SECURITY MANAGEMENT

Security issues must be confronted bearing in mind three points:

>> security must be embedded into the system; as an add-on it is much less effective

>> security is first of all a matter of how the relationship is structured and managed

>> the technical tools, indispensable as they are, cannot make up for shortcomings in the way the relationship is set up and managed.

In offshore outsourcing relationships, "managing security" means "guaranteeing" two things: non-disclosure of proprietary information, and continuity of service. The process that produces such guarantees is described in ISO/IEC 17799, "Code of practice for information security management" (since superseded by ISO/IEC 27002), whose risk-based approach mirrors the reasoning used to formulate insurance contracts. The basic idea is that the guarantee cannot be absolute (total security does not exist) but must be proportionate to the risks. The two aspects (non-disclosure and service continuity) are therefore broken down into their component risks, a process known as threat modelling. Once the threats have been identified, the workable solutions and their costs are considered. Solutions are of three kinds: preventive (technologies or policies), outsourcing-type, and insurance-type. The cross-evaluation of solutions against threats may be carried out either quantitatively (more detailed, but harder and more demanding in data) or qualitatively (less demanding in data and, in practice, far more widespread). The output of the analysis is the list of solutions (tools, procedures and policies, and insurance contracts) that best suit the customer's needs in light of the specific relationship being defined.
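The cross-evaluation of solutions against threats described above can be made concrete. What follows is an added example, not code from this page or from the standard: it takes two constructed threats (one per guaranteed aspect) and three candidate solutions (one of each kind) and runs both a quantitative evaluation, using annualized loss expectancy (ALE = asset value x exposure factor x annual rate of occurrence, the usual quantitative risk-analysis formula, which the page itself does not name), and a qualitative likelihood x impact matrix. All threat and solution names, the figures, the assumption that solution effects combine independently, and the rule for how a solution shifts a qualitative rating are assumptions made for the example.

```python
"""Cross-evaluation of candidate solutions against threats (added example).
Quantitative: ALE = asset value x exposure factor x annual rate of occurrence.
Qualitative: 3x3 likelihood x impact matrix.  Data and rules are constructed."""
from dataclasses import dataclass, field
from itertools import combinations

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Threat:
    name: str
    aspect: str             # "non-disclosure" or "continuity"
    asset_value: float      # value at risk (currency units)
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence
    likelihood: str         # qualitative estimate: low / medium / high
    impact: str             # qualitative estimate: low / medium / high

    @property
    def sle(self) -> float:  # single loss expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # annualized loss expectancy, untreated
        return self.sle * self.aro


@dataclass(frozen=True)
class Solution:
    name: str
    kind: str               # "preventive", "outsourcing" or "insurance"
    annual_cost: float
    aro_cut: dict = field(default_factory=dict)   # threat -> fraction of occurrences prevented
    loss_cut: dict = field(default_factory=dict)  # threat -> fraction of each loss absorbed/reimbursed


def residual_ale(threat, solutions) -> float:
    """ALE after applying the solutions; independent (multiplicative) effects assumed."""
    aro, sle = threat.aro, threat.sle
    for s in solutions:
        aro *= 1.0 - s.aro_cut.get(threat.name, 0.0)
        sle *= 1.0 - s.loss_cut.get(threat.name, 0.0)
    return aro * sle


def evaluate(threats, solutions) -> dict:
    """Quantitative cross-evaluation: expected loss avoided minus money spent."""
    baseline = sum(t.ale for t in threats)
    residual = sum(residual_ale(t, solutions) for t in threats)
    cost = sum(s.annual_cost for s in solutions)
    return {"baseline_ale": baseline, "residual_ale": residual,
            "annual_cost": cost, "net_benefit": baseline - residual - cost}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """3x3 matrix: product of the two levels, banded into low / medium / high."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def residual_rating(threat, solutions) -> str:
    """Qualitative counterpart (constructed rule): a solution removing at least half
    the occurrences lowers likelihood one level; one absorbing at least half of each
    loss lowers impact one level."""
    like, imp = LEVELS[threat.likelihood], LEVELS[threat.impact]
    for s in solutions:
        if s.aro_cut.get(threat.name, 0.0) >= 0.5:
            like = max(1, like - 1)
        if s.loss_cut.get(threat.name, 0.0) >= 0.5:
            imp = max(1, imp - 1)
    return qualitative_rating(NAMES[like], NAMES[imp])


def best_portfolio(threats, solutions, max_rating="medium"):
    """Subset of solutions with the highest net benefit among those that leave no
    threat rated above max_rating.  Exhaustive search: fine for a small catalogue."""
    best = None
    for r in range(len(solutions) + 1):
        for combo in combinations(solutions, r):
            if any(LEVELS[residual_rating(t, combo)] > LEVELS[max_rating] for t in threats):
                continue
            result = evaluate(threats, combo)
            if best is None or result["net_benefit"] > best[1]["net_benefit"]:
                best = (tuple(s.name for s in combo), result)
    return best


# Constructed catalogue: one threat per guaranteed aspect, one solution per kind.
THREATS = [
    Threat("source-code disclosure by provider staff", "non-disclosure",
           1_000_000, 0.5, 0.1, "low", "high"),
    Threat("provider site outage", "continuity",
           200_000, 1.0, 0.5, "medium", "medium"),
]
SOLUTIONS = [
    Solution("need-to-know access control + DLP", "preventive", 20_000,
             aro_cut={"source-code disclosure by provider staff": 0.8}),
    Solution("standby secondary provider", "outsourcing", 30_000,
             loss_cut={"provider site outage": 0.75}),
    Solution("cyber-risk insurance", "insurance", 15_000,
             loss_cut={"source-code disclosure by provider staff": 0.6,
                       "provider site outage": 0.5}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: ALE {t.ale:,.0f}, rating {qualitative_rating(t.likelihood, t.impact)}")
    chosen, result = best_portfolio(THREATS, SOLUTIONS)
    print("chosen:", chosen, result)
```

On these figures the search picks the standby provider plus the insurance policy and drops the preventive control, because once the disclosure loss is largely reimbursed the access-control spend no longer pays for itself in money terms. That is exactly the point a practitioner should treat with suspicion: an insurance-type solution compensates the financial consequence of a disclosure but does not undo the disclosure, so for the non-disclosure aspect the qualitative threshold (`max_rating`) or a policy rule that preventive controls are mandatory for certain threats should override a purely quantitative ranking. The ALE figures are only as good as the estimates fed in, which is why the qualitative route is the more widespread one in practice.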