Tuesday, October 27, 2009

Implementing Security: Week 10

As businesses gain more and more connectivity to the Internet and to other business partners, the number of potential security holes increases. As hardware and software become more complex, so does the likelihood of security holes. Many security exploits are found and never reported, and even more significant is the fact that many potential security exploits are yet to be discovered. Information security therefore becomes an important factor for many businesses.

Outsourcing is subcontracting a service, such as product design or manufacturing, to a third-party company; in this case the service is information security. The decision whether to outsource or to do it in-house depends upon costs, available resources and capital. In some instances it is better to do it in-house, whereas in other cases outsourcing is the way to go.

Some advantages of outsourcing information security include:

- Businesses no longer have the hassles or the costs of trying to hire security professionals; it can be cheaper and provide access to superior, real-time service and specialised knowledge
- An outsourcer will have qualified customer-focused staff to align security management with your business goals
- The outsourcer will be qualified to provide you with ongoing support and will be up to date on the latest security issues, and should be able to separate the facts from the myths.
- Outsourcers will have extensive knowledge of the security market, both locally and globally to keep you informed and make recommendations that help your business grow whilst enhancing security.

Disadvantages include:

- Loss of Control
- Viability of Service Providers
- Quality of Service Provided
- Differing goals of business and outsourced security personnel

A request for proposal (RFP) is like tendering: invitations are sent to suppliers asking them to submit a proposal for a specific commodity or service. Doing so brings structure to the procurement decision and allows the risks and benefits to be identified clearly up front. The added benefit of input from a broad spectrum of functional experts helps ensure that the solution chosen will suit the company's requirements.

Evaluation:
Before deciding to draw up a contract with a third-party service provider, it is important that the contract is evaluated and the viability of the service provider is thoroughly appraised. There have been a number of sudden and dramatic failures of managed security service providers (MSSPs), which threatened the ability of their customers to stay in business. Before entering into a service-provider arrangement, the prospective purchaser of the services should perform a complete and detailed due diligence process.

After evaluation comes contract award, where the Project Manager accepts the most appropriate and satisfactory bid from the third-party organisations.

Exit Strategy:
The agreement between the customer and the outsourcer should anticipate the potential failure of the service provider and include provisions for such an event. These provisions should include a set of contingency plans allowing the customer organisation to avail itself of alternative facilities and resources, or to take over those resources of the outsourcer that have been applied to the customer’s particular service.

There are many reasons why a company might go out of the service-provider business. Some are due to internal factors, such as poor management, inadequate funding and employee misdeeds. Others relate to external factors, such as industry trends, downturns in the general economy, and mergers and acquisitions. One of the most insidious causes of failure is damage to reputation, which can be real or perceived. A major factor can be broad awareness of customer dissatisfaction if it is made known through disparaging articles in the press, badmouthing among industry members, or other forms of communication.

Thursday, October 22, 2009

Physical Security: Week 9

After reading chapter 9, I now understand why there are security policies and procedures in place. I did not realise that there were that many threats that could affect information. After reading about tailgating and thinking about it, I realised I have done a bit of tailgating myself without realising it, and I didn’t get pulled up on it. It takes a lot of planning to make a facility secure, with electronic monitoring, security related to physical theft, fire threats and many other forms that I wouldn’t even have thought of until reading this chapter.

After reading this chapter, I have come to realise the many security procedures that I need to go through at uni as well as at my workplace. For example, we need to swipe our uni cards to enter the IT and business labs after hours, and CCTV cameras are placed all over uni; these are just some examples of making the university secure.

I have a Toshiba laptop with a biometric feature (finger swipe). You can log into the computer with either a password or by swiping your finger. When I first purchased the laptop, I had all my fingerprints stored in the system, and no one can get into the computer unless I swipe my finger or they know what my password is. With Windows XP, there are a few pieces of software that you can use to either change the Windows logon password or find out what it is, whereas for Windows Vista, the software I have encountered does not work. In that sense, I think the information on my laptop is pretty secure.

Multinational businesses would definitely have electronic identity cards that must be worn at all times while working; they would have security guards in place, electronic monitoring (CCTV), alarm systems and fire detection systems. For people working in government organisations, in addition to the measures mentioned above, I would assume workers also need to go through a background/police check before being allowed to work for the government.