Information security risks of outsourcing
Keywords: information security; risk management; outsourcing
Abstract: This paper first analyzes the information security risks of outsourcing, then proposes a risk management framework for information security outsourcing, and on the basis of that framework discusses in detail how the information security risks of outsourcing are managed in practice. The aim is to control the risks of information security outsourcing and to obtain the maximum benefit from cooperation with the outsourcing provider.
1 Information security risks of outsourcing
1.1 Trust Risk
Whether the enterprise and the information security outsourcing provider can establish a good working relationship and mutual trust remains an important factor in deciding whether to outsource security. The information security outsourcing provider has access to sensitive corporate information and a comprehensive understanding of the enterprise's business and system security; if it intentionally or unintentionally discloses important information to the public, the enterprise suffers great damage. Conversely, if the enterprise cannot trust the outsourcer and withholds key information from it, the outsourcer works with incomplete information, certain areas of the service fail, and service quality suffers. Trust is therefore the basis of bilateral cooperation and, to a large extent, the key element of risk avoidance.
1.2 Dependency risk
An enterprise that outsources information security services easily becomes dependent on the provider and is exposed to changes in the provider's business, its business partners and other affected companies. An appropriate mitigation is to outsource security services to multiple providers, but this correspondingly increases spending and creates management difficulties. The enterprise also loses three kinds of flexibility. The first is short-term flexibility: the ability to restructure corporate resources and respond to changes in the business environment. The second is adaptive capacity, the flexibility required for events in the short to medium term; it is a new approach to business process change and to the reuse of capabilities and strategies, including information technology. The third is evolutionary flexibility, which is essentially medium- to long-term flexibility: it transforms the enterprise's technological infrastructure so that new technologies can be exploited over time. Evolutionary flexibility requires access to the needed technology trends and business trends, and ensures that both are predicted accurately so that the best alliance capacity can be established.
1.3 The risk of ownership
Regardless of the scope of the outsourced services, the enterprise remains the owner of, and responsible for, the secure operation of its infrastructure and the protection of its key assets. The enterprise must determine that the service outsourcing provider has the ability to assume this responsibility and that its service level agreement supports the performance of those duties. The appropriate mitigation is to make staff and management at all levels aware that information security is their primary responsibility, and to enhance general security awareness across the business through security training courses.
1.4 Shared environment risk
An information security outsourcing provider that uses one operating environment to serve multiple enterprises carries more risk than a single environment within one organization, because a shared operating environment supports the sharing of data (such as over public networks) or of processing (such as on a common server) among multiple enterprises, which increases the possibility that one enterprise gains access to another enterprise's sensitive information. This too is a risk for the enterprise.
1.5 Implementation risk
Starting a managed security services relationship, whether between the enterprise and the service outsourcing provider or in the transition from one outsourcer to another, involves a complex transition of people, processes, hardware, software and other assets, all of which may introduce new risk. The enterprise should require the outsourcer to explain its high-level implementation plan, indicating completion dates and the time spent, so that the risk of the implementation process is to some extent confined to a limited period.
1.6 Risk of partnership failure
If the relationship between the enterprise and the service provider fails, the enterprise faces great risk. The economic loss and loss of time from a failed cooperation are self-evident, and in the final analysis such failures stem from an inadequate service outsourcing plan and insufficiently frequent communication between the enterprise and the service provider. Like any other business relationship, this partnership can fail at any stage, so it requires sufficient attention and concern and frequent communication and cooperation between the two sides.
2 Information security management framework for outsourcing
Successful outsourcing of information security requires a sound management framework. Such a framework is very important for the enterprise to implement and manage its outsourcing activities, coordinate the relationship with the outsourcer, reduce outsourcing risk as far as possible, and thus achieve the purpose of outsourcing. The information security outsourcing management framework has several main parts: the enterprise and the outsourcing provider jointly determine the enterprise's information security policy and the security standards for the outsourced information security; the enterprise's systems are then subjected to risk assessment; according to the policy and the risks, the content of the information security outsourcing and its risk management process are determined; the control methods for the enterprise's outsourced information security are then developed jointly; the structure of the enterprise's information security department is coordinated and optimized; and the management of the relationship with the outsourcing provider is strengthened.
3 Implementation of information security risk management for outsourcing
3.1 Development of the information security policy
An information security policy (in many cases also called an information security strategy) is the guidance or set of instructions in an enterprise on how assets, including sensitive information, are managed, protected and distributed. The information security policy should define: (1) information security, including the overall objective of information security, its scope, and the importance of information security to information sharing; (2) the management purposes concerned; (3) a brief description of the information security principles and standards and the importance to the enterprise of complying with them; (4) the overall definition of information security management responsibilities. The information security policy gives only a general definition of the security functions of the enterprise's various departments; the specific details of information security responsibilities are left to the service standards to clarify.
3.2 Selection criteria for information security management standards
The information security management system standard BS7799 and the information security management standard ISO 13335 are the general information security management standards:
(1) BS7799: BS7799 is the information security management standard specified by the British Standards Institute and is the internationally representative information security management system standard. It comprises two parts: BS7799-1:1999 <<Information Security Management Implementation Rules>> and BS7799-2:1999 <<Information Security Management System Standard>>.
