p. 98 |
Refining the Statement of Work (SOW) | p. 99 |
Service Level Agreement (SLA) | p. 100 |
Implementation | p. 101 |
Transition Phase | p. 101 |
Transferring from In-House to Out-of-House | p. 101 |
Monitoring, Reporting, and Review | p. 104 |
Dispute Resolution | p. 104 |
Incident Response, Recovery, and Testing | p. 105 |
Extrication | p. 105 |
Summary | p. 105 |
References | p. 106 |
7 The Outsourcing Evaluation Process--Customer and Outsourcer Requirements | p. 107 |
Investment Evaluation Methods | p. 107 |
Including All Costs | p. 109 |
Structure of the Chapter | p. 111 |
The Gathering of Requirements | p. 111 |
Business Requirements | p. 112 |
Viability of Service Provider | p. 116 |
Financial Analysis | p. 116 |
Marketplace and Business Prospects | p. 117 |
Health of the Economy | p. 118 |
Marketplace Matters | p. 118 |
Competitive Environment | p. 119 |
Structure of the Business | p. 120 |
Nature of the Business | p. 121 |
Relative Sizes of Organizations | p. 121 |
Service Requirements | p. 123 |
Meeting Expectations | p. 123 |
Concentration and Dispersion of Business Operations and Functions | p. 124 |
Customer View of Satisfactory Service | p. 126 |
Technology Requirements | p. 127 |
The "Bleeding" Edge | p. 127 |
References | p. 128 |
8 Outsourcing Security Functions and Security Considerations When Outsourcing | p. 131 |
Security Management Practices | p. 134 |
Security Organization | p. 134 |
Personnel Security | p. 136 |
Other Human-Related Concerns of the Company | p. 137 |
Ameliorating the Concerns of Workers | p. 140 |
Asset Classification and Control | p. 140 |
Information Security Policy | p. 146 |
Adopt Customer Policy | p. 147 |
Adopt Service Provider's Policy | p. 147 |
Evaluate Responses to Due-Diligence Questionnaire | p. 147 |
Enforcement and Compliance | p. 147 |
Access Control and Identity Protection | p. 149 |
Application and System Development | p. 151 |
Operations Security and Operational Risk | p. 152 |
Security Models and Architecture | p. 153 |
Security Services--Framework | p. 153 |
Security Infrastructure | p. 153 |
Security Management and Control | p. 154 |
Framework | p. 154 |
Application to Service Providers | p. 154 |
Physical and Environmental Security | p. 155 |
Telecommunications and Network Security | p. 156 |
Cryptography | p. 158 |
Disaster Recovery and Business Continuity | p. 159 |
Business Impact Analysis | p. 159 |
Planning | p. 159 |
Implementation and Testing | p. 159 |
Legal Action | p. 160 |
Summary | p. 160 |
References | p. 161 |
9 Summary of the Outsourcing Process--Soup to Nuts | p. 163 |
Appendix A Candidate Security Services for Outsourcing | p. 171 |
Appendix B A Brief History of IT Outsourcing | p. 181 |
The Early Days | p. 181 |
Remote Job Entry | p. 182 |
Time-Sharing | p. 184 |
Distributed Systems | p. 185 |
Personal Computers and Workstations | p. 186 |
The Advent of Big-Time Outsourcing | p. 187 |
The Move Offshore | p. 188 |
And Now Security | p. 189 |
Networked Systems and the Internet | p. 190 |
The Brave New World of Service Providers | p. 191 |
The Electronic Commerce Model | p. 191 |
Portals, Aggregation, and Web Services | p. 192 |
Straight-Through Processing (STP) and Grid Computing | p. 194 |
Mobile Computing | p. 194 |
References | p. 195 |
Appendix C A Brief History of Information Security | p. 197 |
The Mainframe Era | p. 197 |
Isolated Data Centers | p. 197 |
Remote Access | p. 198 |
Distributed Systems | p. 200 |
Minicomputers | p. 200 |
Client-Server Architecture | p. 201 |
The Wild World of the Web | p. 202 |
The Wireless Revolution | p. 205 |
Where IT Outsourcing and Security Meet | p. 205 |
References | p. 207 |
Selected Bibliography | p. 209 |
Annotated References and Resources | p. 209 |
Books | p. 210 |
Newspapers, Journals, and Magazines | p. 211 |
Computer-Related Publications | p. 211 |
Security Publications | p. 219 |
Business and Business/Technology Publications | p. 220 |
Web-Based Resources | p. 222 |
Web-Based Resources Related to Specific Publications | p. 225 |
Conferences and Seminars | p. 226 |
Publications from Professional Associations and Academic Institutions | p. 228 |
Government Sources: Legal and Regulatory | p. 229 |
Vendors and Service Providers | p. 231 |
Education and Certification | p. 232 |
About the Author | p. 235 |
Index | p. 237 |