BT Innovation Journal - Current Volume

Information Security Risk Management

Carl Colwill - BT Design Security Risk and Compliance

Global sourcing security requirements have long term implications that must be considered from the very start of risk assessments rather than treating them as supplementary tasks to be tackled at a later date when things go wrong. This paper looks at three important issues for any outsourcing information security risk management and compliance framework and summarises how BT has addressed them as part of its strategy to provide secure services and enhance customer experience:

Dealing with complexity: outsourcing, and particularly offshoring, brings with it a multitude of information security risks, issues and variables and attempting to deal with all of these can lead to "paralysis by analysis". Key risk factors must be identified, together with the level of granularity to be applied to assessments. Risk assessments should be designed to support business decisions and facilitate the ongoing management of risks.

Agility: the pace of business continues to accelerate and one outsourcing project may involve hundreds of systems or roles, but security input to business decisions is required within ever decreasing timeframes. Agile development approaches can be applied to security risk modelling processes to address this issue. Risk assessments should not be viewed as 'one-offs' and should avoid re-inventing the wheel each time by building upon strategic solutions.

Assurance and auditability: customers are now demanding assurances that their information remains secure, especially in outsourced environments. Security requirements and controls should therefore be designed from an 'end-to-end' perspective to facilitate audits and the implementation of compliance regimes. Many factors must be considered to ensure that compliance can be quantified effectively across a wide range of projects and vendors and that the resultant framework is able to provide assurances and evidence in a timely and consistent fashion.

1. 21st Century customer experience and the dynamic world of outsourcing

Customer experience is central to the design of BT's products and services. Customers want and expect speed, simplicity, control, lower costs, higher quality and overall a great experience. BT is investing £ 10 billion in its internet protocol (IP)-based 21st Century Network (21CN) which puts the customer at the centre of all new services, offering them control, choice, flexibility and resilience. BT uses two key measurements of success for designing solutions to enhance customer experience: getting it 'right first time'; and delivering in the shortest 'cycle time'. Innovation, agility and collaborative working are critical to achieving these goals.

At the same time, globalisation has had a pervasive impact and changed the way that business is conducted and information and communication technology (ICT) infrastructures are managed. The growth of the digital networked economy has resulted in high-speed, high capacity and relatively low cost communications. This has opened up new opportunities for sourcing work and made geographic location virtually irrelevant for many activities and services. In this dynamic world, businesses must transform or stagnate and global sourcing is a major weapon to achieve transformation. This is resulting in a rapid and massive expansion of outsourcing and, particularly, offshoring - where activities and data are transferred to third parties located in foreign countries or access to onshore data and services is provided to third parties from foreign locations. A KPMG survey showed that, in India alone, the value of the outsourcing industry swelled by 40% to $5.8 billion in 2006 compared to 2005 and is expected to reach $64 billion and employ three million people by 2012 [1]. The 2005/06 financial year saw the start of the aggressive rationalisation of BT's ICT programme support which has led to an unprecedented level of strategic sourcing to offshore locations.

The combination of global sourcing and an absolute focus on customer experience is having a major impact on BT's security teams, their engagement with internal and external stakeholders, the nature of the services provided and the tools and techniques used. These business imperatives present a more complex picture for conducting information security risk assessments where the outcomes may have an immediate impact on operational and business decisions and therefore customer services and experience. Customers are increasingly expecting resilience to security risks. This requires effective information risk management, compliance and governance frameworks but the implementation of these can prove problematic for some companies. A recent European survey indicated that nearly 50% of companies had not conducted any risk assessment on the organisations to which work was outsourced [2]. Further research shows that, in many outsourcing initiatives, governance is an area that is frequently underestimated in terms of time and investment as well as the technical architecture necessary to manage accountability [3]. Equally, security compliance topics should not be considered just because outsourcing arrangements are starting to fail; audit perspectives and audit input to protect information and systems are needed from the outset [21].

