Outsourcing Information Security

According to Outsourcing Information Security, information must be as secure as any other business asset, and confidentiality, integrity and availability must be ensured, which is relatively easier in a closed environment. The challenge is to ensure these and still reap the benefits of outsourcing.

In the author's own words, "Outsourcing is as secure as you make it." The controls should be appropriate for the circumstances that suit the risks and business partner relationships.

C. Warren Axelrod provides a balanced, risk-based approach to outsourcing relationships in this book, which is targeted at managers and at senior information security and IT management who are directly involved in outsourcing or business partner relationships. This book is very good at explaining the issues one needs to identify, quantify and analyze to make the right outsourcing decisions without sacrificing security.

While other areas are touched upon, this book predominantly covers the security of outsourcing.

This book is well organized into nine chapters, three appendices and a bibliography. Each chapter is organized into paragraphs related to the topic, summary and references, and sufficient footnotes are provided. In some of the chapters, there is a "Next Chapter" paragraph, which explains how this chapter provides insight into the next chapter.

Chapter 1, Outsourcing and Information Security, defines IT outsourcing and traces the history of such services. It defines and clarifies outsourcing as distinguished from insourcing, cosourcing and intersourcing. Y2K is cited as the turning point for the emergence of outsourcing. Along with touching upon viruses and worms, chapter 1 covers shaky managed security service providers and the information security market.

Chapter 2, Information Security Risks, details several internal and external information security risks that are confronted daily. The internal source of threat is identified as a disgruntled employee with variants such as insider, opportunist and inadvertent destroyer. The external sources of threat are identified as hacker, thief, virus distributor, spy, cyberterrorist, etc. Vulnerabilities are identified.

Chapter 3, Justifying Outsourcing, deals with the motivations and justifications behind outsourcing. These are explained in detail under the broad categories of cost savings, performance, security, expertise, computer applications, support and financial arrangements.

Chapter 4, Risks of Outsourcing, features a long list of risks, including loss of control and quality of service. It also includes a table on opposing and common objectives of outsourcers and customers.

Chapter 5, Categorizing Costs and Benefits, offers greater detail on the tangible and intangible costs and benefits related to outsourcing. Chapter 6, Costs and Benefits Throughout the Evaluation Process, categorizes these into tangible/intangible, direct/indirect, objective/subjective, etc. Usage of such information collected in the evaluation process is addressed in chapter 7, The Outsourcing Evaluation Process—Customer and Outsourcer Requirements. The requirements are categorized as business, service and technology.

Chapter 8, Outsourcing Security Functions and Considerations When Outsourcing, delves into the specific security considerations that affect the outsourcing decision and how they should be handled. It presents the relationship between the CISSP body of knowledge and ISO 17799 security classifications with their appropriateness for outsourcing.

Chapter 9, Summary of the Outsourcing Process—Soup to Nuts, summarizes the full outsourcing evaluation and decision process. It consolidates the events, tasks and steps of the outsourcing process into 20 simple paragraphs.

Appendix A, Candidate Security Services for Outsourcing, evaluates the various candidate security services that might be performed by a third party.

Appendix B, A Brief History of IT Outsourcing, contains the history of outsourcing starting from the mid-1960s with facilities management and remote job entry (RJE), and ending with the latest entrants of straight through processing (STP) and mobile computing.

Appendix C, A Brief History of Information Security, covers the mainframe era, distributed systems, the World Wide Web and wireless revolution.

The author, C. Warren Axelrod, a director of Pershing LLC, has worked in many areas of security and infrastructure protection issues at firms such as SIAC and HSBC Securities, and has been a senior IT manager for more than 25 years.

Sarathy Emani, CISA, CISM
is the CEO of MEQPRIMA Advisory Services, helping IT organizations with software engineering, business process, quality assurance, information systems audit, knowledge management and IT security management. He has more than 21 years of experience in the software industry in Bahrain, India, Japan, Malaysia and the US. He is a member of the ISACA Publications Committee.

Editor's Note:

Outsourcing Information Security is available at the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail or telephone +1.847.253.1545, ext. 401 or 478.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.


© Copyright 2006 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved.


www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2006