Choosing a Service Delivery Model
CESG

Selecting the service delivery model that fits your organisation and delivers the required business and security outcomes is critical. Use the following SWOT (strengths, weaknesses, opportunities, threats) analysis to consider the advantages and disadvantages of the three most common models: in-house, procured and hybrid.

STRENGTHS

In-house
• In-house resources understand the business and the environment, and can make more business-focused risk management decisions.
• The organisation has complete control of all relevant security policies, procedures and processes.
• Sensitive operational activities and information are retained within the organisation.

Procured
• The supplier is responsible for recruiting, training and retaining security specialists.
• As a dedicated security organisation, the supplier is favourably positioned to hire and retain skilled resources, should have high security standards and should be regularly audited.
• The supplier offers expert and specialist services as a core business.

Hybrid
• The supplier offers expert and specialist security analyst services as a core business.
• The supplier can act as a critical friend and provide knowledge to help establish the in-house service.

WEAKNESSES

In-house
• Visibility of the risk landscape beyond the boundaries of the organisation can be limited.
• Recruiting and retaining security specialists.
• Ongoing security specialist training commitment.
• With little or no experience of operating this type of service, it will take longer to establish the service, exposing the organisation to increased risk in the meantime.

Procured
• Business information and monitoring data will be held off-site and managed by the supplier, raising additional risks.
• Maintaining the continuity of archived records to meet legal or regulatory requirements when a contract is terminated.

Hybrid
• The need to recruit and retain some specialists.
• The need for some ongoing specialist training.
• Maintaining the continuity of archived records to meet legal or regulatory requirements when a contract is terminated.
• Some business information and monitoring data will be held off-site and managed by the supplier, raising additional risks.

OPPORTUNITIES

In-house
• Maximise investment in existing security products.
• Reduction or redeployment of security resources for greater effect.
• Development of in-house specialist security skills.
• Flexibility to change the security operations services as required, encouraging a more pro-active and dynamic risk management approach.

Procured
• More informed risk management capability, as the supplier is developing analytic solutions to protect all of its customers.
• The supplier should see patterns developing across its customer set, and provide advance warning of attacks, allowing defences to be put in place.
• The supplier may already have an existing capability, if required.
• The supplier may provide mature incident response processes.
• Any dedicated security research capabilities within the supplier could benefit the organisation.

Hybrid
• Retention of sensitive operational activities and information within the business.
• Flexibility to tailor aspects of the service to meet specific risk management needs.
• First-level response could be retained locally, with the option to request support from external service providers.
• The supplier should see patterns developing across its customers that could provide advance warning of an attack and allow defences to be put in place.
• Development of some in-house specialist security skills.

THREATS

In-house
• In-house security analysts may not see wide-scale attacks developing.
• Easier for a malicious insider to collude with an in-house analyst.
• The in-house service could be swamped by a major incident.
• Lack of skilled analyst resources in the market.
• The amount of information generated by the monitoring capability could flood the organisation.

Procured
• The supplier may be responsible for numerous customers and may time-slice resources.
• The full business relevance of security events may not be understood.
• Not having an in-house capability may give a false sense of security, and affect the organisation's IA culture.
• The supplier may only offer a standardised service, which may not directly support the organisation's risk management objectives.
• Reduced flexibility and increased risk, due to long lead times to deliver changes requested by the organisation.

Hybrid
• Blurring of in-house and supplier responsibilities, possibly leading to service delivery confusion (especially in the areas of incident response and handling).
• The supplier may be responsible for a number of customers and may time-slice analytical and specialist resources.

© Crown Copyright 2015