Organizing for Security in an Outsourced Environment

While the primary roles for information security are relatively easy to identify (but somewhat more challenging to implement), organizational dynamics in outsourced organizations complicate matters. A process-based approach facilitates practical allocation of responsibilities.
Written by Tom Scholtz, Contributor

While the primary roles for information security are relatively easy to identify (but somewhat more challenging to implement), organizational dynamics in outsourced organizations complicate matters. A process-based approach facilitates practical allocation of responsibilities.

META Trend: Consolidation of security responsibilities (2003/04) will be followed by the establishment of clear accountabilities and separation of duties (2003-05). The percentage of organizations investing more than 1.5% of their IT budget in information security will increase from 40% in 2002/03 to 70% by 2005. Scalability, auditability, and liability requirements will force organizations to adopt a process-oriented approach to security management (2003-05), as resource constraints accelerate the use of managed security services.

As organizations continue to look toward outsourcing IT functions, the implications on the information security organization must be managed effectively. The act of outsourcing IT functions does not constitute the transfer of risk, or for that matter, accountability for information risk management. Indeed, it places additional burdens on security leadership to ensure security activities are aligned among multiple parties. Furthermore, outsourcing must not result in the abandonment of separation-of-duties principles.

Best-practice strategies and metrics for dealing with information security in outsourcing relationships will continue to mature (2004/05), potentially being complicated by an increase in on-demand outsourcing (2005/06). Outsourcers will continue to attempt to capitalize on the importance of security to leverage add-on security consulting and systems integration services, and to unbundle existing deliverables into new, added-cost managed security products. Increasingly stringent regulatory requirements will not only force organizations to tighten up the security terms and conditions in their outsourcing contracts (2003/04), but also result in increased use of third-party security assessment and validation services.

Outsourcing potentially encompasses a whole spectrum of activities, from selective IT out-tasking through total IT outsourcing to business process outsourcing, resulting in an infinite range of different types of relationships and contracts. This Delta aims to provide best-practice guidance for situations of comprehensive IT outsourcing (i.e., where most or all IT functions have been outsourced). The objective is not to analyze security services outsourcing (i.e., to indicate which security services can be outsourced), but rather to guide decision making regarding the implication for security activities when substantial parts of the IT service delivery are outsourced. Regardless, these guidelines will typically also be of help in selective outsourcing situations. Of course, every outsourcing relationship is unique and these guidelines should - keeping separation-of-duties principles in mind - be adapted to suit specific realities.

Allocating Responsibilities
META Group research indicates that a process-based view of security responsibilities and activities provides the best foundation for developing an organizational strategy for information security in outsourced environments. Indeed, a well-defined set of security roles and its associated strategic and operational processes provides a framework against which respective responsibilities can be allocated (see Figure 1). Accountability for information security cannot be outsourced, as indicated by the fact that ownership for all processes and functions remains within the client organization.

Not surprisingly, leadership responsibility for relationship and strategic management is something that should never be outsourced. However, any specialized knowledge and support available from the outsourcer should be exploited whenever required, provided that such input is deemed impartial and in the best interest of the client. Selective use of third-party services for strategy and architecture work is also appropriate. In an outsourced environment, the scope of the security relationship management process expands to include management of all the information security interfaces and service levels with the outsourcer. Indeed, META Group has long held that successful outsourcing is largely predicated on the establishment and nurturing of effective relationships between client and service provider. The increasing importance of information security and risk management in this context speaks for itself.

The client organization should retain primary execution responsibility for most of the analysis/design processes and functions. A key cornerstone of an adaptive approach to information security is the development and implementation of processes (i.e., policy management, risk management, etc.) that enable business discretion in security solution design. Given the intimate knowledge of the business that this implies, such processes do not lend themselves to being outsourced. However, technology-specific expertise (e.g., cryptography, network security) can be provided by the outsourcer (or other service providers).

Awareness communications programs can potentially be executed effectively by external resources. However, communications materials and packaging should be structured in such a way that they are perceived as corporate messaging, not originating from the service provider. Simply put, the intended audience should interpret the communications as having originated from within the organization. By implication, the communications role fulfilled by local (i.e., within business units) security coordinators is something that should not be outsourced (unless the entire business process is outsourced).

In many organizations, the proactive security operations processes - specifically, monitoring, vulnerability research, and configuration management - lend themselves to being outsourced. In a perfect outsourced world, these processes should be provided by a third party to maintain separation of duties. Given the immediate potential impact on the business, the resultant need for intimate business knowledge, and the close interrelationship with disciplinary procedures, the reactive processes (incident response and forensics) should be executed by the client organization. However, specialized activities associated with forensics (e.g., evidence capture, maintenance of the chain of custody) could be outsourced selectively, preferably to an independent third party. In addition, user life-cycle management activities should be kept in-house, with administration tasks (e.g., provisioning, maintenance, termination) potentially delegated to the appropriate business units. Control over administration of the access rights of outsourcer staff members should preferably not be done by the outsourcer.

The outsourcer is responsible for ensuring that it understands the industry- and country-specific regulations pertaining to the client and maintaining the ability to: 1) comply with such regulations; and 2) provide sufficient “transparency” showing that it does comply and is thus accountable during audits.

A Word About Processes
Process alignment between client and outsourcer is a prerequisite for outsourcing success. This predicates a review of the tools and processes used by both parties, as well as an agreement to use one or the other, or an integration of the two sets. A key area of on-demand services is standardization, and during the next few years, it is likely that vendors will offer price concessions to clients that are willing to conform to their security processes.

In addition to providing a model for allocating responsibilities between client and outsourcer, security processes also enable specific associated metrics. These metrics potentially form the foundation for effective security service levels to be negotiated and instituted as part of the outsourcing relationship. Furthermore, effective security auditing is crucial in an outsourced environment, and the nature of processes (i.e., a predefined set of actions executed in a predefined sequence, with consistent decision points) enables improved auditability.

Bottom Line: Outsourcing IT does not transfer risk or accountability for information security. Organizations must use a process-based approach to delineate security responsibilities between themselves and their outsourcers.

Business Impact: Failure to implement a clear organizational and responsibility construct with service providers exposes organizations with IT outsourcers to untenable risk.

META Group originally published this article on 12 January 2004.

Editorial standards