(2) ISO 13335: ISO 13335 < > mainly gives recommendations and guidelines for the effective implementation of IT security management. The standard is currently divided into five parts: concepts and models of information technology security; information technology security management and planning; information technology security management techniques; selection of safeguards; and protection of external connections.
3.3 Determining the information security outsourcing process
The enterprise defines the scope of information security outsourcing according to its business characteristics, geographic location, assets and information security technology. When defining the scope, two aspects are considered: (1) the information systems, assets and technology that need protection; (2) the physical location (geography, sector, etc.). The information security outsourcer should identify and control all the risk content that needs to be managed, based on the enterprise's information security policy and the required level of security. The enterprise needs to require the selected outsourcing provider to supply its security risk assessment and risk management solutions, then carry out a normative assessment to identify the current risks. The enterprise may choose to conduct a regular independent assessment of the service outsourcing provider's sites and services, or to evaluate them during the annual examination. The selection and use of the independent assessment programme must be acceptable to both parties. A written agreement reached after the independent assessment grants the enterprise the right to assess the outsourcer, and specifically states that the assessor may not divulge any sensitive information of the outsourcer or its customers. The outsourcer is given further information on the scope and detail of the inspection, in order to reduce any impact on availability, service level and customer satisfaction. Within a specified time after the assessment is carried out, the results are shared and discussed with the outsourcer, and the two sides determine whether a solution and/or a planning process is needed to respond to any change arising from the assessment. The relevant assessment materials and documents should be established and maintained within the control process; the enterprise uses these documents as an important tool in assessing the service performance of the external contractor. Post-assessment solutions and priority checks are recorded in the appropriate files so that both sides can improve the service and information security management.
3.4 Development of information security control rules for outsourced services
The information security control rules for outsourced services are divided into three sections. The first section defines the framework of the service rules, primarily clarifying how the information security services are implemented, the common standards and measurements used, the mandate of the outsourcing provider and the responsibilities of the parties. The second section covers the requirements of the information security services, divided into specific high-level service demand; service availability; service architecture; service software and hardware; service metrics; service levels; reporting requirements; scope of services; and other aspects. The third section covers the security requirements, including security policies, procedures and regulations; continuity plans; operations and disaster recovery; physical security; data control; identification and authentication; access control; software integrity; security asset allocation; backup; monitoring and auditing; incident management and so on.
3.5 Optimization of the corporate structure for information security outsourcing management. The specific optimization programme is as follows:
(1) Chief Security Officer: the CSO is the company's senior security executive and reports directly to senior executives, including the CEO, COO, CFO, principal management leadership and Chief Legal Counsel. The CSO oversees and coordinates the implementation of security measures in the company and determines security standards and initiatives across information technology, human resources, communications, legal, facilities management and other departments.
(2) Security team: the security team consists of information security professionals from the outsourcing provider together with IT personnel and information security specialists from within the enterprise client. Its main task is to deliver information security services and technical services in accordance with the enterprise's information security control rules for the outsourcing service provider.
(3) Management Committee: this is the high-level body in which the enterprise client and the information security outsourcing provider resolve problems. Its members include the CEO, CIO and CSO of the enterprise client, and the outsourcer's senior project manager and other related decision-makers. The committee meets once a year and is responsible for auditing the annual service level, assessing the results of the enterprise's adaptability, changes in the relationship, and so on.
(4) Advisory Committee: Advisory Committee meetings mainly resolve planning problems, such as service level changes, the application of new technical means, service replacement priorities and financial issues of the services. Its members include the enterprise's internal IT officers and security commissioner, relevant personnel from the finance, human resources and business departments, and the outsourcer's person in charge of specific projects.
(6) Security Working Group: the Security Working Group is responsible for addressing specific information security issues and is composed of personnel from both the outsourcing provider and the enterprise. The Working Group keeps in close contact with the Service Switching Center, turns highlighted issues into problem-solving projects, and presents the problems it cannot solve to the Advisory Committee.
(7) Service Switching Center: the Service Switching Center is staffed from both sides, including key personnel from the enterprise's various business departments and information security personnel. They liaise with the various business units to explore potential information security issues and vulnerabilities in the business, and report these problems to the Security Working Group.
(8) Command issue management group: this group is composed entirely of internal staff, including the Information Security Officer and the heads of business units. After the security team's technical staff have solved the enterprise's security technical issues, or when the CSO releases solutions to improve the enterprise's information security, these solutions are transmitted to the command issue management group, which studies and discusses them and then publishes them to all business departments.
(9) Oversight Committee: this committee is composed entirely of internal staff and is in charge of supervising the external contractor during the service process.
3.6 Management of the relationship with the outsourcing provider
Managing the relationship with the outsourcer means that the enterprise and the outsourcer should aim to establish a long-term business relationship, which helps the security services provider learn more about the corporate culture and thus provide better service. In managing the outsourcing relationship, the enterprise should focus on monitoring and control while also paying attention to incentives for, and collaboration with, the external contractor. Establishing a good relationship lays the foundation for relationship management. The basic means of maintaining the outsourcer's code of conduct are supervision and control: monitoring is used to observe whether the outsourcer does what it should do, and if monitoring finds that the outsourcer's behaviour deviates from the intended target, control is needed to return the outsourced business to the right track. Control rules regulate the service performance of the outsourced business; regular communication between the outsourcer and the enterprise client makes it possible to identify problems promptly and to standardize the control activities.