This paper describes how BT has evolved its approaches to information security risk management to ensure that outsourcing assessments are built into the dynamic business environment in which IT programmes now exist. New tools, techniques and processes to protect BT's and BT customers' information have been developed to ensure timely engagement with stakeholders and that information security risks and requirements are identified, communicated and managed. BT ensures that risk management strategies are linked with appropriate compliance and governance frameworks. Audit regimes are being designed to produce timely evidence and assurances - for BT's own use and for its customers. To achieve effectiveness and consistency, compliance requirements must be considered before the start of sourcing risk assessments: an end-to-end perspective must be maintained. This paper focusses on BT as a customer for development, support and business process outsourcing services; BT is also a major supplier of outsourcing security services to a wide range of global companies.

2. Outsourcing makes risk assessment more complex

Security vulnerabilities, threats and risks are likely to change when sourcing outside your own organisation even if within your own country. Complexity, in terms additional factors and new risk variables to consider, will increase when offshoring to third parties based in countries that have different political, legal, economic and cultural environments and each new organisational or regional factor may present new threats and risks or affect other factors. Risk assessments must therefore be augmented to cater for these changes and many requirements and factors must be taken into account, for example:

  • international security standards - ISO/IEC27001 [4], BS7858 [5];
  • sector-specific standards - Payment Card Industry (PCI) Data Security Standard [6];
  • corporate security policy and privacy markings;
  • regulatory requirements - UK Telecoms Strategic Review, US Sarbanes Oxley;
  • legal requirements - UK Data Protection Act (DPA);
  • customer security requirements - individual, company and UK Government, including imported privacy marking and "no offshoring" clauses;
  • UK Critical National Infrastructure (CNI) [7] responsibilities and Centre for Protection of National Infrastructure (CPNI) requirements [8], [11];
  • country-specific factors - political, economic, social, technological and legal environmental conditions (including local laws that may override UK laws or corporate requirements);
  • system, product and service lifecycle stages;
  • contract lifecycle stages;
  • baseline contractual security requirements (physical, IT and personnel);
  • enhanced contractual security requirements and other formal work package agreements;
  • vendor-specific environments.

Many sources of potential requirements from inside and outside the organisation must be identified and consolidated to create the 'big picture' of information security attributes; some of these may be implicit and require customer contact to verify. It can prove difficult and time consuming to prepare this information in a form useable as input to risk assessments.

The key message is that outsourcing is not simply a change in who is responsible for performing a piece of work. The enterprise contemplating global sourcing must manage the changing risks and establish an effective regime to ensure compliance to information security requirements. Security cannot be bolted on effectively at the end of outsourcing transitions and piecemeal approaches will result in inefficiency, potential gaps in protection and fragmented audit regimes. These challenges and the additional complexity involved can be considered from an agile and innovative viewpoint to help identify, design and deliver security solutions.

3. Modelling security risks

Typical targets for outsourcing risk assessments are:

  • networks;
  • platforms;
  • systems;
  • applications;
  • services;
  • products;
  • business functions;
  • roles and responsibilities;
  • personnel.

In reality most business processes tend to be a complex network of interrelationships between such entities and the overall security risk is not simply an aggregate of the individual risks. Increasingly, assessments require detailed decomposition and dependency analysis to identify critical components and potential vulnerabilities. This will impact on the choice of risk modelling tool, the level of granularity required in assessments and the use of the outputs. The business drivers behind information security risk assessments will also influence the type of analysis required and BT distinguishes two basic categories:

  • large scale outsourcing covering many targets;
  • detailed assessment of a single target or small number of targets.

The increase in the volume of targets earmarked for outsourcing presents a significant challenge for the security community: the former category relates to about 90% of the current security risk assessment workload and has become a 'business as usual' (BaU) necessity and urgent priority to help meet strategic transformation aims. For this BaU approach, tools based on the UK Government's Infosec Standard No. 1 Residual Risk Method (IS1) [9] are employed. The latter category remains a significant requirement but these cases occur less frequently. These assessments are generally based on the use of BT's Information Assurance (IA) Risk Model [10], especially where detailed vulnerability or threat analysis is required.

