建立一个安全有效的风险模型进行外包决策【外文翻译】.doc

1、本科毕业论文（设计）外 文 翻 译原文：Creating an effective security risk model for outsourcing decisionsBT has substantial experience of outsourcing and off-shoring, particularly to Indian companies, and supplier engagement processes are well established . BT outsources information and communications technologies (I

2、CT) work to a combination of strategic and tactical suppliers. A common contractual framework has been implemented for strategic partners since 2003 and this includes a comprehensive set of baseline security requirements that can be enhanced to appropriate levels, depending on the nature of the info

3、rmation assets concerned. BT has redefined offshore outsourcing from being a tactical means of reducing operational costs, into a strategic tool for business transformation. This has resulted in a significant increase in the outsourcing and offshoring of ICT development, maintenance, support and con

4、tact centre activities. At the same time, customers and stakeholders are becoming aware of their increasing reliance on electronic information and the risks posed by not just malicious acts, but also accidental exposure.Outsourcing and offshoring presents a more complex picture for conducting securi

5、ty risk assessments and the outcomes may have a major impact on operational and business decisions. BT has therefore reviewed its approaches to security risk management to ensure that outsourcing assessments are built into the new dynamic environment in which ICT programmes exist. This paper details

6、 the evolution of processes to meet these new needs. Specific models, tools and techniques have been developed to ensure that effective and timely engagement with stakeholders occurs, that risks and requirements are identified and communicated, and that risk mitigation and management strategies are

7、implemented within appropriate compliance and governance frameworks. The approach used by BT is based on HMGs Infosec Standard No 1: Residual Risk Assessment Method (IS1) .Security issues and risks are likely to change when sourcing outside your own organisation even if within your own country. Comp

8、lexity will increase when offshoring to third parties based in countries that have different political, economic and cultural environments. Security assessments must therefore be augmented to address these changes and the associated legal, regulatory and contractual requirements. Many offshore envir

9、onments will not have privacy laws equivalent to those mandated within the European Union (EU). The UK Information Commissioners Office (ICO) has found it necessary to highlight that outsourcing data processing to foreign suppliers does not absolve companies from protecting the data once it passes t

10、o a third party and that UK companies will still be liable for breaches . Other compliance factors also come into play BT, for example, is listed on the US Stock Exchange and must therefore adhere to Sarbanes-Oxley requirements for outsourcing systems. In general, customer requirements are becoming

11、more specific and varied and some may include no offshoring clauses.BTs prominent position within the ICT market makes it a target for threat agents seeking to cause disruption to its operational capability, to compromise the integrity of critical data or to steal information. BT is a core component

12、 of the UK Critical National Infrastructure (CNI) , a position that brings with it specific security responsibilities and the need to consider a wide range of stakeholders. Threat agents seeking to attack information or other assets belonging to UK CNI companies may find that they are able to operat

13、e more easily in some overseas countries where levels of protection are lower. Insider threats to information assets are well recognised. However, the use of outsourcing and off-shoring services can blur the distinction between a companys employees and third party personnel and great care must be ta

14、ken to ensure that physical and logical access controls remain effective in a changing and flexible environment. Stakeholder concerns regarding successful attacks on information are increasing, partly driven by reports about the abuse of personal data through fraud and identity theft within outsourc

15、ing companies .Activities and functions outsourced to third parties will vary, for example, some companies will specialise in software development while others will specialise in operational support, and it is possible that a number of third parties will be providing services for the same ICT produc

16、t. The nature of the contract will usually determine the type of access profiles that third party personnel will have to BT and customer information, e.g. powerful root access for support functions versus standard user access for helpdesk activity. In all cases, it is recommended that information se

17、curity requirements are decomposed into the specific subjects of confidentiality, integrity and availability and to consider these from the system life cycle stages covered by the outsource contract (e.g. requirements capture, design, development, test, operate and shut-down). This will create the g

18、ranularity needed to identify specific levels of security for different life cycle stages or contracts, e.g. application development using dummy data may require lower levels of security than operational stages accessing live customer data. It is also important to address security throughout the con

19、tract life cycle as well, i.e. through to contract termination and the UK national infrastructure security co-ordination centre (NISCC) has issued guidelines to facilitate this . One-off security assessments are insufficient and planned life cycle and contract changes over time provide an effective

20、trigger for risk management reassessments, i.e. on top of traditional triggers for revision such as major component changes or annual review. Many factors must therefore be assessed to identify security risks and subsequent security requirements and mitigation options, for example: international sta

