272 ◾ Security Strategy: From Requirements to Reality
3. Review your corporate data destruction standards to determine what data destruction capabilities will be required for your providers.
4. Review your service areas (e.g., U.S., EU, Asia, etc.) to determine the best outsource data storage and processing scheme. Make sure your storage and processing scheme does not subject you to any additional statutory or regulatory compliance requirements.
5. Garner the support and participation of key security stakeholders. Get their help defining the objectives for each security outsourcing solution. Also get their help filling the policy and procedure gaps and modifying processes to accommodate security outsourcing risks.
6. Modify existing processes for vetting potential providers and managing contracted providers (engagement process) to include security-specific checks.
7. Prepare the materials (forms, questionnaires, surveys, etc.) required for the vetting, contracting, and engagement processes.
Conclusion
King George's outsourcing efforts ultimately failed (he lost the war), although history would tell us it wasn't the service provider's fault. By all accounts, the Hessians were well-trained, disciplined, and valiant soldiers. If anything could be blamed, it was the language barrier between the British and Hessian commands and the arrogance of their commanders. They discounted the will and determination of the rag-tag continental army. Hopefully, in our outsourcing efforts we won't make the same mistakes.
Outsourcing portions of IT operations is a fairly standard practice. From a security standpoint, most outsourcing has defensive objectives. Data security is always a major concern when outsourcing, but cost savings is the major driver, followed by better business focus and increased productivity. Risk mitigation is a distant fourth. Outsourcing supports the security principles of economy, redundancy, and preparedness through lower control and personnel costs, high reliability, and staff expertise. If your organization depends on excellence in observation and response timeliness, outsourcing may not work well for you.
In this chapter we examined outsourcing from two perspectives: general IT services outsourcing and security services outsourcing. The general requirements and risks are applicable to all IT outsourcing; security outsourcing has some additional risks to address. The majority of IT outsourcing arrangements create a hybrid or shared infrastructure; some services remain in-house, whereas others are external. This cross connection of computing enclaves creates shared risks that must be mitigated. It is important to remember that you can transfer data and processing to a service provider, but you cannot transfer responsibility; you are ultimately responsible for the protection of the data resources entrusted to your care.
Small and medium companies seem to realize the biggest benefit from outsourcing because they get to use the latest versions of software and have access to advanced technologies they couldn't afford to keep in-house. They also benefit from reduced labor costs because they do not need to retain in-house expertise. Companies have the best success when outsourcing commodity IT services (such as e-mail, instant messaging, and conferencing) and expert assistance (i.e., incident support, consulting, security monitoring). Firms that outsource management functions haven't fared as well.
The biggest security challenges in outsourcing are data protection and compliance. Companies can mitigate the risks associated with external processing and storage by carefully managing data location, limiting the types of services used, or encrypting sensitive information before sending