This comprehensive and timely resource examines security risks related to IT outsourcing, clearly showing you how to recognize, evaluate, minimize, and manage these risks. Unique in its scope, this single volume offers you complete coverage of the whole range of IT security services and fully treats the IT security concerns of outsourcing. The book helps you deepen your knowledge of the tangible and intangible costs and benefits associated with outsourcing IT and IS functions. Moreover, it enables you to determine which information security functions should be performed by a third party, better manage third-party relationships, and ensure that any functions handed over to a third party meet good security standards. From discussions on the IT outsourcing marketplace and the pros and cons of the IT outsourcing decision process, to a look at IT and IS service provider relationships and trends affecting outsourcing, this essential reference provides insight into how organizations are addressing some of the more thorny issues of IT and security outsourcing.
Foreword.; Preface ë The Time Was Right. The Intent of the Book. Acknowledgements.; Outsourcing and Information Security ë First - Some Definitions. Second - A Clarification. Y2K as a Turning Point. The Post Y2K Outsourcing Speed Bump. Shaky Managed Security Services Providers. A Prognosis. The Information Security Market.; Information Security Risks ë Threats. Vulnerabilities. Summary.; Justifying Outsourcing ë Professed Reasons to Outsource. The Basis for Decision. Reasons for Considering Outsourcing. Summary.; Risks of Outsourcing ë Loss of Control. Viability of Service Providers. Relative Size of Customer. Quality of Service. The Issue of Trust. Performance of Applications and Services. Lack of Expertise. Hidden and Uncertain Costs. Limited or No Customization and Enhancements. Knowledge Transfer. Shared Environments. Legal and Regulatory Matters. Summary and Conclusion.; Categorizing Costs and Benefits ë Structured, Unbiased Analysis ¬æ The Ideal. Costs and Benefits.; Costs and Benefits Throughout the Evaluation Process ë Triggering the Process. Different Strokes. Analysis of Costs and Benefits. Costs to the Customer. Costs to the Service Providers. Benefits to the Customer. Benefits to the Service Providers. Refining the Statement of Work. Service Level Agreement. Implementation. Transition Phase. Transferring form In-House to Out-of-House. Monitoring, Reporting and Review. Dispute Resolution. Incident Response, Recovery and Testing. Extrication. Conclusion.; The Outsourcing Evaluation Process ë Customer and Outsourcer RequirementsëëIncluding All Costs. Structure of the Chapter. The Gathering of Requirements. Business Requirements. Viability of the Service Provider. Marketplace and Busyness Prospects. Technology Requirements.; Outsourcing Security Functions and Security Considerations when Outsourcing ë Security Management Practices. Asset Classification and Control. Information Security Policy. Access Control and Identity Protection. Application and System Development. Operations Security and Operational Risk. Security Models and Architecture. Physical and Environmental Security. Telecommunications and Network Security. Cryptography. Disaster Recovery and Business Continuity. Law, Investigations, Ethics. Summary.; Summary of the Outsourcing Process, Soup to Nuts.; Appendix A ë Candidate Security Services for Outsourcing.; Appendix B ë A Brief History of IT Outsourcing.; Appendix C ë A Brief History of Information Security.; Selected Bibliography. Index.;
-
C. Warren Axelrod
C. Warren Axelrod is the president of C. Warren Axelrod, LLC. He was previously the research director for financial services for the U.S. Cyber Consequences Unit and an executive adviser to the Financial Services Technology Consortium. He was also the chief privacy officer and business information security officer for U.S. Trust. He has been a senior information technology executive in financial services for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. Dr. Axelrod is the author of Enterprise Information Security and Privacy and Outsourcing Information Security (Artech House 2009, 2004). He holds a Ph.D. in managerial economics from Cornell University, and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.