School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
The globalisation of business and the growth of the digital networked economy mean that virtually any business process can be undertaken by someone else, somewhere in the world. To achieve business transformation within the UK Information and Communication Technology (ICT) sector, BT is taking a strategic approach to outsourcing; this has resulted in a rapid and substantial increase in the outsourcing and offshoring of ICT development, maintenance and support contracts. Every outsourcing decision can have major security, legal, regulatory and contractual impacts. It is generally recognised that risks are likely to be compounded when outsourcing to companies based in countries that have different political, economic and cultural environments and, consequently, that security assessments must be augmented to address this. Difficulties can also arise with the ongoing ownership of responsibilities for outsourced information and its processing, particularly when a number of vendors are involved with the same product or service. Outsourcing security risks are becoming increasingly dynamic and complex, have major business implications and require both tactical and strategic responses. This presents many challenges for corporate security functions and, to be effective, security assessments must feed into business risk assessments and decisions. This paper describes the approaches taken by BT to ensure that security risk assessments are conducted within a consistent framework and integrated into decision-making processes for outsourcing ICT contracts. Specific tools and techniques have been developed to ensure that engagement with stakeholders is effective and timely, that risks and requirements are identified and understood, and that risk mitigation and management strategies are implemented within appropriate compliance and governance frameworks. The method employed by BT is based on the UK Government's Infosec Standard No. 1: Residual Risk Assessment Method (IS1) and has been tailored to suit a commercial environment. To implement the method, many sources of security profiling data have been consolidated from across the business to create a full picture of information confidentiality, integrity and availability risks; this includes legal and regulatory issues and BT's responsibilities as a fundamental component of the UK Critical National Infrastructure. This has enabled new approaches to categorising systems and applications in terms of data value and impact. To cater for the 'industrial scale' volume of outsourcing requests, automation has been introduced to enable consistent and speedy assessments and to improve the means of communicating the results to stakeholders. The paper also highlights the importance of taking a hierarchical approach to conducting risk assessments and setting security requirements – within the context of system and contract lifecycles and the need for effective protective monitoring and audit regimes.