Duncan hine input2_ irm_and_outsourcing

Information Security Risk Management IT operation outsourcing A case study

Transcript of Duncan hine input2_ irm_and_outsourcing

Page 1: Duncan hine input2_ irm_and_outsourcing

Information Security Risk Management

IT operation outsourcing

A case study

Page 2:

Page 3:

Based on a real project

Identities protected and altered – does not affect the process that was used

A sensitive defence organisation needs to be more cost effective

Already has long term outsource partner

Mid contract break point drives improvement

Perception that security experts will say no

This is based on current policy

Page 4:

Page 5:

Research and advice across defence sector

Many highly sensitive contracts and relationships

Key target for traditional and cyber attack

Already outsourced support in many areas but all delivered from inside UK

Urgent need to make more savings

Concept is to move back office processing and support to a low cost labour country

Page 6:

Use the process to establish threats and exploits

Look at sensitivity of assets affected

See if controls and mitigations can reduce these to acceptable levels

Stop, or go ahead and accept the residual risks

Sounds simple but only works if you understand how the exploits will happen

Page 7:

Move offshore:

No classified material at all

Human resource basic records

Travel expenses fulfilment

Purchase order ledger

Order generation

Payment of suppliers

Page 8:

Agree some risks to privacy sensitive records

No classified material included so low risk

Bulk data sets to be protected: no copying or transport in country

Staff in country to be vetted

Buildings to be secured to higher level

Subcontract suppliers to be vetted

Extra monitoring to be established

Page 9:

Threats from individuals, petty criminals and other low grade threat actors

Opportunistic not organised

No strategic goal

Security's first response is NO

Little explanation, just "a risk we don't need to take"

Page 10:

Leadership want to make the savings

Security role to establish the REAL risks

Then find ways of reducing them

Explain the result to leaders so they can decide if the residual risks are acceptable

Key is to find a way we can all say yes to a desirable initiative not find reasons to say no!

Page 11:

Threat sources FIS, competitors and sophisticated activist groups

Want to reverse engineer size of cyber defences on new order for sensitive web hosting contract

Purchase order ledger is moved offshore

Use open source to establish likely timing of orders for components and services

Penetrate data centre offshore via traditional human methods or cyber attack

Collect and analyse project identifiers in database

Collect orders and establish scale of servers and defences

Mobilise denial of service resources now known to be able to destroy hosting at will

Page 12:

Threat actors FIS, crime, competitors want to identify targets for corruption related to specific contracts

HR and travel expenses moved offshore

Use open source material to identify timing of contract negotiation and award

Target country is known - penetrate data centre or create and remove copy (could acquire rotating backups)

Mine travel expenses to find all trips to target country in window and create long list

Qualify list with HR system: look for expensive life, large family, lower bonus etc

Go back to expenses to find detailed behaviours: bar bills, timing, phone call duration ...

Short list targets and move to more traditional methods

Page 13:

Open source used to index low grade bulk data

Structure of data is as valuable as the data itself

Mining and profiling used to enrich data

Traditional methods still needed but this improves chance of success significantly

Access to data set or actual system is assumed in target country despite countermeasures

Cyber attacks are used to enhance traditional approaches

Page 14:

Scramble data before offshoring

Remove structure from orders

Reassemble in UK

Anonymise HR records: numeric identifiers only, with address data and other pointers removed

Scramble travel expenses and attribute each claim to an index number, not a person

Other similar methods to scramble data and remove structure

All reinserted in secure enclave in UK
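The scrambling steps on this page, as an added Python example that is not from the case study or its outsource partner: direct identifiers are replaced by random index numbers whose mapping lives only in the UK enclave, and (my assumption, not stated on the slides) each data set gets its own indexes so the offshore HR and expenses copies cannot be joined the way the profiling chain on page 12 requires. All record values are constructed sample data.

```python
import secrets

# Constructed sample records; not data from the case study.
HR_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "address": "1 High St", "grade": 7, "dependants": 3},
    {"employee_id": "E1002", "name": "B. Example", "address": "2 Low Rd", "grade": 5, "dependants": 0},
]
EXPENSE_CLAIMS = [
    {"employee_id": "E1001", "destination": "Country X", "amount": 1200.0},
    {"employee_id": "E1002", "destination": "Country Y", "amount": 300.0},
    {"employee_id": "E1001", "destination": "Country X", "amount": 80.0},
]
DIRECT_IDENTIFIERS = {"employee_id", "name", "address"}

class Enclave:
    """UK-side vault: the only place an index number can be turned back into a person.
    Indexes are random and issued per data set (assumed design), so the offshore HR copy
    and the offshore expenses copy cannot be joined on a shared key."""
    def __init__(self):
        self._to_person = {}  # (dataset, index) -> employee_id
        self._to_index = {}   # (dataset, employee_id) -> index

    def index_for(self, dataset, employee_id):
        key = (dataset, employee_id)
        if key not in self._to_index:
            idx = secrets.token_hex(8)  # unpredictable, carries no structure
            self._to_index[key] = idx
            self._to_person[(dataset, idx)] = employee_id
        return self._to_index[key]

    def person_for(self, dataset, idx):
        return self._to_person[(dataset, idx)]

def prepare_for_offshore(enclave, dataset, records):
    """Strip direct identifiers and attach a per-data-set index before data leaves the UK."""
    return [{"index": enclave.index_for(dataset, r["employee_id"]),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}} for r in records]

def reassemble(enclave, dataset, offshore_records):
    """Back in the enclave: reattach the person to each processed record."""
    return [{"employee_id": enclave.person_for(dataset, r["index"]),
             **{k: v for k, v in r.items() if k != "index"}} for r in offshore_records]

def leaks_identity(records):
    """True if any offshore-bound record still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)

def can_be_joined(hr_offshore, claims_offshore):
    """True if the two offshore copies share an index value, the join the profiling needs."""
    return bool({r["index"] for r in hr_offshore} & {c["index"] for c in claims_offshore})
```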

Page 15:

Offshoring can go ahead with residual risk lower than the original solution

Savings reduced by about 20% to pay for enclave in UK

Information asset owners much more aware of real high impact risks

Partnership with outsource provider strengthened

Partner takes security function into other customers as expert adviser and secures new business

Page 16:

Threats from sophisticated sources not well understood by asset owners

Assumption that security will say NO!

Savings reduced but project still went ahead and delivered a large net saving

After the solution, risks were lower than with the original solution

Ready for next break point: offshoring can now go to any country, even very high risk/low cost environments