Each of the outsourcing requirements and physical, IT and personnel security factors listed earlier can introduce or affect risk modelling inputs and variables and a decision on the most appropriate and influential set to use is required. In basic modelling terms, risk can be calculated as a function of:

  • impact (based on the value of an asset);
  • likelihood (based on the threat of an attack).

In most situations risk modelling software will be needed to perform many hundreds of calculations to create even a baseline understanding of gross risk. Many additional calculations will then be needed to perform 'what ifs' to calculate residual risk after applying potential mitigation controls.

An initial, critical objective for the analyst is to determine the appropriate granularity to apply to the information security risk assessment. Granularity in this context refers to the number of factors and variables required to meet the objectives of the assessment task and to the depth of decomposition needed; some risk variables may have to be broken down into additional variables for analysis. This may vary from task to task and the nature of the target selected for risk assessment. For example, when modelling a range of threat actors and attack scenarios, the threat can be decomposed further into:

  • motivation;
  • opportunity;
  • capability

In all cases, it is advisable to decompose information security requirements into the specific properties of confidentiality, integrity and availability ("CIA"). The risk associated with these properties is then typically considered from a system lifecycle stage perspective to create granularity in results. Table 1 presents an example of different levels of information risk categories that can exist over a traditional system lifecycle: these will vary depending on the nature of the system and data.

PChanging information security risks
                                Table 1

This level of decomposition will produce results that help the analyst to differentiate between levels of information security requirements for each lifecycle stage, for example, application development using 'dummy' or 'anonymised' data may require less rigorous (and lower cost) security measures than operational stages using 'live' customer data.

Depending on the risk assessment task, it may also be necessary to consider security throughout the contract lifecycle as well, from initiation through to termination. If this further decomposition is required, specific contractual information can be gathered to determine the type of access profiles that third party personnel will have to corporate and customer information, for example, powerful 'root' access for support functions versus 'standard' user access for help desk activity.

Fine granularity requires more detailed modelling but may identify options for enabling outsourcing and cost-effective security solutions that would not have been seen at a coarser level of assessment. However, a trade-off is required: it is essential to avoid "paralysis by analysis" whereby too many inputs, variables and options are identified but cannot be assessed effectively or efficiently and therefore have limited use for business-oriented stakeholders and the decisions they must take. Typically, an analyst will start off with a coarse grained decomposition then refine the analysis by identifying additional factors and variables at lower 'layers' until the necessary level of detail required to meet the risk assessment task is obtained. Figure 2 presents an example set of layers of decomposition that can be applied.

Figure 2
          Figure 2

In more general terms, the key business drivers for outsourcing will usually relate to changes in:

  • environment (for example, regional and operational factors); 
  • user population (for example, the number of potential third party attackers and the type of access they will have).

These drivers provide focus for risk model inputs, threat actors, attack scenarios, risk priorities and for choosing appropriate risk mitigation controls. It may also be possible to identify those factors and variables that can be driven by assumptions, for example, baseline levels of security within strategic partners (though such assumptions should be backed up by tangible evidence: BT uses third party audits and a large body of security knowledge and experience to apply assumptions).

Focus on the outputs of risk assessments is equally important, for example:

  • security recommendations need to support business decisions on the choice of outsourcing options, vendors, regions and levels of protection;
  • mitigation controls should be chosen with long-term, end-to-end risk management and compliance requirements in mind and wherever feasible should reuse existing standards.

Each security requirement and control will need to be owned, implemented, monitored and integrated into risk management, compliance and governance frameworks. Each control will also have an implementation and in-life management cost associated with it and will need to be positioned appropriately as an investment to protect revenue and enhance customer experience and not just a security overhead.

4. Developing agile security responses

BT Agile [12] is based on the Agile Manifesto [13] and presents a fundamentally new way of developing products, services and enhancing customer experience. It changes the product development process - from the identification and evaluation of new opportunities to the development and delivery of those that provide the greatest benefit and with the best chance of success. The core principles of collaboration, iterative working and flexibility are applied to the product development process to:

  • involve the customer from concept to delivery;
  • focus attention on the best business-led rather than technology-led opportunities;
  • decide if and how BT should respond;
  • shape the product or service to match customer needs;
  • get the product to market as quickly as possible.

