Outsourcing Services: Providing the Bridge Between Companies and Outsourcing Providers Around the World. IT Security in the Context of Outsourcing Contracts


Page 1

Outsourcing Services

Providing the Bridge Between Companies and Outsourcing Providers Around the World.

IT Security in the Context of Outsourcing Contracts

Page 2

Table of Contents

Trestle Group - Introduction

Outsourcing – Results of a Survey

IT Security - Framework

IT Security Using the Example of ASP

Page 3

Trestle Group - Introduction

Service: focus on offshore outsourcing activities. Advice on formulating the outsourcing strategy, selecting suitable offshore partners and actually implementing the project / BPO.

What we do not do: support on legal questions!

Industry focus: telecommunications, financial services, manufacturing.

Locations: Frankfurt (HQ), Zurich, London, New York and Amman


Page 5

Outsourcing Alternatives

Figure: outsourcing alternatives (BPO; applications (ASP); infrastructure, hardware) plotted by activity, contrasting the outsourcing framework with outsourcing practice.

Outsourcing activities will shift towards BPO in the future. In Germany in particular there is still a lot of potential in application and infrastructure outsourcing. Selective outsourcing appears to be prevailing over complete solutions.

Page 6

Trestle Group Research – Survey, Summer 2004

Industry scope: telecommunications, financial services and manufacturing.

Geographic scope: 16 countries, mainly EU

Figure: current outsourcing activities.

Page 7

Trestle Group Research – Opportunities of Outsourcing

Besides the obvious cost advantage, the availability of resources and their greater flexibility play an important role.

Figure: advantages of outsourcing.

Page 8

Trestle Group Survey – Challenges in Outsourcing

Critical success factors: "healthy" relationships are the key to success

Major challenges: the "legal part" is given high priority, especially against the background of offshoring.

Figure: success factors versus challenges.

Page 9

Trestle Group Survey – Where Do Companies Want to Outsource To?

Besides established countries such as India and the Philippines, further attractive alternatives are establishing themselves. The wide choice makes careful selection necessary, taking into account, among other things, the legal framework conditions.

Figure: where to outsource?


Page 11

What Is IT Security Risk?

Figure: what is at stake: customers, reputation, capital, people, shareholder value.

"The exposure to loss or damage from the reliance upon information technology to achieve organizational goals."

Page 12

IT Security as a Risk

Information contributes to the achievement of a company's goals.

Risks are anything that endangers the achievement of these goals.

Risks to information confidentiality, integrity and availability can threaten a company's survival.

It is essential to:

identify the risks specifically,

assess the impact of these risks,

assess the probability of occurrence of these risks, and

institute measures to mitigate the risks.

Page 13

IT Security Failures – Why, Who and What

Common causes of damage:

Human error 52%

Fire 15%

Dishonest people 10%

Technical sabotage 10%

Water 10%

Terrorism 3%

Responsible for damage:

Current employees 81%

Outsiders 13%

Former employees 6%

Types of computer crime:

Money theft 44%

Damage of software 16%

Theft of information 16%

Alteration of data 12%

Theft of services 10%

Trespass 2%

Source: Datapro Research

Page 14

IT Security Definition

IT security is a specific set of risk mitigation measures related to the

confidentiality,

integrity,

availability and

auditability

of data and systems. This encompasses manual and system processes, standards and technology-based solutions. These are interrelated to form a coherent control system based on a set of clearly defined policies.

Operational risk covers all risks associated with internal processes, systems and people. Thus, IT security is a specific subset of operational risk.

Page 15

IT Security Objective - Integrity

Integrity of Data or Systems

Ensuring that information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

Figure: the four IT security objectives: integrity, confidentiality, availability, auditability.

Page 16

IT Security Objective - Confidentiality

Confidentiality of Data or Systems

Protecting the information of customers and the institution against unauthorized access or use.


Page 17

IT Security Objective - Availability

Availability

Ensuring authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.


Page 18

IT Security Objective - Accountability

Accountability

Ability to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.


Page 19

Examples of IT Security Risks

The slide is a matrix of risk examples by area and security objective (confidentiality, integrity, availability, auditability), reconstructed here row by row:

Physical Facilities
  Confidentiality: Intrusion, physical attack
  Integrity: Intrusion, physical attack
  Availability: Destruction, fire, water, physical attack
  Auditability: Ineffective physical security

Hardware
  Confidentiality: Theft of codes, e.g. HW encryption
  Integrity: Physical attack, damage
  Availability: Destruction, theft, fire, water
  Auditability: Non-detection

Networks
  Confidentiality: Hacking, spoofing, masquerading, eavesdropping
  Integrity: Firewall breach, code changes, backdoors, wiretaps
  Availability: Overloads, spamming, worms
  Auditability: Ineffective intrusion detection

Raw Data
  Confidentiality: Theft, copying, industrial espionage
  Integrity: Modification, viruses, Trojan horses, worms
  Availability: Loss, unrecoverability
  Auditability: Non-detection

