Outsourcing Services Providing the Bridge Between Companies and Outsourcing Providers Around the World. IT Security in the Context of Outsourcing Contracts.

Presentation transcript:


page 2: Table of Contents
- Trestle Group: Introduction
- Outsourcing: Results of a Survey
- IT Security: Framework
- IT Security Using the Example of ASP

page 3: Trestle Group - Introduction
- Service: Focus on offshore outsourcing activities. Advice on formulating the outsourcing strategy, selecting suitable offshore partners, and the actual implementation of the project / BPO.
- What we do not do: Support in legal matters!
- Industry focus: Telecommunications, financial services, manufacturing.
- Locations: Frankfurt (HQs), Zurich, London, New York and Amman

page 4: Table of Contents
- Trestle Group: Introduction
- Outsourcing: Results of a Survey
- IT Security: Framework
- IT Security Using the Example of ASP

page 5: Outsourcing Alternatives
[Figure: Outsourcing Framework. Labels: BPO; Infrastructure, Hardware; Applications (ASP); Activity]
Outsourcing practice:
- Outsourcing activities will shift toward BPO in the future.
- In Germany in particular, there is still a lot of potential in application and infrastructure outsourcing.
- Selective outsourcing appears to be prevailing over complete solutions.

page 6: Trestle Group Research - Survey, Summer 2004
- Industry scope: Telecommunications, financial services and manufacturing.
- Geographic scope: 16 countries, mainly EU
[Figure: Current outsourcing activities]

page 7: Trestle Group Research - Opportunities of Outsourcing
Besides the obvious cost advantage, the availability of resources and their greater flexibility play an important role.
[Figure: Advantages of outsourcing]

page 8: Trestle Group Survey - Challenges in Outsourcing
- Critical success factors: Healthy relationships are the key to success.
- Major challenges: The legal part has high priority, especially against the background of offshoring.
[Figure: Success factors versus challenges]

page 9: Trestle Group Survey - Where Do Companies Want to Outsource?
- Besides established countries such as India and the Philippines, further attractive alternatives are establishing themselves.
- The wide choice makes careful selection necessary, taking into account, among other things, the legal framework.
[Figure: Where to outsource?]

page 10: Table of Contents
- Trestle Group: Introduction
- Outsourcing: Results of a Survey
- IT Security: Framework
- IT Security Using the Example of ASP

page 11: What Is IT Security Risk?
The exposure to loss or damage from the reliance upon information technology to achieve organizational goals.
[Figure labels: Customers, Reputation, Capital, People, Shareholder Value]

page 12: IT Security as a Risk
- Information contributes to the achievement of a company's goals.
- Risks are anything that endangers the achievement of these goals.
- Risks to information confidentiality, integrity and availability can threaten a company's survival.
- It is essential to:
  - Identify the risks specifically
  - Assess the impact of these risks
  - Assess the probability of occurrence of these risks
  - Institute measures to mitigate risks

page 13: IT Security Failure - Why, Who and What

Common causes of damage:
- Human error: 52%
- Fire: 15%
- Dishonest people: 10%
- Technical sabotage: 10%
- Water: 10%
- Terrorism: 3%

Responsible for damage:
- Current employees: 81%
- Outsiders: 13%
- Former employees: 6%

Types of computer crime:
- Money theft: 44%
- Damage of software: 16%
- Theft of information: 16%
- Alteration of data: 12%
- Theft of services: 10%
- Trespass: 2%

Source: Datapro Research

page 14: IT Security Definition
- IT Security is a specific set of risk mitigation measures related to the confidentiality, integrity, availability and auditability of data and systems.
- This encompasses manual and system processes, standards and technology-based solutions.
- These measures are interrelated to form a coherent control system based on a set of clearly defined policies.
- Operational risk covers all risks associated with internal processes, systems and people. Thus, IT Security is a specific subset of Operational Risk.

page 15: IT Security Objective - Integrity
Integrity of Data or Systems: Ensuring that information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
[Figure labels: Integrity, Confidentiality, Auditability, Availability]

page 16: IT Security Objective - Confidentiality
Confidentiality of Data or Systems: Protecting the information of customers and the institution against unauthorized access or use.
[Figure labels: Integrity, Confidentiality, Auditability, Availability]

page 17: IT Security Objective - Availability
Availability: Ensuring authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
[Figure labels: Integrity, Confidentiality, Auditability, Availability]

page 18: IT Security Objective - Accountability
Accountability: Ability to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.
[Figure labels: Integrity, Confidentiality, Auditability, Availability]

page 19: Examples of IT Security Risks

Physical Facilities
- Confidentiality / Integrity: Intrusion, physical attack
- Availability: Destruction, fire, water, physical attack
- Auditability: Ineffective physical security

Hardware
- Confidentiality: Theft of codes, e.g. HW encryption
- Integrity: Physical attack, damage
- Availability: Destruction, theft, fire, water
- Auditability: Non-detection

Networks
- Confidentiality: Hacking, spoofing, masquerading, eavesdropping
- Integrity: Firewall breach, code changes, backdoors, wiretaps
- Availability: Overloads, spamming, worms
- Auditability: Ineffective intrusion detection