This is achieved by bringing people together from across the company to share their expertise and insight. Products are built iteratively with stakeholder involvement: this facilitates speedy customer feedback into the design and subsequent iterations. BT Agile provides a suitable background for BT's security community to address the need for timely and frequently updated risk assessments. It is evident that global sourcing creates a dynamic environment for which innovative and flexible responses are required and where 'right first time' and, particularly, 'cycle time' are crucial. We have seen that outsourcing requests are increasing rapidly but that security team input to business decisions is required faster than before. A key objective is to avoid delays in decisions for sourcing transitions that may be time bound for competitive advantages: bottlenecks and constraints in risk assessments could cause delays in product launch or invoke contractual penalties; this would impact on programme implementation and customer experience. Security assessments must therefore be integrated into development and business decision-making processes and not conducted in isolation.

Prior to the launch of BT Agile, it had already been recognised that traditional responses by security risk assessment teams had to change fundamentally to meet new business imperatives. BT was faced with a decision to find more and more skilled security professionals to resource risk assessments (a difficult task), or to change the method (or application of the method). IS1 was confirmed as the core outsourcing risk assessment method but a flexible 'front-end' was needed to streamline its use to drive speedy, effective and consistent analyses [14].

To achieve this it was necessary to rationalise the inputs to IS1. This required a wide-scale review of disparate sources of risk modelling data to identify key information security attributes and affinities from a variety of business impact analysis and security profiling processes, together with customer, legal and regulatory requirements. The results were consolidated to create a common understanding of Impact Levels (consistent with IS1 definitions) based on data value, sensitivity and potential impacts inside BT, on BT's customers and on the UK CNI. At first, significant effort was required to collect the data and identify gaps and potentially contradictory values. Much data cleansing was required to improve quality but this created a new set of credible and consistent security attributes loaded into a secure database that could be used across the security community.

This evolution paved the way for greater agile working within security teams. Options were reviewed to apply agile methods to stakeholder collaboration, the iterative design of modelling tools and the use of 'user stories' (used to help engagement with outsource projects via previous security experiences). To facilitate the delivery of risk management tools and techniques, internal customer-led approaches and 'small steps' (via rapid prototyping) are now being applied. A central aim is to make security assessments faster, easier to understand and directly useable by stakeholders who are not security professionals. From an output perspective, 'reuseable infrastructure building blocks' are being created. A "keep it simple" maxim is also being applied.

The IS1-based risk modelling tool has developed into an effective business decision aid called Risk Matrix 2.1 (RM2.1), implemented in 2006/07. RM2.1 removes the complexity of calculation from the sight of the user and aims to make the results intuitive. A 'RED-AMBER-GREEN (RAG) approach has been adopted to facilitate ease of communication and understanding, partly because this notation is widely used in the IT project management community. Thresholds and descriptions based on IS1 risk scores were then mapped onto each RAG status - see Table 2.

Red-Amber-Green status
                          Table 2

In most cases, a RAG status of AMBER will result in a recommendation for more detailed analysis and, where appropriate, the application of additional risk mitigation controls to reduce the RAG status to an acceptable level. However, in some cases, detailed assessment will be recommended for both RED and GREEN flagged targets, for example, where risk scores are close to thresholds or specific concerns exist. Where there is any doubt, or results require sensitivity analysis, a detailed IS1 or IA assessment will be recommended.

Further developments have taken place since 2006/07 to enable even greater stakeholder use of the RM2.1. A set of high level questions has been developed, known as the Due Diligence Questionnaire (DDQ) which has been successfully integrated with RM2.1 - see Figure 3.