Systems
  Confidentiality: Theft of codes, exposure of system entry points
  Integrity: Changed programs, Trojan horses, viruses
  Availability: Erasure, errors, system malfunction, worms
  Auditability: Non-detection

Information
  Confidentiality: Exposure, theft, publicity, copying, password exposure
  Integrity: Erasure, modification, masquerading
  Availability: Erasure, loss of backup, obsolete archive copies
  Auditability: Non-detection

Page 20

Examples of IT Security Risks: Controls

The slide is the matching matrix of controls by area and security objective (confidentiality, integrity, availability, auditability), reconstructed here row by row:

Physical Facilities
  Confidentiality: Physical access control, IDs, biometrics
  Integrity: Physical access control, IDs, biometrics
  Availability: Hot site, backup site, outsource
  Auditability: Physical security logs

Hardware
  Confidentiality: Restrict physical access, dark room operations, etc.
  Integrity: Restrict physical access, dark room operations, etc.
  Availability: Redundancy, multiple processors
  Auditability: System monitors and alerts

Networks
  Confidentiality: Restricting physical access, firewalls, DMZs, IPSec
  Integrity: Firewalls, secure servers, DMZs, virus control
  Availability: Redundancy, reliability (N, N+1, etc.), DRP, BCP
  Auditability: Access logging, system performance monitor

Raw Data
  Confidentiality: Encryption, physical protection, access controls
  Integrity: Access controls, restricted physical access
  Availability: Restore, recovery, mirroring
  Auditability: Error logging and reporting

Systems
  Confidentiality: Access controls to programs and systems
  Integrity: Access controls to programs and systems
  Availability: Checkpointing, system backups, restores
  Auditability: Service level reporter

Information
  Confidentiality: Encryption, access controls (user ID and password), PKI
  Integrity: Access controls (user ID and password), cards, biometrics
  Availability: Backups, archives
  Auditability: System logging

Page 21

Outsourcing and IT-Security

Major considerations:

We are still responsible for safeguarding our assets even if we have outsourced their processing.

In case of litigation, we are still liable for violations of data privacy law (Bundesdatenschutzgesetz, the German Federal Data Protection Act), even if the data is hosted by another company.

Intellectual Property resident in an outsourced facility may have a higher risk of being compromised

Data essential to company survival hosted in an outsourcing facility may pose a higher risk to the company

Page 22

Legal issues

Accountability for Security clearly defined in outsourcing contract

Legal enforceability of measures, e.g. monitoring of staff keystrokes

Compliance with legal statutes and regulations, e.g. electronic signatures, data privacy, encryption of cross-border data traffic, tax and, in some cases, transfer pricing

Sanctions for information security violations may not be enforceable, e.g. forcing an outsourcing provider to fire a staff member for security violations may not be easy

Retain the right to regular audits and recurring due diligence

Detection mechanisms to monitor security violations may be hard to enforce, e.g. video monitoring would be too expensive if the outsourcing facility is thousands of miles away

Mitigation measures may be illegal in the outsourcing provider’s country, e.g. vetting employees, requiring disclosure of assets, etc.

Proving violations may be difficult

Enforcing liability claims may be difficult

Different laws, e.g. some countries do not have data privacy laws


Page 24

Example – Application Service Providing

Application service providers (ASPs) are companies that provide business applications or program functionality over networks. In contrast to application hosting, where applications are provided specifically for one customer, in application service providing several users access the applications provided in data centres.

Framework contract: classic components are partners, product, pricing model, contract term, capacity planning, penalties for underperformance / non-performance, installation, etc.

SLAs: classic subdivision into application, network and hosting. IT security, as a cross-cutting topic, is found in all three sub-areas.

Page 25

Application – IT Security Relevance

Application: definition of the application functionalities

IT security aspects:

Protection against unauthorised access and guaranteed access for authorised persons. Establishment of role profiles for selective access based on a well-founded authorisation concept.

Protection of the application against external attacks.

Ensuring the stability of the application.

Page 26

Network – IT Security Relevance

Network: network connection between ASP and customer

IT security aspects:

Encryption of data in transit over public lines.

No data loss when transmitting information.

Installation of a VPN (Virtual Private Network) using encrypted TCP/IP connections. Possible trade-off between security and performance.

Possibly redundant line design.

Page 27

Hosting – IT Security Relevance

Hosting: definition of the requirements for service and infrastructure.

IT security aspects:

Description of availability and maximum downtime.

Data protection through regular backups by the operator.

Guaranteeing physical security, e.g. through fire protection definitions.

Page 28

Thank you for your attention

Switzerland: The World Trade Center, Leutschenbachstrasse 95, 8050 Zurich

Germany: An der Welle 4, 60422 Frankfurt am Main

UK: Ropemaker Street, EC2Y 9HT London

USA: 245 Park Avenue, 10167 New York, NY

Jordan: Hayek Building 1st Circle Road, Amman

Contact us

TRESTLE [email protected]

Offices: Zurich: +41 1 308 3972; Frankfurt: +49 69 759 38461; London: +44 207 153 1006; New York: +1 212 672 1740; Amman: +962 79 666 6014