21、ndards, such as ISO/IEC 27001 , BS7799 Part 2:2005 , BS7858 , BTs corporate security policy and privacy markings, regulation and legal requirements, e.g. UK Data Protection Act, UK Telecoms Strategic Review, The sarbanes-oxley act, customer security requirements individual, company and UK Government

22、, including imported privacy marking, CNI requirements, country-specific factors, e.g. political, economic, social, technological and legal environmental conditions, system life-cycle stage, contract life-cycle stage, base-line contractual security requirements, enhanced contractual security require

23、ments.The timely capture of these requirements in a form readily usable for input to risk models can, however, prove difficult. Many sources of requirements and system security information from across the organisation must be identified and consolidated to create the big picture of information secur

24、ity attributes.Global sourcing also brings with it an increasingly dynamic environment for which flexible responses are required. From BTs perspective, the recent increase in the volume of systems and applications earmarked for outsourcing presents another significant challenge for the security comm

25、unity; bottle-necks and constraints in risk assessments could cause delays in product launch or invoke contractual penalties.In summary, outsourcing security risks are becoming increasingly complex, have potentially high impact and must be built into business risk management processes. BT has theref

26、ore reviewed its approach to security risk management to ensure that outsourcing assessments are conducted using a consistent method, are built into the dynamic environment in which ICT programmes exist, and that the outcomes areintegrated into business decisions.It is recognised that there are limi

27、tations to the RM2 model it is a decision aid RM2, where outputs should not be used in isolation. However, RM2 has been judged to be an effective tool for speedy risk assessment providing stakeholders with useful and timely results to aid decisions at various stages of project and contract life cycl

28、es. Where necessary, RM2 will be complemented with other risk management techniques, e.g. the information assurance programme risk model will be utilised to assess certain CNI related risks, impacts or threats. As with all risk management processes, RM2 is designed for iterative use to assess change

29、s in risk over time; all businesses are in a constant state of flux and any changes will affect the risk profiles.The use, across a wide range of ICT programmes, of a common risk model and supporting tool for outsource risk assessments has the following benefits: better understanding of the drivers

30、for the costs and constraints of security, providing an input to the outsource cost-benefit analysis, outsource vendors can better understand the required security controls and the list of legal, regulatory and compliance standards which may apply, where the residual risk is deemed to be of an unacc

31、eptable level and the programme director chooses to accept this risk, it can be managed through the appropriate risk register and/or governance framework, consistency in assessment means that systems can be preferential early in the project life cycle for potential outsourcing opportunities or for a

32、dditional levels of protection, results can be expressed in ICT programme management- specific terminology, results can be aggregated to form the big picture view required by stakeholders and senior management, stakeholder confidence and reliance on results increases over time as a historical record

33、 of data is built and users grow their experience levels results form a key part of the outsource business case, common strategies for risk mitigation can be identified and lead to the raising of base-line security or policy the level of understanding of security risks among stakeholders has increas

34、ed to the point where the information required to make a suitable assessment is becoming increasingly available, risk management is never a one-off process, it is an iterative process, using of common model to allow different scenarios to be re-run with different inputs and outputs changes to aspect

35、s of the risk profile can be rapidly re-modelled to measure changes to the residual risk, an effective protective monitoring and audit regime is a key part of the compliance framework and BT has a series of vendor security audits scheduled this demonstrates a commitment to security and helps to deve

36、lop secure partnerships with an increased level of trust and assurance, and so, whenever a gap is identified through audit, vendors are committed to closing it and constantly raising levels of base-line security, boilerplate security clauses are now standard for all outsource contracts the specifica

37、tion of BTs security requirements has been instrumental for a number of strategic vendors in achieving compliance to international standards, e.g. ISO27001.BTs security community has successfully reviewed its approach to outsourcing security risk management to introduce a new risk model and supporti

38、ng process. These have been effectively integrated with decision-making processes and compliance and governance frameworks and have publicised senior management endorsement. It is recognized that security, though only one input, is a key input to making commercial decisions.Outsourcing business driv

39、ers have stimulated innovation and automation for collecting input for risk assessments, performing the calculations and disseminating the results. The wide-scale review of data sources and security attributes has led to new approaches to categorising systems and applications and to the understandin

40、g of data in terms of its value and impact to BT and stakeholders.The ability to identify the key risk factors applicable to outsourcing, namely, specific environmental conditions, the number of third party personnel involved in the contract and the level of trust given to these personnel, provide f

41、actors that will drive mitigation strategies. It is now relatively straightforward to identify situations, e.g. based on the consolidated impact value of the data, where it is known that no current cost-effective outsourcing solution exists. The importance of protective monitoring and audit regimes

42、has been highlighted for BT and its outsourcing partners from both a compliance and assurance perspective and is being used to create effective engagement to raise security thresholds and discuss security issues. Further work is planned to integrate compliance and audit regimes. Complacency must be

