
Outsourcing Information Security
C. Warren Axelrod
ISBN 978-1-58053-531-1
Copyright 2004
Pages: 266

This comprehensive and timely resource examines security risks related to IT outsourcing, clearly showing you how to recognize, evaluate, minimize, and manage these risks. Unique in its scope, this single volume offers you complete coverage of the whole range of IT security services and fully treats the IT security concerns of outsourcing. The book helps you deepen your knowledge of the tangible and intangible costs and benefits associated with outsourcing IT and IS functions.

Moreover, it enables you to determine which information security functions should be performed by a third party, better manage third-party relationships, and ensure that any functions handed over to a third party meet good security standards. From discussions on the IT outsourcing marketplace and the pros and cons of the IT outsourcing decision process, to a look at IT and IS service provider relationships and trends affecting outsourcing, this essential reference provides insight into how organizations are addressing some of the more thorny issues of IT and security outsourcing.

Related Titles
Fundamentals of Network Security; John E. Canavan
Techniques and Applications of Digital Watermarking and Content Protection; Michael Arnold, Martin Schmucker, and Stephen D. Wolthusen
Role-Based Access Controls; David F. Ferraiolo and D. Richard Kuhn
Implementing Electronic Card Payment Systems; Cristian Radu
“With the prospect of outsourcing security becoming a reality and US companies increasingly asking tough questions about it, C Warren Axelrod's book couldn't have come at a better time. Unique in its scope, this book packs a complete coverage of the whole range of IT security services and concerns about outsourcing into its 250 pages. From discussions on the IT outsourcing marketplace and the pros and cons of the IT outsourcing decision process, to a look at IT and information security service provider relationships and trends affecting outsourcing, this book provides insight into how organizations are addressing some of the more thorny issues of IT and security outsourcing. A 'must have' for any C-level executive faced with difficult decisions in this arena.”
---CXO Magazine, 2005

“Axelrod has provided a very solid and useful framework for dealing with the many areas that need to be considered if outsourcing is sought.”
---Internet Review Project, December 2004

“...Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function...the book is a huge value for anyone considering outsourcing security. The book asks questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be. For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.”
---Slashdot.org, November 2004

Foreword.

Preface ‑ The Time Was Right. The Intent of the Book. Acknowledgements.

Outsourcing and Information Security ‑ First - Some Definitions. Second - A Clarification. Y2K as a Turning Point. The Post Y2K Outsourcing Speed Bump. Shaky Managed Security Services Providers. A Prognosis. The Information Security Market.

Information Security Risks ‑ Threats. Vulnerabilities. Summary.

Justifying Outsourcing ‑ Professed Reasons to Outsource. The Basis for Decision. Reasons for Considering Outsourcing. Summary.

Risks of Outsourcing ‑ Loss of Control. Viability of Service Providers. Relative Size of Customer. Quality of Service. The Issue of Trust. Performance of Applications and Services. Lack of Expertise. "Hidden" and Uncertain Costs. Limited or No Customization and Enhancements. Knowledge Transfer. Shared Environments. Legal and Regulatory Matters. Summary and Conclusion.

Categorizing Costs and Benefits ‑ Structured, Unbiased Analysis - The Ideal. Costs and Benefits.

Costs and Benefits Throughout the Evaluation Process ‑ Triggering the Process. Different Strokes. Analysis of Costs and Benefits. Costs to the Customer. Costs to the Service Providers. Benefits to the Customer. Benefits to the Service Providers. Refining the Statement of Work. Service Level Agreement. Implementation. Transition Phase. Transferring from In-House to Out-of-House. Monitoring, Reporting and Review. Dispute Resolution. Incident Response, Recovery and Testing. Extrication. Conclusion.

The Outsourcing Evaluation Process ‑ Customer and Outsourcer Requirements‑‑Including All Costs. Structure of the Chapter. The Gathering of Requirements. Business Requirements. Viability of the Service Provider. Marketplace and Business Prospects. Technology Requirements.

Outsourcing Security Functions and Security Considerations when Outsourcing ‑ Security Management Practices. Asset Classification and Control. Information Security Policy. Access Control and Identity Protection. Application and System Development. Operations Security and Operational Risk. Security Models and Architecture. Physical and Environmental Security. Telecommunications and Network Security. Cryptography. Disaster Recovery and Business Continuity. Law, Investigations, Ethics. Summary.

Summary of the Outsourcing Process - Soup to Nuts.

Appendix A ‑ Candidate Security Services for Outsourcing.

Appendix B ‑ A Brief History of IT Outsourcing.

Appendix C ‑ A Brief History of Information Security.

Selected Bibliography. Index.

C. Warren Axelrod is a director of Pershing LLC, a BNY Securities Group Co., where he is responsible for global information security. He has been a senior information technology manager on Wall Street for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. He holds a Ph.D. in managerial economics from Cornell University, and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.