[ISN] Outsourcing Information Security

InfoSec News isn at c4i.org
Fri Nov 5 03:16:02 EST 2004


[ http://www.amazon.com/exec/obidos/ASIN/1580535313/c4iorg  - WK]

Author: C. Warren Axelrod  
Pages: 248 
Publisher: Artech House 
Rating: 10 
Reviewer: Ben Rothke 
ISBN: 1580535313 
Summary: Examines security risks related to IT security outsourcing 

When it comes to the outsourcing of information security functions
specifically, the situation is even worse. Far too few organizations
know the inherent risks involved with outsourcing security, and don't
properly investigate what they are getting into. The same company that
makes it nearly impossible for an employee to enter the office supply
closet to get much needed toner cartridge will outsource their
intrusion detection, email and firewall systems without a blink.

One of the many reasons companies turn to security outsourcing and
managed security services providers (MSSP) is to use their limited
internal security staff for more interesting areas such as web
development, VPN and e-commerce applications. They will then outsource
the boring activities such as firewall and IDS monitoring and
maintenance to a MSSP.

Given that activities such as firewall monitoring and administering an
IDS in large enterprise requires 24/7 support, it is not unusual for a
company to want to outsource such activities; monitoring and
administering are not core functions of most organizations.

The trouble comes from the lack of due care often given to choosing a
MSSP. With that, Outsourcing Information Security is a long-overdue
book that asks the questions that are necessary before an organization
decides to outsource any information security function.

The author's general tone is against the outsourcing of information
security; but provides readers with the various benefits and risks
involved in outsourcing security, and let's them ultimate decide if
outsourcing security is right for their organization. It is the reader
who must define, evaluate and manage those risks and determine if
outsourcing is a viable solution. These include technology, business
and legal risks.

The book comprises nine chapters and three appendices totaling a bit
under 250 pages. The first two chapters provide a good introduction to
and overview of outsourcing and information security, and the
associated security risks.

Chapter 3 details various reasons why outsourcing information security
makes sense. The chapter includes various tables and references to the
many reasons why a company would want to outsource security.

Chapter 4 takes the other side and analyzes the risks of outsourcing.  
The chapter details the traditional risks, in addition to other
factors such as hidden costs, broken promises, phantom benefits and
more. The book shows that while many organizations hand over
information security responsibility to their MSSP, when things go
wrong, they can't effectively blame the MSSP. When things go wrong --
and they will -- all of the fingers in the world can be pointed at the
MSSP, but the ultimate responsibility falls on the organization
itself. With outsourced security, if something goes wrong, those
fingers will point back to the company's security manager, not the
incompetent firewall administrator in Bangalore.

The chapter provides a balanced look at the risk of outsourcing, and
while calm in its overall approach, the chapter should at least make
the person considering outsourcing information security think twice.  
In fact, the author concludes the chapter by stating "when all of the
risks of outsourcing are considered, one wonders how anyone ever makes
the decision to use a third party." Nonetheless, there is plenty of
evidence that many security activities are indeed outsourced to MSSP,
and are often satisfactory from both the buyer's and seller's

Chapters 5 and 6 provide a thorough summary of the costs and benefits
of outsourcing, and provides a method with which to categorize them.  
The chapter is well suited for a CFO with its discussion of direct vs.  
indirect costs, controllable vs. non-controllable costs, and much
more. These two chapters show that creating meaningful financial
numbers to see if outsourcing makes financial sense is not such an
easy task. It is important to understand that outsourcing sometimes
makes financial sense, but certainly not all the time. For those
organizations that don't crunch the numbers seriously at the
beginning, these costs can later come back to haunt them in a big way.

Chapters 7 and 8 detail the processes involved in commencing an
outsourcing project, from requirements gathering to placing policy
against the outsourced company. A mistake many organizations make is
failure to ensure that the MSSP is abiding by the client's information
security policies, rather than their own.

Similarly, one of the most overlooked areas of outsourcing information
security functionality is regulation. A U.S. company may be under
numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and
more; when they outsource their security functionality, the remote
technician may not be under the jurisdiction of the SEC; but the
corporate data still must be protected according to those regulations.

The main part of the book concludes with chapter 9, which provides a
20-step process to determine if an outsourced security solution is
appropriate. In seven pages, the author specifies the various events,
tasks and steps that make up the typical outsourcing project.

Appendix A provides a breakdown of the various services that can be
outsourced, with Appendices B & C providing brief histories of IT
Outsourcing and Information Security.

The only downside to the book is its $85.00 price, which is at the
high-end for technology and business books. While the price is high,
the book is a huge value for anyone considering outsourcing security.  
The book asks the questions that are often never asked, and details
how the outsourcing of information security is not the slam-dunk that
the MSSPs often portray it to be.

For those who know what their security issues are and look to
outsource their security functionality to a trusted MSSP, Outsourcing
Information Security shows how it can be done. On the other side, for
those who are drunk with the panacea that outsourcing security is
supposed to provide, Outsourcing Information Security will be a
sobering wake-up call.

More information about the ISN mailing list