43、avoided. As customers begin to appreciate the value of their data and the importance of accessing it where and when they need it, the topic of security will continue its rise in significance. Globalization, coupled with the requirement for more open networks, will continue to increase and result in

44、corporate infrastructure fragmentation and the breaking down of traditional boundaries. At the same time, approaches to security must also evolve moving the focus from the infrastructure to the client, application and eventually the data level. Source: C Colwill,A Gray,2007. “Creating an effective s

45、ecurity risk model for outsourcing decisions”. BT Technology Journal .Vol.25, no. 1. January.pp. 79-87.译文：建立一个安全有效的风险模型进行外包决策英国电信有着经验丰富的外包和离岸外包经验，尤其是印度公司和供应商建立着良好的关系。英国电信的信息和通信技术外包工作提高一个供应商的组合战略和战术。自从2003年起，战略合作伙伴的共同契约框架已经实施，这里面包括了基本安全，根据有关资讯资产可以适当提高综合设置的水平。英国电信重新被定义为一种降低运营成本的一个战术手段，是业务转型的战略工具。这导致了信

46、息和通信技术外包的发展，维护、支持和联络中心活动的外包显著增加。 与此同时，客户和利益相关者逐渐意识到他们增加了电子信息的依赖不仅带来了风险，但意外的是恶性行为也随着曝光。 离岸外包为了开展安全风险评估提出了一种更为复杂的方案，结果可能对营运及业务决策产生重大影响。因此，英国电信已经审查了其安全风险管理方法，以确保外包的评估是在新的存在信息和通信技术方案的动态环境中。本文详细介绍了进程的发展，以满足这些新的需求。具体的模型、工具和技术已被开发，以确保利益相关者及时有效地运用，在适当的合规性和治理框架中实施、确定和传达这种风险要求，来进行风险缓解和管理战略。英国电信使用的这种方法是根据英国政府发

47、布的信息安全标准第1号：残余风险评估方法来确定的。组织在外采购时，即使在自己的国家，安全问题和风险也可能会发生改变。当离岸发生在有不同的政治基础经济和文化环境的第三方国家时，离岸外包的复杂性将增加。因此，安全性评估，必须增加应对这些变化的相关法律、法规和合同的要求。欧洲联盟的规定许多近海环境的法律没有隐私权。英国信息办公室专员认为有必要强调指出：数据处理外包给外国供应商并不能免除保护数据公司，一旦它传递给第三方，英国公司仍可对行为负责。其他合规因素也开始发挥作用。例如，股票在美国证券交易所的公司系统外包必须依照萨班斯法案的要求。总的来说，客户的要求越来越具体越多样，有些还可能包括“不外包”条款

48、。 英国电信在信息通讯技术市场的显眼位置使它成为威胁造成破坏寻求其业务代理人的目标，会致使数据的不完整性和数据的被窃取。英国电信是英国国家的一个核心部分，是关键基础设施地位，相关利益者需要考虑具体的安全责任。英国长青国际集团受到代理信息或其他资产的攻击威胁，可能会发现自己是能够更轻松地在国外的一些国家那里等到低水平的保护，内线的威胁是信息资产计入当期损益。然而，使用外包和服务之间的差别模糊的公司的员工以及第三方的人员和必须非常小心，采取措施保证物理和逻辑的访问控制一直有效在变化和灵活的环境。干系人的需要考虑成功的攻击信息在增加，部分被报告的个人资料滥用因欺诈和身份盗窃在外包公司。活动和功能外包

49、给第三方将会发生变化，例如一些公司将专注于软件开发而其他的人将擅长于运营支撑、还有可能存在许多第三方为相同的信息与通信技术产品提供服务。合同的性质通常会决定访问类型，第三方人员将不得不将BT和客户信息发出，例如强大的根的准入和支持功能的标准下的用户访问求助的活动。在所有的情况下，建立信息安全要求的具体对象分解为保密的、诚信的和可用性的，考虑到这些从系统生命周期阶段涵盖了外包合同。这将会产生在不同的生命周期阶段需要识别的特定的安全级，如合同的应用程序开发使用虚拟的数据比运行阶段访问的现场客户数据可能存在较低水平的稳定性。同样重要的是要解决整个合同即生命周期的安全，通过对合同终止的英国国家基础建设安全协调中心颁布的指导方针，促进这一次性安全评估不足和计划生命周期和合同随时间变化而变化提供了有效的诱因，即风险管理上等传统触发了修订的主要成分变化或年度回顾。因此必须对多种因素的识别安全风险评估及随后