DDQ and flow of RM2.1 decision making 
         Figure 3

The DDQ contains 11 basic questions relating to the nature of the target and the sensitivity of its information, the type of outsource access intended, implications for UK legal and regulatory requirements and the identification of any "no offshoring" customer requirements. These questions are designed to capture high level security requirements and can be answered by stakeholders in IT programmes and then only augmented with input from security professionals if necessary - and in the majority of cases, additional analysis is unnecessary. The top-down approach of Figure 3 can be applied at a variety of lifecycle stages, including agile iterations and it provides early indications on "go/no go" situations and areas where further investigations are required. To ensure that all sourcing decisions undergo consistent risk assessments the above process has been integrated into BT's Procurement Security Gate. Evaluation via the Procurement Security Gate is mandatory for all BT lines of business and contracts and new work packages with vendors will only be endorsed when evidence of risk assessment and results is produced.

One outsourcing work package may involve hundreds of systems or operational roles and this has led to the application of flexible 'batching' techniques where inputs are grouped together based on information security attributes and affinities. Batching has been greatly assisted by the data cleansing exercise referred to above and is being extended to encompass roles targeted for outsourcing. Input categories can now be populated speedily to automate risk modelling. This results in high volume, speedy assessments where one DDQ/RM2.1 assessment can cover many targets.

Keeping the end-to-end compliance and risk management requirements in mind, the results from risk assessments are fed into a secure database to provide audit trails and to allow the consolidation of results. Effort has also been applied to ensure that each risk assessment avoids re-inventing the wheel - not just the inputs but the outputs as well. Focus on the outputs, in terms of sets of risk mitigation controls that have some form of affinity, has enabled the identification of common security requirements and situations where enhanced or additional measures are needed. This leads to another agile (and best practice) principle - the creation of reusable building blocks, in this case mitigation control sheets (and templates). All common, core requirements have been extracted and built into baseline security requirements. Enhanced requirements (higher levels of security) are being consolidated into mitigation sheets to address situations that are expected to arise more than once. This has shifted security responses from one-off tactical or pragmatic measures to a more strategic perspective. The mitigation control sheets will typically be used to enhance security in cases where vendors have access to sensitive information (such as DPA personal data or CNI data) or powerful access to operational services or functions - see Figure 4.

Figure 4 
         Figure 4

Note that engagement with programmes using agile development and delivery methods can present challenges for the security community. This is typified by the move away from the traditional 'waterfall' process for system/product development. Agile development methods could result in "CIA" vulnerabilities and compromises, for example by diffusing the traditional boundaries between using 'dummy' data and using 'live' data. The right times must be chosen to achieve effective engagement and apply security assessments: these should be linked in with key development decision points, iterations and initial hothouse events. The appropriate times will vary and this requires focus and potentially significant effort at first.

5. Implementing risk compliance and governance frameworks

Information security risk management and compliance issues are rising up the agenda. Customers - individual, corporate and governmental - understand that organisational boundaries are being extended and they are increasingly demanding assurances that their information remains secure in changing ICT environments, especially when information is moved outside of trusted domains. These concerns are reinforced by recent high profile information security failures such as the UK Government's Revenue and Customs Department (HMRC) losing personal details of 25 million people (42% of the UK population) in a single incident [15]. This was closely followed by the UK Government's disclosure that nearly three million learner driver records - part an outsource contract with a company in the USA - had been lost, and then that 168,000 National Health Service (NHS) patient records were missing [16]. Customers and regulatory bodies are now ready to take action when they believe that information security, especially confidentiality, is at risk or has been compromised. This can have serious financial implications, such as the £ 1 million penalty imposed on the Nationwide Bank in the UK [17] and a similar £ 1.26 million penalty for the Norwich Union Bank for not implementing robust security controls [18]. The longer-term impact on reputation and customer experience and perceptions may be even greater. As a consequence of the imposition of mandatory corporate regulation, governance and legal requirements (for example, Sarbanes Oxley and the DPA), there has also been a significant increase in security awareness and the potential impacts of security failures, including the liabilities that companies and individuals may face [19]. Information security is only one input to commercial decisions, but it is now recognised that it is an essential input that can influence outsourcing risk appetites.

To deal with these concerns in an outsourcing environment effectively, companies must demonstrate that key information risk management components are being addressed, namely appropriate risk assessments, the effective implementation of risk mitigation controls, risk re-assessments, audit regimes, the provision of suitable compliance evidence and assurances and linkage with corporate governance frameworks. Risk management is never a one-off process, it is an iterative process and each stage should be considered closely - see Figure 5. The importance of accountability, documented audit trails and the production of records and evidence of implementing and maintaining controls should be noted and designed into compliance frameworks from the start, in order to save time and effort in the long run .

