Managing Risks and Security in Outsourced Environment

Managing Risks and Security in Outsourced Environment
Vincent Leung, CISSP, CISA, CISM, TOGAF
Enterprise Architect - Information Security
19 May 2011

Contents
1. About Cathay Pacific Airways
2. Outsourcing and its typical risks
3. Managing security in an outsourced environment

Key facts and figures
An international airline registered and based in Hong Kong
127 aircraft offering scheduled cargo and passenger services to 143 destinations in 39 countries and territories
Major shareholders: Swire Pacific Limited (43.97%), Air China Limited (29.99%), CITIC Pacific Limited (1.98%)
About 19,000 staff worldwide

Our vision and missions

Outsourcing footprints in Cathay Pacific
Information technology:
  Business solutions hosting (ASP / SaaS)
  Data centre hosting and management
  Application maintenance and development
  Network, server and desktop maintenance
Back office operations
Aircraft maintenance
Loyalty marketing
Ground handling (in small ports outside Hong Kong)

2. Outsourcing and its typical risks

What is outsourcing?
"Outsourcing is often viewed as involving the contracting out of a business function - commonly one previously performed in-house - to an external provider. In this sense, two organizations may enter into a contractual agreement involving an exchange of services and payments." (Source: Wikipedia)
Outsourcing can be onsite (outsourced staff working in the same location), offsite (outsourced staff working at a remote location within the same geographical area) or offshore (outsourced staff working at a remote location in a different geographical area).

Common reasons for outsourcing
Focus on core business activities
Reduce cost: do the same thing with less
Avoid headcount expansion
Flexibility with respect to both organization and structure
Think about these questions before deciding to outsource a business function or capability:
Is this a core function for the organization?
Does this function require specific knowledge, processes and staff that cannot be replicated externally?
Can this function be performed by another party for the same or lower price, with the same or higher quality, without inducing any risk beyond the organization's risk appetite?

Outsourcing has its benefits, drawbacks and risks
Possible benefits:
Economy of scale
Leverage service providers' experience with a wider array of skills, tools, techniques and methodologies
Well-defined specifications and better deliverable quality (as a result of having formal contractual agreements)
Less likely to induce scope creep (as service providers are sensitive to changes, which can be time and resource consuming)
Possible drawbacks and risks:
Service degradation, not meeting the SLA
Loss of key personnel
Fraudulent acts by disgruntled employees
Loss of flexibility to change (as everything is bound by contract)
Loss of control over information security
Non-compliance with regulatory requirements, e.g. data privacy violations
Offshore-specific risks, e.g. cultural differences

Risk reduction options in outsourcing
Establish measurable and shared goals and rewards
Use multiple suppliers to balance power
Perform regular reviews and benchmarking
Establish a contract change control mechanism
Make the scope of services modular in the contract and include provisions covering as many contingencies as possible
Implement short-term contracts with flexibility to extend
Conduct due diligence with the supplier to confirm the baseline set by the supplier in its initial proposal and subsequent negotiations
Form a contract management team and establish a strategic supplier management discipline
Establish a change management programme on the people side, helping affected staff adapt to the new working model

3. Managing security in an outsourced environment

Information security considerations in outsourcing
Embed security considerations in the outsourcing contract
Understand how the service provider will secure your data
In the case of offshore outsourcing, understand the legislative requirements regarding transborder flows of personal data
Security awareness should include your service provider
Last but not least, make sure you have the right to audit your service provider!

A checklist of the security considerations that should be addressed in an outsourcing contract (security controls area: contract clauses)
Security management: Security policies; Roles and responsibility; Compliance and auditing
Information protection: Information classification; Sharing of information to third parties; Information retention
Identity and access management: Identity administration; Identity auditing; Privilege management; Access control
End point and server security: Threat prevention; Vulnerability management
Network security: Threat prevention; Content filtering; Segregation
Application security: Development; Testing; Monitoring and audits
Physical and personnel security: Information facility access and workplace security; Background checks; Security skills and qualifications
Operations security: Security monitoring; Incident response; Disaster recovery

Wrap up
Outsourcing is a tool to achieve cost reduction and operational efficiency, yet the business benefits will be jeopardized if the outsourcing risks are not managed properly.
The risks of outsourcing should be identified and managed throughout the whole outsourcing project and contract lifecycle - obtain management oversight in managing the risks, because they are business issues.
Outsourcing contracts must address all relevant aspects of information security, such that service providers are obliged to protect the information of their clients.

End of presentation
vincent_leung@cathaypacific.com
+852-27474875