

Number of slides: 16

Sourcing & Management of Information Security
Sébastien BOMBAL, 4th March 2011 [slide 1]

Sourcing & information security? [slide 2]
- From outsourcing IT in the 1960s… to "cloud computing" in 2011.
- Why? Still the same objectives since the 60s:
  - Increasing focus on core competencies
  - Increasing competitive pressure (optimizing run cost and investment)
  - Accessing world-class capabilities and best practices
  - Sharing risk…
- What? From routine and non-critical tasks… to strategic processes that directly impact revenues.
- Where (is my data)? From your IT rooms… to a worldwide cyberspace.
- Who? From an identified subcontractor to cascaded subcontracting (chain of trust?).

Sourcing and common problems for security [slide 3]
- Risk: data theft, leak or unavailability
  - Data falls into competitors' hands
  - Publicized data leakage, theft or unavailability
  - Objectives not reached (cost, time, effectiveness and efficiency)
- Important details to check:
  - SLA (predefined non-negotiable agreements and negotiated agreements):
    - Licensing
    - Criteria for acceptable use
    - Service suspension, termination, limitations on liability
    - Privacy policy
    - Modifications to the terms of service
  - Audit capability
  - Data ownership and data location
  - Mutualized (shared) or dedicated
  - Measurement of service effectiveness
  - Compliance with laws and regulations
  - Use of validated products and vetting of employees
- And don't forget:
  - Erosion of in-house knowledge

Deploying ISO 27001 - best practices? [slide 4]
- Using a certified ISO 27001 service provider? Not really useful…
- Tasks (more details: http://www.club-27001.fr/supports/2009-06-11_AREVA.pdf):
  - Asset classification
  - Contracts
  - Risk management
  - Audits / reporting
  - Incident management
  - Dashboards
  - Awareness
- Run as a PDCA cycle: Plan, Do, Check, Act.

Classify your assets with an outsourced IS [slide 5]
- The longest task is inventory; inventory management is a difficult process.
- Asset types: applications, software, hardware…; users' sites or datacenters; documentation, contracts…; human resources.
- Feedback:
  - To be checked, but no inventory needed at the customer level.
  - To be checked, but no inventory needed at the client.
  - This can be even easier: usually specified in the contract, in the scope of operations.
  - De facto, providers want quality in asset management… to invoice.
  - Case of leasing.
  - Case of ASP, SaaS, PaaS, IaaS, …
- Even if everything is outsourced, do not forget your own assets:
  - Human resources, sites, documentation, file servers.

Deploying ISO 27001 - best practices? (slide 4 repeated) [slide 6]
- Using a certified ISO 27001 service provider? Not really useful…
- Tasks (more details: http://www.club-27001.fr/supports/2009-06-11_AREVA.pdf): asset classification, contracts, risk management, audits / reporting, incident management, dashboards, awareness; run as a PDCA cycle (Plan, Do, Check, Act).
- Why not use best practices for contract management? Like eSCM…

In a very few words: eSCM [slide 7]
- The eSourcing Capability Models are best practices to successfully manage your IT sourcing life cycle:
  - For the client organization: eSCM-CL
  - For the service provider: eSCM-SP
- eSCM-CL is a framework with 95 practices (measures) in 17 domains, evaluated through capability levels:
  - Level 1: Performing sourcing (at least you are level 1)
  - Level 2: Consistently managing sourcing
  - Level 3: Managing organizational sourcing performance
  - Level 4: Proactively enhancing value
  - Level 5: Sustaining excellence (at least two consecutive years at level 4)
- Maintained and published by ITSQC: http://www.itsqc.org/

Sourcing relationships & Information Security Management (ISM) [slide 8]

Deploying ISO 27001 - feedback [slide 9]
- Use ISO 27001 to reposition security and risk management as a support to IS management.
- Limit the scope & responsibilities (contract, service agreement, RACI, …) and, as a side effect, the scope to be certified.
  - Should be done for the in-sourcing model as well.
- Involve service providers (SP) in your risk management process.
- Maintain reasonable risk treatment plans.
  - Mix them with the different improvement plans.
- Audit & control SP commitments and evaluate your operational risk.
- Define and use dashboards and reports:
  - "Facts and figures"
  - Contracts are mostly managed through indicators & KPIs.

And my cloud? [slide 10]
- What is "cloud computing" for an IS function? Just a change of state of mind… not an outsourcing focus.
  1. Providing self-service resources to your business
  2. Standardizing and automating
  3. Tracking resources and cost
  4. Managing capacity planning
  - Providing a service catalogue
  - Implementing showback and chargeback processes (ABC (1) and ABM (2))
- And as usual you can "make … or buy".
(1) ABC: Activity Based Costing
(2) ABM: Activity Based Modeling

Managing extended IS [slide 11]
- Management system with a PDCA (Plan Do Check Act) approach: ISO 14001, ISO 27001, ISO 9001, COBIT.
- Security measures come from ISO 27002, but some of them are redundant with, or complement, ITIL and eSCM.
- ITIL, eSCM-CL, ISO 27002: the security measures to include in the contract.

eSCM-CL practices versus ISO 27002 (1/2) [slide 12]
- Linked with your ISO 27001 governance.
- Audit and control: security involvement needed.

eSCM-CL practices versus ISO 27002 (2/2) [slide 13]
- Linked with your 27001 SoA: security involvement needed.
- At least level 2 maturity for eSCM seems to be enough, with a few level 3 measures.

In conclusion [slide 14]
- Strong acceleration of security awareness in sourcing:
  - New players with cloud computing
  - Loss of visibility of data location
- ISO 27001 in an outsourced IS:
  - Manage contracts
  - Limit the scope for the auditor with contracts or agreements
  - Implement an asset management process to control security… and invoicing
- ISO 27001 is complementary with other methods like eSCM-CL, but these methods are not a substitute for continuous improvement of security.
- eSCM-CL can help you in your ISO 27001 project.
- Keep things simple!
  - Risk management
  - Security target

Bibliography [slide 15]
- eSCM official website: www.itsqc.org
- NIST: "Guidelines on Security and Privacy in Public Cloud Computing"
- Yesser / e-government program of Saudi Arabia: "Best Practices for IT Sourcing"
- Gartner: "Sourcing Strategies - Relationship Models and Case Studies"

Questions? Thanks for your attention. sebastien@bombal.org [slide 16]