Figure 5 
         Figure 5

BT applies ongoing monitoring of information security risks with appropriate triggers for risk management re-assessments and audits. The use of a common risk modelling tool (RM2.1) allows different scenarios to be modelled with different inputs and outputs. Changes to outsourced systems or work packages and environments can therefore be re-modelled rapidly to measure changes in residual risk.

A framework is being designed to create assurances and evidence in a timely and consistent fashion; this includes governance requirements in terms of changes in risk and mitigation control ownership. A firm linkage has been established between security risk and business risk management, compliance and governance frameworks to help develop the corporate view of risk and assess potential aggregation effects across contracts and business strategies - see Figure 6. This includes vendor audit and in-life management considerations.

Figure 6 
         Figure 6

The building block approach to mitigation controls has many beneficial implications for facilitating compliance frameworks: the core set of baseline security controls (physical, IT and personnel) now have an emphasis on protective monitoring and audit. Wherever feasible 'best practice' controls, for example from ISO/IEC27001 and the CPNI, are imported to facilitate longer-term maintenance and credibility. Security requirements and controls are now being designed to facilitate audits and compliance regimes from the outset by including audit teams in their creation. The specification of the controls needs to be concise, consistent, understandable (by a diverse collection of stakeholders), implementable and auditable.

The establishment of effective audit regimes is central to ensuring ongoing compliance - both inside and outside the organisation - and BT security teams work closely with global sourcing bodies and internal audit teams to achieve this. For BT, the use of common standards and mitigation control sheets facilitates consistency in the quantification and comparison of findings of compliance reviews across a wide range of BT programmes and vendors. From the external perspective, security evaluations are made on all prospective vendors and these are followed up with full onsite audits once projects have been transitioned. These onsite audits are conducted not just to provide assurances and evidence on the levels of compliance to BT's security requirements, but also to verify the key risk modelling environmental assumptions used in RM2.1. One benefit of the building block approach to mitigation controls is to provide a hierarchy of audit requirements, priorities and reporting needs. To complement the 'baseline' audit regime, specific reviews, for example involving security specialists, can be scheduled to test the implementation of enhanced requirements.

From the internal compliance perspective, much depends on the accuracy of the inputs to the risk assessment process, namely the DDQs. BT security has therefore launched an audit function internal to BT programmes to check the veracity of DDQ returns and the ownership and implementation of BT-facing mitigation controls stemming from RM2.1 assessments. The results of these audits are being amalgamated with vendor audit results to target common areas for attention. Audit regimes should, ultimately, be able to provide evidence of compliance and assurance "on demand" to stakeholders. Opportunities for automating the creation of key pieces of evidence across a range of targets and vendors are now be considered, for example, authorisation audit trails and physical and logical access log analysis.

As a further improvement, the clauses of strategic vendor contractual requirements are being reviewed with the aim of harmonising security requirements across all types of framework contracts. This is taking into account the results of previous audits, BT and vendor stakeholder interpretations and levels of understanding, and will lead to the adoption new, common baseline standards and form an enabler for wider application of the building block approach to mitigation controls

6. Results of applying the approach

Global sourcing business drivers have stimulated innovation and automation for collecting input for information security risk assessments, performing the calculations, communicating the results, implementing controls and auditing their effectiveness. The security community is now more able to engage with stakeholders in flexible and agile ways to help meet BT's outsourcing objectives and ultimately improve service and customer experience. Maintaining an end-to-end perspective has proved invaluable for ensuring that benefits are carried through the risk management cycle into compliance activities. Agility has been applied to risk modelling solutions though it is recognised that this was driven, initially, by pragmatic reactions to client demands rather than developed within a defined framework. However, the end result provides a positive base for the expansion of formal agile principles. The wide-scale review of data sources and security attributes has led to new approaches to categorising systems and applications and to the understanding of information in terms of its value and impact to BT and stakeholders.

