Tuesday, October 27, 2009

Implementing Security: Week 10

As businesses gain more and more connectivity to the Internet and to business partners, the number of opportunities for security holes increases. As hardware and software become more complex, so does the possibility of security holes. Many security exploits are found and not reported, and, more significantly, there are still many potential security exploits yet to be discovered. Information security therefore becomes an important factor for many businesses.

Outsourcing is subcontracting a service, such as product design or manufacturing, to a third-party company; in this case, the service is information security. The decision whether to outsource or to do it in-house depends upon costs, available resources and capital. In some instances it is better to do it in-house, whereas in other cases outsourcing is the way to go.

Some advantages of outsourcing information security include:

- Businesses no longer have the hassles or the costs of trying to hire security professionals; it can be cheaper and provide access to superior, real-time service and specialized knowledge.
- An outsourcer will have qualified customer-focused staff to align security management with your business goals.
- The outsourcer will be qualified to provide you with ongoing support and will be up to date on the latest security issues, and should be able to separate the facts from the myths.
- Outsourcers will have extensive knowledge of the security market, both locally and globally, to keep you informed and make recommendations that help your business grow whilst enhancing security.

Disadvantages include:
- Loss of Control
- Viability of Service Providers
- Quality of Service Provided
- Differing goals of business and outsourced security personnel

A request for proposal (RFP) is like tendering, where invitations are sent to suppliers asking them to submit a proposal on a specific commodity or service. Doing so brings structure to the procurement decision and allows the risks and benefits to be identified clearly upfront. The added benefit of input from a broad spectrum of functional experts ensures that the solution chosen will suit the company's requirements.

Evaluation:
Before deciding to draw up a contract with a third-party service provider, it is important that the contract is evaluated and the viability of the service provider is thoroughly appraised. There have been a number of immediate and dramatic instances of failure of managed security service providers (MSSPs), which threatened the ability of customers to stay in business. Before entering into a service-provider arrangement, the prospective purchaser of the services should perform a complete and detailed due diligence process.

After evaluation comes contract award, where the Project Manager accepts the most appropriate and satisfying bid from third-party organizations.

Exit Strategy:
The agreement between the customer and outsourcer should anticipate the potential failure of the service provider and include provisions for such an event. These provisions should include a set of contingency plans allowing the customer organization to avail itself of alternative facilities and resources or to take over those resources of the outsourcer that have been applied to the customer’s particular service.

There are many reasons why a company might go out of the service-provider business. Some are due to internal factors, such as poor management, inadequate funding, and employee misdeeds. Others relate to external factors, such as industry trends, downturns in the general economy, and mergers and acquisitions. One of the most insidious causes for failure is damage to reputation. This can be real or perceived. A major factor can be broad awareness of customer dissatisfaction if it is made known through disparaging articles in the press, badmouthing among industry members, or other forms of communication.
