Date posted: 17-Dec-2015
© Robert G Parker – UW-CISA 2010
Dealing with issues when a portion or all of the provision of technology services is performed outside of the entity’s normal service delivery envelope.
• Loss of control (Priority, timing, effort, changing deadlines, etc.)
• Additional security risks (Lack of understanding of outsourcer’s security procedures, lack of knowledge of their consistent application)
• Concern over the inadequacy of IT governance procedures (Within the organization and at the outsourcer)
• Contract terms and service level agreements are not consistently met (Poor/inadequate contract management, lack of contract metrics and lack of timely reporting)
• Re-outsourcing of services to another third party (Concern despite contractual agreements, use of cloud computing by outsourcer, etc.)
Outsourcing
Manufacturing Costs
• Renaissance in USA industrial manufacturing by 2015
• 2015 – China only 10% to 15% cheaper than the USA
• 2010 – Caterpillar opening 600,000 sq-ft. manufacturing facility in Texas
Outsourcing Risks
• UCSF outsourced the processing of its medical transcripts to a U.S.-based company that outsourced the records to yet another company in the U.S.
• The second outsourcing company, in turn, sent the transcripts to a company in Pakistan for processing.
• A Pakistani data entry clerk attempted to extort money from the University of California at San Francisco’s (UCSF) Medical Center.
• The Pakistani clerk was having trouble getting paid for her work, so she directly contacted the University, attached some of the medical data she had as proof, and demanded payment, threatening that she would post all of the medical records on the Internet if she did not receive the money.
• The UCSF Medical Center asserted it was not even aware that sensitive medical records were processed offshore.
6 - Outsourcing
Business Risks
• Increasing labour rates in Asia
• Increasing transportation rates between North America and Asia
• Security concerns over intellectual property
• Lack of ‘hands-on’ control
• Language and cultural differences
• Regulating laws
• Cultural differences
6 - Outsourcing
Outsourcing Risk Management
• Implement more sophisticated automated manufacturing processes in North America
• Reduce transportation volume between North America and Asia
• Increase use of lockable/destructible software code vs. mechanical controls to protect intellectual property
• Repatriate ‘hands-on’ control (Your people in their land)
• Implement two-way cultural training
• Establish all laws to be in country exporting the work or technology
7 - Public Trust
Technology Appears to Present a Threat to Society
• Hackers, Security Breaches, Identity Theft, Viruses, Worms, etc.
• Concerns Over Data Theft, Confidentiality of Personal Information
• Concerns over Identity Management, Credit Card Fraud and Unauthorized Access or Sharing of Information
With warnings about viruses, worms, Trojan horses, phishing, identity theft, hackers, and an ever-increasing prevalence of malware, users of Information Technology have expressed legitimate concerns. With the business need to reduce costs, technology provides an enticing opportunity for eBilling, payments, distribution of newsletters, product information, and any number of product support scenarios. Users want assurance that their information is safe and that they are dealing with a legitimate business.
Public Trust
Information security management was reported to be third on ISACA's 2011 Survey of Top Business/Technology Issues.
The survey attributed the finding to a combination of high profile breaches and the large investment in security technologies.
The most significant issues were the unknown security threats or those security threats that are not fully assessed. Other issues, in order of ranking, that likely contribute to a lack of public trust include:
• Information security controls are not regularly assessed for performance and effectiveness.
• Top management is not involved "in setting direction and objectives for information security".
• "Lack of enterprise-wide information security awareness and training".
• Perception that security is owned by Technology.
• Lack of integration of information security into the culture of the organization.
Public Trust Risk Management
IT Governance
• Lack of enterprise-wide training and awareness of the risks
• Lack of enterprise-level ownership of the risk
• Lack of ownership, accountability and responsibility
• Lack of a security culture
Business Reaction
• 319% should be a wake-up call to businesses and professionals
• Cyber risks must be taken seriously
• Increased senior management involvement in security and the security message
• Initiation of an enterprise-wide security program
• C-suite responsibility and direction for the security program