In terms of 'right first time' and 'cycle time', many achievements have been made. New tools have been developed and rolled out in quicker time, risk assessments are conducted faster, are easier to understand and can be used directly by business-orientated stakeholders. Risk assessments have also been integrated effectively with business outsourcing decisions via the Procurement Security Gate. Most noticeable is the large reduction in the time needed for an information security risk assessment, for example, in 2004/05 an IS1 assessment would take a minimum of 10 days, 12 months ago this had dropped to five days and now, using mitigation control sheets, this can be as short as half a day. For DDQs and RM2.1 GREEN results the outcome is effectively immediate and no further analysis or intervention from security experts is required. With regard to the Procurement Security Gate throughput, the period March 2007 to February 2008 saw 3909 DDQs completed, of which only 315 (approximately 8%) required further assessment by security risk analysts, namely those with AMBER and RED results; approximately 92% were GREEN - due to the application of consistent information impact level classifications - and could be outsourced directly subject to baseline security requirements.

A key feature in the new approach is focus and it is important to remember that this does not mean ignoring risk factors but concentration on the most important and influential. Risk calculations have been made simpler and easier to use, but without punching holes in the understanding and ownership of risk and the levels of protection implemented. The limitations of the DDQs and RM2.1 are recognised as they are designed as a decision aids for preliminary assessments rather than replacing a detailed risk assessment. However, they have been judged to be effective tools for speedy risk assessments and for providing stakeholders with useful and timely results to aid decisions at various stages of project and contract lifecycles; opportunities for potential outsourcing savings can be identified early in project lifecycles and before transition of work. As with all risk management processes, RM2.1 is designed for iterative use to assess changes in risk over time; sourcing strategies are in a constant state of flux and any changes will affect the risk profiles. The use of assumptions to drive certain factors, such as vendor environmental conditions, has proved necessary and is a key driver for reducing 'cycle time', but all assumptions can be challenged and changed on a case-by-case basis where additional input is either available or desirable. Assumptions are also subject to periodic review.

'Right first time' and 'cycle time' also apply to compliance topics. The need to build upon an effective outsourcing compliance framework is now central to all security risk management considerations. This longer term, end-to-end perspective and the building block approach for mitigation controls has helped to provide focus on key and common security risks and associated solutions and therefore avoid reinventing the wheel during each assessment - moving towards 'right first time'. Mitigations are designed with compliance in mind and this allows consistency in audit regimes and can reduce 'cycle times' for planning and executing audits. Compliance is quantified across a wide range of outsource projects and vendors and used to feed back assurances and evidence into risk management and governance frameworks. At present, 11 mitigation control sheets are used; these are based on the following requirements:

  • Business to Business (B2B) Gateways for strategic partners;
  • Business Impact Review (BIR) with classifications of 'serious' or 'critical';
  • CNI implications;
  • DPA Non UK plus privileged access;
  • DPA Non UK;
  • DPA Non UK, any BIR classification plus privileged access;
  • DPA UK, BIR (serious/critical);
  • DPA UK plus privileged access;
  • DPA UK;
  • DPA UK, BIR plus privileged access;
  • privileged access.

These templates have been created from combinations of standard controls and are generally applied to DDQ/RM2.1 'AMBER' results where the risks identified were unacceptable and additional controls are required. On average (during 2007/08), the frequency of use of the mitigation control sheets was approximately 10/month.

To stress the importance of security to third parties, BT deployed a full time security relationship manager to India in 2005/06 to oversee levels of compliance and also to provide advice and awareness on the reasons behind BT's information security requirements. Audits of vendor sites have since been used as opportunities to demonstrate commitment to security, raise security understanding and develop secure partnerships - for the benefit of both parties. This, in turn, should have a positive impact on sector and country levels of security, for example promoting the adoption of international standards such as ISO/IEC27001 and the need for thorough background vetting as part of the recruitment process. Whenever gaps are identified, firm commitments are sought from vendors to closing them and to maintain adherence to required levels of security. Since the start of 2006/07, 12 onsite vendor security audits have been completed and over 50 vendor security relationship management visits have taken place. These have enabled the identification of common non-compliances, typically relating to:

  • gaps in physical perimeter controls;
  • lack of effective logical and physical access log analysis (including analysis of anomalous behaviour as well as failed access attempts);
  • sharing of logon credentials;
  • incomplete personnel recruitment background vetting checks.

