Security in outsourcing or cloud-based project: how to glue the client and the supplier views
The previous posts (find part 1, part 2 and part 3 here) discussed the need for businesses and outsourcers to collaborate in the development and implementation of IT security. Security entails controlling, mitigating or managing risks, and someone must take responsibility for this.
the missing link: the Information Security Officer
The outsourcer must provide a highly educated security professional who will sit between the client and its organization. This person, let’s call him the Information Security Officer, will ensure that security needs and requirements from the clients are well understood and that they fit within the proposed solution from the supplier. He will act during the build phase of any project but also be a main actor during the run phase.
the Information Security Officer: an audit facilitator
The Information Security Officer is a critical component of audits. When you request an audit, the outsourcer must ensure that all resources are available at the time of the audit. The scope of the audit must be understood and agreed. The Information Security Officer may perform the audit of the outsourced environment himself, or he may act as a facilitator between you and your chosen auditors.
This role of facilitator is “natural” for the Information Security Officer. Not only does he understand the project and the outsourced environment, but he also has a good understanding of
- your business,
- the reasons behind the audit
- and what is really needed.
He also knows who to contact for the necessary information, either inside the project team or within the organization.
This three-way knowledge – the project, the client and the organization – puts the Information Security Officer in an ideal position to drive audits smoothly and ensure that security controls are in place.
security meetings, processes and risk management: CSOs bring in their knowledge
The Information Security Officer participates in security meetings with his clients. This ensures that all findings, corrective actions and requests are correctly pursued. He also contributes his understanding of the outsourcer and of the timeliness and feasibility of his clients’ requests.
Many processes must be defined to enable efficient collaboration between the businesses. These processes touch security areas such as user management and incident management, since any failure in those areas could have a dramatic effect on both the outsourcer and the client in an outsourcing project.
Risk management is a pillar of security management. You may have assumptions about the implementation of your project but the Information Security Officer is in the ideal position to identify those assumptions and highlight risks that you may not be aware of.
Throughout the life of the outsourcing project, many changes will occur: new services will be implemented or you may contract with new partners. The world of security will also evolve: new technologies will be developed and new attacks will be deployed. The Information Security Officer will be fully aware of how each of these changes might affect his clients’ security solutions. He will assess the impact on the security of his clients’ data and present correct and verified information regarding any new risks. He will also suggest solutions and potential mitigation actions.
Whatever part of your IT or process is outsourced and whatever type of management (managed services, full outsourcing or the cloud) you prefer, the Information Security Officer is the only one who can ensure that all security aspects are fully considered and met. He is the only one with a 360° view of the project, your business and the outsourcer’s company. This view allows him to provide you with the unique guarantee that your requirements are perfectly understood, that audits will be executed correctly and that incidents will be correctly and efficiently managed.
Having an individual Information Security Officer in an outsourced project guarantees that security will be managed in the way that you want it to be managed.
Do you want to know more? Do not hesitate to download my whitepaper on this subject.
Photo credit: © XtravaganT - Fotolia.com
August 9, 2014, Outsourced IT Services Dallas: This is one technology that I would love to be able to use for myself. It’s definitely a cut above the rest and I can’t wait until my provider has it. Your insight was what I needed. Thanks
May 7, 2013, D&V Philippines: I would like to give an emphasis on this sentence from this article: "The outsourcer must provide a highly educated security professional who will sit between the client and its organization." I must agree that this is one of the biggest missing links among companies that offer outsourcing services. It feels great to read that from you. We all know that this business is very tough when it comes to competition, and if you don't have these kinds of staff who will deal with technical issues, then chances are big that you will be left behind by those companies that hire good employees to deal with their customers. Great article.