Raw Data
- Confidentiality: Theft, copying, industrial espionage
- Integrity: Modification, viruses, Trojan horses, worms
- Availability: Loss, unrecoverability
- Auditability: Non-detection

Systems
- Confidentiality: Theft of codes, exposure of system entry points
- Integrity: Changed programs, Trojan horses, viruses
- Availability: Erasure, errors, system malfunction, worms
- Auditability: Non-detection

Information
- Confidentiality: Exposure, theft, publicity, copying, password exposure
- Integrity: Erasure, modification, masquerading
- Availability: Erasure, loss of backup, obsolete archive copies
- Auditability: Non-detection

page 20: Examples of IT Security Risks: Controls

Physical Facilities
- Confidentiality / Integrity: Physical access control, IDs, biometrics
- Availability: Hot site, backup site, outsource
- Auditability: Physical security logs

Hardware
- Confidentiality / Integrity: Restrict physical access, dark room operations, etc.
- Availability: Redundancy, multiple processors
- Auditability: System monitors and alerts

Networks
- Confidentiality: Restricting physical access, firewalls, DMZs, IPSec
- Integrity: Firewalls, secure servers, DMZs, virus control
- Availability: Redundancy, reliability (N, N+1, etc.), DRP, BCP
- Auditability: Access logging, system performance monitor

Raw Data
- Confidentiality: Encryption, physical protection, access controls
- Integrity: Access controls, restricted physical access
- Availability: Restore, recovery, mirroring
- Auditability: Error logging and reporting

Systems
- Confidentiality / Integrity: Access controls to programs and systems
- Availability: Checkpointing, system backups, restores
- Auditability: Service Level Reporter

Information
- Confidentiality: Encryption, access controls (user ID and password), PKI
- Integrity: Access controls (user ID and password), cards, biometrics
- Availability: Backups, archives
- Auditability: System logging

page 21: Outsourcing and IT Security
Major considerations:
- We are still responsible for safeguarding our assets even if we have outsourced their processing.
- In case of litigation, we are still liable for violations of data privacy (Bundesdatenschutzgesetz), even if the data is hosted by another company.
- Intellectual property resident in an outsourced facility may have a higher risk of being compromised.
- Data essential to company survival hosted in an outsourcing facility may pose a higher risk to the company.

page 22: Legal Issues
- Accountability for security clearly defined in the outsourcing contract
- Legal enforceability of measures, e.g. monitoring of staff keystrokes
- Compliance with legal statutes and regulations, e.g. electronic signatures, data privacy, encryption of cross-border data traffic, tax and, in some cases, transfer pricing
- Sanctions for information security violations may not be enforceable, e.g. forcing an outsourcing provider to fire a staff member for security violations may not be so easy
- Retain the right to regular audit and recurring due diligence
- Detection mechanisms to monitor security violations may be hard to enforce, e.g. video monitoring would be too expensive if the outsourcing facility is thousands of miles away
- Mitigation measures may be illegal in the outsourcing provider's country, e.g. vetting employees, requiring disclosure of assets, etc.
- Proving violations may be difficult
- Enforcing liability claims may be difficult
- Different laws, e.g. some countries do not have data privacy laws

page 23: Table of Contents
- Trestle Group: Introduction
- Outsourcing: Results of a Survey
- IT Security: Framework
- IT Security Using the Example of ASP

page 24: Example - Application Service Providing (ASP)
- Service providers (ASPs) are companies that provide business applications or program functionality over networks.
- In contrast to application hosting, where applications are provided specifically for one customer, in application service providing multiple users access the applications provided in data centers.
- Framework agreement: Typical components are partners, product, pricing model, contract term, capacity planning, penalties for underperformance / non-performance, installation, etc.
- SLAs: Typically divided into application, network and hosting. IT security, as a cross-cutting topic, appears in all of these areas.

page 25: Application - IT Security Relevance
Application: Definition of the application functionality
IT security aspects:
- Protection against unauthorized access and assurance of access for authorized persons.
- Set-up of role profiles for selective access via a well-founded authorization concept.
- Protection of the application against external attacks.
- Ensuring the stability of the application.

page 26: Network - IT Security Relevance
Network: Network connection between ASP and customer
IT security aspects:
- Encryption of data during transfer over public lines.
- No data loss when transmitting information.
- Installation of a VPN (Virtual Private Network) using encrypted TCP/IP connections.
- Possible trade-off between security and performance.
- Possibly redundant provisioning of the line.

page 27: Hosting - IT Security Relevance
Hosting: Definition of the requirements for service and infrastructure.
IT security aspects:
- Description of availability and maximum downtimes.
- Data protection through regular backups by the operator.
- Assurance of physical security, e.g. through fire protection specifications.

Thank you for your attention
- Switzerland: The World Trade Center Leutschenbachstrasse, Zurich
- Germany: An der Welle 4, Frankfurt am Main
- UK: Ropemaker Street, EC2Y 9HT London
- USA: 245 Park Avenue, New York, NY
- Jordan: Hayek Building 1st Circle Road, Amman
Contact us: TRESTLE GROUP