Standard responses, advice and awareness programmes, plus, where necessary, sanctions and penalties, can now be applied to address these.

7. Future work

Within the BT security community, further work is planned to evolve approaches and introduce greater agility to solution design, stakeholder engagement and the integration of internal and external compliance and audit regimes. All these activities will build upon the end-to-end risk management approach with the aim of making BT's processes and platforms more secure and robust. An initial focus is being taken on expanding the mitigation control sheet approach to platform-based architectures and harmonising BT Group-wide audits and vendor in-life management processes. Further challenges include:

  • developing efficient and effective engagement with teams using more aggressive agile delivery methods;
  • addressing additional data quality issues that impact on security risk assessments (for example maintaining system and data ownership records);
  • developing the internally-facing DDQ and mitigation control sheet audit process;
  • addressing server and application virtualisation issues.

In the longer term, global sourcing environments will continue to change and so must the focus on risks and compliance priorities; sometimes the shift in risks and priorities will not be obvious. It will be necessary to ensure that the ownership, accountability and maintenance of key information security controls, authorisation processes, protective monitoring and audit trails remain clear and appropriate. Effective global sourcing security and governance will become a key business success factor.


  1. Freeman, E, 9/07, Strategic Risk, Benefits without risk?Top
  2. Copeman, S 10/07, Strategic Risk, Risk without FrontiersTop
  3. Muir, D, 13/10/06, Computer Weekly, Why, when and how to outsourceTop
  4. ISO/IEC, 2005, ISO/IEC27001: International Standard for Information Security Management System.Top
  5. BSI, 2004, BS7858: Code of practice: Security screening of individuals employed in a security environment.Top
  6. PCI DSS, 2007, Payment Card Industry Data Security Standard:
  7. UK Critical National Infrastructure (CNI), 2007,
  8. CPNI, 2/8/06, Good Practice Guide Outsourcing: Security Governance Framework for IT Managed Service Provision,Top
  9. GCHQ/CESG, 02/07, UK Government's Infosec Standard No. 1: Residual Risk Assessment Method (IS1)Top
  10. Colwill, C et al, 2001, BT Technology Journal Vol. 19, No. 3, Information AssuranceTop
  11. Centre for the Protection of National Infrastructure (CPNI)
  12. BT Agile, 1/11/06, Agile Coaching in BT
  13. The Agile Manifesto http://www.agilemanifesto.orgTop
  14. Colwill, C & Gray, A, 2007, BT Technology Journal Vol. 25 No. 1, Creating an Effective Security Risk Model for Outsourcing Decisions,Top
  15. BBC, 20/11/07, UK's families put on fraud alert
  16. Rose, D., The Times, 24/12/07, More personal data lost as nine NHS trusts admit security breaches
  17. Privacy and Data Protection, 14/2/07, UK Bank Fined £ 1m for data security breach
  18. The Times, 17/12/07, Norwich Union fined record $1.26m over fraud risk
    banking_and_finance/article3062076.ece  Top
  19. Privacy and Data Protection, 7/2/07, Breaching DPA now carries 2 years jail time
  20. The Institute of Risk Management, 2002, A Risk Management Standard
  21. Sharma, A., Accountancy Age, 14/2/08, Mind your own business,
    20080214/ACCAGE0020080215e42e00005_FT.jsp  Top


Copyright © British Telecommunications plc, 2008. All rights reserved. BT maintains that all reasonable care and skill has been used in the compilation of this publication. However, BT shall not be under any liability for loss or damage (including consequential loss) whatsoever or howsoever arising as a result of the use of this publication by the reader, his servants, Actors or any third party. All third-party trademarks are hereby acknowledged.

« Previous | home | Next »