Examining The Business Function Of Outsourcing Information Technology Essay
Outsourcing is “the contracting out of a business function to an external provider.” In other words, two companies enter into an agreement to exchange services. One type of outsourcing is called “offshoring” or “offshore outsourcing,” which means outsourcing at the international level.
There are many reasons for outsourcing. These include, for example:
• Cost savings: reducing and restructuring the overall cost, scope and quality levels.
• Focusing on core business: for example, when companies outsource IT support.
• Improving quality: upgrading the level of service by outsourcing to more professional parties.
• Tax benefit: lower taxes when work is given to outside parties.
• Creating leisure time: giving individuals and organisations more free time by handing work to other parties.
• Operational expertise: the outsourcing company benefits from external experience in the field that may not be available in-house.
• Access to talent: linked to the previous benefit, by gaining more skilled manpower in many fields.
In the outsourcing process, an RFP (Request For Proposal) is a written document by which the organization invites suppliers to bid to provide a certain product or service. This initial stage is very important because it identifies risks and benefits. At a later stage, the contract is awarded to the supplier who provides the best bid.
The outsourcing process follows definite steps that range from planning to implementation and management. These include “feasibility study; detailed analysis of requirements; design, building and implementing the relationship; on-going operation of the relationship; and expiration of the relationship.”
The exit strategy is the plan by which the organization can withdraw from the arrangement if it turns critical. Under this strategy, the organization withdraws from its commitments, usually at some additional cost.
Other names for exit strategy include exit plan or strategic withdrawal. In the general business sense it is a transfer of ownership of the property in order to recover the capital invested.
Posted by Fahim Alzaabi at 10:25 AM 0 comments Email This BlogThis! Share to Twitter Share to Facebook Share to Google Buzz
Sunday, October 10, 2010
Task Nine: Physical Security
Reflection on Understanding
It was really a great section to read. I never thought this aspect of information security was that important. However, after reading chapter 9, I came to recognize the significance of physical security in the field of information security. Things that we consider trivial may actually be very sensitive and may cost billions of dollars. Just as it is important to protect the software inside the computer, it is equally vital to protect the hardware that holds that software. In other words, to protect any content, the first priority is to protect the container that holds it.
Question Number 1: How safe is the data on your computer, especially if your computer is lost or stolen?
As clarified in the chapter, data is at risk if the computer is lost or stolen: whoever holds the hardware can read the disk directly, bypassing the operating system logon. Hence, it is important to make sure that the data there cannot be read without a secret the thief does not have.
In this aspect, it is important to recognize that the password protection offered by Word, Excel and WinZip is not sufficient on its own. So one has to use a stronger protective tool so that his files cannot be accessed if his computer gets stolen.
I think the best method for securing data on a computer in case it gets lost or stolen is encryption. One widely used tool for this is the free open-source tool TrueCrypt. It creates virtual encrypted drives whose contents cannot feasibly be recovered without the passphrase, and it works with any file and any application. Two caveats apply: the passphrase becomes the weakest link, so it must be long and not guessable; and encryption only protects data at rest, so a laptop stolen while powered on with the volume mounted is still exposed. So one has to make sure that sensitive data is encrypted with TrueCrypt or a similar tool, and that the volume is dismounted or the machine shut down when unattended.
Question Number 2: If you were working for a large multinational business or government department, what measures do think might be in place to mitigate the risks of physical theft or loss??
I think there are certain procedures that should be in place to mitigate the risks of physical theft or loss in a large multinational business or government department:
1- Physical security: protecting the actual physical items. Computers and laptops should be chained to an immovable object, such as a desk or permanent fixture.
2- Information security: protecting the data stored on the computer. This includes passwords on the computers so that only authorized personnel can access them, and encryption so that the data stays unreadable if the device is lost.
3- Network security: the networks the computer is attached to. For example, every computer must have an antivirus program installed and a firewall turned on. Remote access over a VPN must require authentication so that only authorized people can reach the network.
Posted by Fahim Alzaabi at 6:11 PM
Sunday, September 12, 2010
Task Eight: Summary of Chapters 6, 7 and 8
Question Number 1. Which architecture for deploying a firewall is most commonly used in businesses today? Why?
A firewall is “a security system consisting of a combination of hardware and software that limits the exposure of a computer or computer network to attack from crackers; commonly used on local area networks that are connected to the internet.”
Firewall devices can be configured in a number of network connection architectures. There are four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed host firewalls and screened subnet firewalls.
Generally speaking, the selection of an architecture depends on three factors: the objectives of the network, the organization’s ability to develop and implement the architecture, and the budget available for the function. However, the most common architectural implementation used in organizations nowadays is the screened subnet firewall.
This kind of firewall architecture is preferred for its high level of security. Screened subnet firewalls provide a DMZ (demilitarized zone). The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be a separate screened subnet.
The screened subnet usually consists of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network. Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the DMZ. At the same time, connections into the trusted internal network are allowed only from the DMZ bastion host servers, never directly from the outside.
In this way, the screened subnet functions as an entire network that performs two functions. First, it protects the DMZ systems and information from outside threats by providing a network of intermediate security. Second, it protects the internal networks by limiting how external connections can gain access to internal systems: even a compromised bastion host still faces the inner filter. At the same time, DMZs can host extranets, segments of the DMZ where additional authentication and authorization controls are put in place to provide services that are not available to the general public.
For all these reasons, the screened subnet firewall is the dominant architecture used today.
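The two-filter policy described above, written out as an added example that is not part of the original post: a small Python model of a screened subnet with an outer filter (outside may reach only published bastion services) and an inner filter (only named bastions may reach named internal services). The address plan, host names and ports are hypothetical, taken from the RFC 5737 documentation ranges and a private 10/8 block.

```python
"""Screened-subnet (DMZ) policy model: which new connections the two filters allow.

Added, constructed example: the address plan, host names and ports are hypothetical,
chosen from the RFC 5737 documentation ranges and a private 10/8 block.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan. Anything outside these two networks is 'outside'.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")     # screened subnet behind the outer router
INSIDE_NET = ipaddress.ip_network("10.10.0.0/16")  # trusted internal network

# Bastion hosts in the DMZ and the internal servers they are permitted to reach.
BASTION_WEB = ipaddress.ip_address("192.0.2.10")
BASTION_MAIL = ipaddress.ip_address("192.0.2.25")
INTERNAL_DB = ipaddress.ip_address("10.10.5.20")
INTERNAL_MAIL = ipaddress.ip_address("10.10.5.25")


@dataclass(frozen=True)
class Flow:
    """The first packet of a new TCP connection, as the filters see it."""
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INSIDE_NET:
        return "inside"
    return "outside"


# Outer filter (packet-filtering router): outside may reach only the published
# bastion services in the DMZ. No rule exists for outside -> inside at all.
def outside_to_dmz(f: Flow) -> bool:
    published = {(BASTION_WEB, 80), (BASTION_WEB, 443), (BASTION_MAIL, 25)}
    return (ipaddress.ip_address(f.dst), f.dport) in published


# Inner filter: only the bastions, and only to the specific internal services
# they need. A compromised non-bastion DMZ host gets nothing.
def dmz_to_inside(f: Flow) -> bool:
    allowed = {
        (BASTION_WEB, INTERNAL_DB, 5432),
        (BASTION_MAIL, INTERNAL_MAIL, 25),
    }
    return (ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst), f.dport) in allowed


def inside_to_outside(f: Flow) -> bool:
    return f.dport in (80, 443, 25)  # egress limited to web and mail


POLICY = {
    ("outside", "dmz"): outside_to_dmz,
    ("dmz", "inside"): dmz_to_inside,
    ("inside", "dmz"): lambda f: True,  # trusted side may manage the DMZ hosts
    ("inside", "outside"): inside_to_outside,
    # ("outside", "inside") and ("dmz", "outside") are deliberately absent:
    # the default-deny in decide() drops them.
}


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a new connection; anything unmatched is dropped."""
    rule = POLICY.get((zone_of(flow.src), zone_of(flow.dst)))
    return "accept" if rule is not None and rule(flow) else "drop"


if __name__ == "__main__":
    samples = [
        Flow("198.51.100.7", "192.0.2.10", 443),   # internet -> web bastion: accept
        Flow("198.51.100.7", "10.10.5.20", 5432),  # internet -> internal DB: drop
        Flow("192.0.2.10", "10.10.5.20", 5432),    # web bastion -> DB: accept
        Flow("192.0.2.99", "10.10.5.20", 5432),    # other DMZ host -> DB: drop
    ]
    for s in samples:
        print(f"{s.src:>14} -> {s.dst}:{s.dport:<5} {decide(s)}")
```

The point of the model is the pair of absences: there is no outside-to-inside rule at all, and the inner filter keys on the bastion's source address and the exact internal port, so an attacker who takes over any other DMZ host, or the web bastion itself on a port other than the database port, is still dropped by default.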
Question Number 2. What are the reasons that VPN technology has become the dominant method for remote workers to connect to the organizational network?
As the Internet has become more widespread in recent years, other options for remote connections, such as Virtual Private Networks (VPNs), have become more popular. A VPN is a private and secure network connection between systems that uses the data communication capability of an unsecured, public network.
VPNs have become the dominant method for remote connection for many reasons. In general, they securely extend an organization’s internal network connections to remote locations beyond the trusted network. The VPNC (VPN Consortium) defines three VPN technologies. First, a trusted VPN, or legacy VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits. Second, a secure VPN uses security protocols and encrypts traffic transmitted across unsecured public networks like the Internet. Third, a hybrid VPN combines the two, providing encrypted transmissions (as in a secure VPN) over some or all of a trusted VPN network.
Moreover, VPNs usually maintain the following:
– Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network as well as be usable by the server network environment.
– Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
– Authentication of the remote computer and, perhaps, the remote user. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
Question Number 3. Will biometrics involve encryption? How are biometric technologies dependent on the use of cryptography?
Biometrics is the process of using body measurements for identification. These include fingerprints, palm prints, hand geometry, facial recognition, retinal prints, and iris pattern comparison. Among all possible biometrics, only three human characteristics are usually considered truly unique: fingerprints, the retina of the eye and the iris of the eye.
Encryption is a mathematical process that disguises the information contained in messages that are either transmitted or stored in a database. Most of the technologies that scan human characteristics convert the image to some form of minutiae, unique points of reference that are digitized and stored in an encrypted format when the user’s system access credentials are created.
Biometric encryption is the process of using a characteristic of the body as the means to code or scramble/descramble data. Since body characteristics are unique to each individual, biometrics are seen as an answer to theft and fraud, particularly in commerce over the internet.
Encryption is very important with biometrics. As one industry expert put it, “Unless criminals are going to start cutting off people’s fingers to gain access to their accounts, biometric encryption is an excellent method for controlling access to those who should have it.”
Biometrics makes the individual bits of a template unreliable: two scans of the same finger or iris never match exactly, so only an approximate match against a stored template can be expected. Conversely, cryptography demands exactness in keys; a key that is off by a single bit makes the protocol fail. Hence, the two must be combined carefully, for example by using an error-correcting code so that slightly different scans of the same person yield exactly the same key, to achieve the reliability and protection that biometrics alone will not provide.
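The mismatch between noisy templates and exact keys, and one standard way to bridge it, as an added example that is not part of the original post: a Python sketch of a fuzzy commitment scheme. It shows that a plain hash comparison fails on a scan with a few flipped bits while a Hamming-distance threshold accepts it, then binds a 16-bit key to the template through a repetition code so that a fresh noisy scan releases exactly the same key and a scan with too many errors releases nothing. The template is a constructed bit string standing in for an iris code; real schemes use stronger codes such as BCH with the same structure, and the claim that the helper data alone reveals nothing holds only in the idealised model where templates are uniformly random.

```python
"""Fuzzy commitment: bind a cryptographic key to a noisy biometric template.

Added, constructed example. The 'template' is a fixed bit list derived from a
hash so the run is repeatable; no real biometric data. A repetition code is used
as the error-correcting code so the mechanism is easy to follow.
"""
import hashlib

KEY_BITS = 16                  # length of the secret bound to the template
REPEAT = 7                     # each key bit repeated 7 times: tolerates 3 errors per chunk
TEMPLATE_BITS = KEY_BITS * REPEAT


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Plain cryptographic comparison: one flipped bit changes the whole digest.
def exact_match(stored, probe):
    return (hashlib.sha256(bits_to_bytes(stored)).digest()
            == hashlib.sha256(bits_to_bytes(probe)).digest())


# Biometric-style comparison: accept if the templates are 'close enough'.
def threshold_match(stored, probe, max_distance):
    return hamming(stored, probe) <= max_distance


def encode(key_bits):
    """Repetition code: each key bit becomes REPEAT copies."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority vote per chunk; survives up to REPEAT // 2 flipped bits in each chunk."""
    return [int(sum(codeword[i:i + REPEAT]) * 2 > REPEAT)
            for i in range(0, len(codeword), REPEAT)]


def enroll(template, key_bits):
    """Return public helper data and a hash of the key (the key itself is not stored)."""
    helper = [t ^ c for t, c in zip(template, encode(key_bits))]
    key_hash = hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()
    return helper, key_hash


def release_key(probe, helper, key_hash):
    """Recover the key from a fresh, noisy template; None if the scan is too far off."""
    noisy_codeword = [p ^ h for p, h in zip(probe, helper)]   # = codeword XOR scan errors
    key_bits = decode(noisy_codeword)
    if hashlib.sha256(bits_to_bytes(key_bits)).hexdigest() != key_hash:
        return None
    return key_bits


# Constructed stand-in for an enrolled iris code (deterministic, not a real scan).
TEMPLATE = [b & 1 for b in hashlib.sha256(b"constructed iris code").digest() * 4][:TEMPLATE_BITS]
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]


def demo():
    helper, key_hash = enroll(TEMPLATE, KEY)
    good_scan = flip(TEMPLATE, [0, 8, 20, 21, 45, 100])   # 6 errors, each in a different chunk
    bad_scan = flip(TEMPLATE, [0, 1, 2, 3, 50])           # 4 errors in chunk 0: beyond tolerance
    return {
        "exact_fails_on_good_scan": not exact_match(TEMPLATE, good_scan),
        "threshold_accepts_good_scan": threshold_match(TEMPLATE, good_scan, 10),
        "key_from_good_scan": release_key(good_scan, helper, key_hash),
        "key_from_bad_scan": release_key(bad_scan, helper, key_hash),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the helper data and the key hash are stored; the released key is what would then be used with ordinary cryptography (to unlock a credential store, sign a challenge, and so on), which is how the exact-match requirement of the cipher is met from an inexact measurement.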
http://www.emory.edu/BUSINESS/et/biometric/Biometrics.htm retrieved on Sep. 12th, 2010.
http://www.google.com/search?hl=en&rlz=1W1SKPB_en&defl=en&q=define:firewall&sa=X&ei=Y3KNTJuPFMKBlAflnYhg&ved=0CBIQkAE retrieved on Sep. 12th, 2010.
Posted by Fahim Alzaabi at 10:56 PM
Friday, September 3, 2010
Task Seven: Planning for Security
Question Number 1: Incident classification is based on the judgment of the information security professionals involved. How would you determine if any given circumstance is business as usual, an incident, or a disaster?
A new situation is considered an incident if it is directed against information assets, has a realistic chance of success, and “poses a clear threat to the confidentiality, integrity, or availability of information resources.” An event that lacks one of these qualities, for example a scan that cannot succeed against the systems it touches, is treated as business as usual.
There are a number of indicators of an incident, grouped by how strongly they point to one.
Possible indicators:
1- Presence of unfamiliar files.
2- Presence or execution of unknown programs or processes.
3- Unusual consumption of computing resources.
4- Unusual system crashes.
Probable indicators:
1- Activities at unexpected times.
2- Presence of new accounts.
In the meantime, there are definite indicators which show for certain that a real incident exists:
1- Use of dormant accounts.
2- Changes to logs.
3- Presence of hacker tools.
4- Notification from a partner or peer.
5- Notification from the hacker.
Finally, there are predefined situations that automatically signal an incident, regardless of other evidence:
1- Loss of availability.
2- Loss of integrity.
3- Loss of confidentiality.
4- Violation of policy.
5- Violation of law.
An incident becomes a disaster in the following cases:
1- When the organization is unable to mitigate the impact of the incident when it occurs.
2- When the level of damage or destruction is so severe that the organization is unable to recover quickly.
The difference may be subtle. It is up to the organization to decide, in advance, which incidents are to be classified as disasters and thus receive the appropriate level of response.
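The indicator categories above, turned into triage logic and run over sample log lines, as an added example that is not part of the original post. The log lines, host name, account names, business hours and load threshold are all constructed for the example; the rules only recognise the possible, probable and definite indicators listed, and the batch is labelled by the strongest indicator found. The incident-versus-disaster call stays with the organization, as the text says, and is not something log rules can make.

```python
"""Triage of log lines against possible, probable and definite incident indicators.

Added, constructed example: the log lines, host, accounts and thresholds are
hypothetical. The final call, and the incident-versus-disaster decision, remain
the analyst's.
"""
import re

# Constructed syslog-style lines from a hypothetical web server.
SAMPLE_LOGS = [
    "2010-09-03T02:14:07 web01 sshd[4021]: Accepted password for svc_legacy from 203.0.113.8 port 51022 ssh2",
    "2010-09-03T02:15:31 web01 useradd[4050]: new user: name=support2, UID=1007, GID=1007, home=/home/support2",
    "2010-09-03T02:16:02 web01 monitor[77]: load average: 14.20 on 2 cpus",
    "2010-09-03T02:17:45 web01 auditd[512]: /var/log/auth.log truncated by pid 4077",
    "2010-09-03T09:00:12 web01 sshd[4101]: Accepted publickey for alice from 10.10.1.5 port 40112 ssh2",
]
BENIGN_LOGS = [
    "2010-09-03T09:00:12 web01 sshd[4101]: Accepted publickey for alice from 10.10.1.5 port 40112 ssh2",
    "2010-09-03T10:00:01 web01 CRON[4200]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
]

DORMANT_ACCOUNTS = {"svc_legacy"}      # hypothetical: no logins in the last 90 days
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
LOAD_THRESHOLD = 8.0

LINE_RE = re.compile(r"^\S+T(?P<hour>\d{2}):\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from")
LOAD_RE = re.compile(r"load average: (?P<load>\d+(?:\.\d+)?)")

# (level, indicator, pattern) for indicators recognisable from a single line.
PATTERNS = [
    ("definite", "changes to logs", re.compile(r"/var/log/\S+ (truncated|cleared|deleted)")),
    ("definite", "presence of hacker tools", re.compile(r"\b(nmap|mimikatz|hydra|netcat)\b")),
    ("definite", "notification from partner or peer", re.compile(r"abuse report received")),
    ("probable", "presence of new accounts", re.compile(r"useradd\[\d+\]: new user")),
    ("possible", "unfamiliar files", re.compile(r"created /tmp/\.\S+")),
    ("possible", "unusual system crashes", re.compile(r"segfault|kernel panic")),
]

LEVEL_ORDER = {"definite": 3, "probable": 2, "possible": 1}


def findings_for(line):
    """Return a list of (level, indicator) hits for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    hour, msg = int(m.group("hour")), m.group("msg")
    hits = [(lvl, name) for lvl, name, pat in PATTERNS if pat.search(msg)]

    # Indicators that need context beyond the line's text: account state and time of day.
    login = LOGIN_RE.search(msg)
    if login:
        if login.group("user") in DORMANT_ACCOUNTS:
            hits.append(("definite", "use of dormant accounts"))
        if hour not in BUSINESS_HOURS:
            hits.append(("probable", "activities at unexpected times"))

    load = LOAD_RE.search(msg)
    if load and float(load.group("load")) > LOAD_THRESHOLD:
        hits.append(("possible", "unusual consumption of computing resources"))
    return hits


def classify(lines):
    """Roll the individual hits up to one triage label for the batch."""
    hits = [h for line in lines for h in findings_for(line)]
    top = max((LEVEL_ORDER[lvl] for lvl, _ in hits), default=0)
    label = {3: "incident", 2: "probable incident", 1: "possible incident"}.get(top, "business as usual")
    return label, hits


if __name__ == "__main__":
    for name, logs in (("suspicious batch", SAMPLE_LOGS), ("benign batch", BENIGN_LOGS)):
        label, hits = classify(logs)
        print(f"{name}: {label}")
        for lvl, indicator in hits:
            print(f"  [{lvl}] {indicator}")
```

On the constructed batch the dormant-account login and the truncated auth log are each enough on their own to make the call "incident"; the off-hours login, the new account and the load spike only corroborate it. Patterns like these are a starting point for an incident response plan's detection criteria, not a replacement for the analyst's judgment that the text says the classification rests on.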
Question Number 2: It’s often said that information security begins with solid policy. Why is this so?
A policy is “a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.” It is important that information security begins with solid policy for many reasons. First, policies are considered as the basis for all information security planning, design, and deployment. Second, policies direct how issues should be addressed and how technologies should be used. Third, policy guides personnel to function in a manner that will add to the security of its information assets. Fourth and finally, policy sets the strategic direction, scope, and tone for all security efforts within the organization.
Question Number 3 - Keeping policy current is critical. How do you think policy needs to be updated to accommodate current events? Give examples where possible.
It is known that security policies are the least expensive control to execute but the most difficult to implement properly. For a policy, and any update to it, to be enforceable, it must be properly disseminated, read, understood, and agreed upon by all members of the organization. Professionals should also make sure that an issue-specific policy addresses specific areas of technology and contains a statement of the organization’s position on the issue.
In addition, an issue-specific security policy (ISSP) can be structured in three basic ways, and the structure chosen determines how easily it can be updated:
1- Creating a number of independent ISSP documents, each tailored to a specific issue.
2- Creating a single comprehensive ISSP document that covers all issues.
3- Creating a modular ISSP document that unifies policy creation and administration while maintaining each issue’s requirements; this is the recommended approach, since an update to one issue touches only its module.
Question Number 4 - Read the UB Information Security Policy (http://policy.ballarat.edu.au/information_technology/it/ch02.php). What are your impressions of it? Is it up-to-date? Is it sufficiently ‘solid’?
In general, the information security policy of UB seems sound and solid. It clearly defines its purpose and scope. In addition, it gives a list of definitions of the major concepts included. The policy statement is also detailed and contains ample description of all parties, including staff and student security, acceptable usage and logical security, in addition to other essential information. It is also important that the policy includes information about the legislative context, the source being the Victorian Information Privacy Act 2000.
However, there seems to be something important lacking in the policy: information about how it is updated. It is agreed that all policies need to be regularly updated to accommodate changes in circumstances. However, the UB policy does not include any guidelines or procedures for this updating. I believe that for the policy to be complete it has to include a section on the means of updating it so that it remains applicable in all circumstances.
Posted by Fahim Alzaabi at 12:45 AM
Sunday, August 29, 2010
Task Six: Risk Management
Reflection on Learning (Difficulty):
I really found this topic to be the most beneficial for me so far. However, there were certain issues that were hard for me to grasp. The most important of these is threat identification versus vulnerability identification. I could not figure out whether they are two terms for the same process or two distinct processes. It seemed to me that vulnerability identification is an umbrella term that covers threat identification. However, I am still not sure about that. I hope I will reach a level of understanding through further reading.
Question Number 1. What is the best value that should be assessed when evaluating the worth of an information asset to the organization: replacement cost, or lost income while repairing or replacing?
I believe that the best value to assess when evaluating the worth of an information asset is the replacement cost. This is not to say that lost income is insignificant. However, when faced with such a situation, replacement cost takes precedence over lost income. This is because lost income can be compensated for in other ways and through other assets. In addition, the replacement cost may be much lower than the lost income, and in that case the cheaper figure leads to more revenue. On the other hand, if we consider the lost income without the replacement cost, the feasibility study will definitely be affected and a loss will ensue.
Note: I read an online article that gives a good view of replacement cost. It is entitled “The Replacement Cost Claim: It’s Just like any Others or Is it”, available at http://www.nfa.com/article-2.html
Question Number 2. What is the likelihood value of a vulnerability that no longer must be considered?
The likelihood value of a vulnerability that no longer needs to be considered is 0, and the entry is removed from the assessment. This follows from how the risk assessment process works: each vulnerability is assigned a numeric likelihood that it will be successfully exploited, with working values ranging from 0.1 (very unlikely) up to 1.0 (almost certain). A vulnerability that has been eliminated, for example by a control that removes the exposure entirely, has no remaining likelihood, so it is given 0 and dropped rather than carried on the worksheet with a small value.
Question Number 3. In what instances is baselining or benchmarking superior to cost benefit analysis?
First, one has to distinguish between baselining and benchmarking. Benchmarking is the “process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate.” Baselining, on the other hand, is “the analysis of measures against established standards.”
Cost benefit analysis (CBA) helps companies determine whether or not an information asset is worth protecting. It also helps them assess the cost of implementing sufficient controls to protect the organization from threats and vulnerabilities. Cost benefit analysis generates much benefit in this regard. However, by virtue of their definitions, baselining and benchmarking are more beneficial than cost benefit analysis in other cases, namely when an organization aims to compare its performance to that of other companies. Hence, they are more appropriate for identifying strategic areas of opportunity than for establishing the financial value of information.
Question Number 4. How can we find out what an organization’s risk appetite is? Why is this important?
Risk appetite can be defined as ‘the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility’. It is very important to assess the organization’s risk appetite for many reasons. First, each organization has its own points of weakness that differ from those of other organizations, so it is impossible to give one general statement of risk appetite for all organizations. Second, evaluating the risk appetite helps in the process of risk management and control, because the organization can assess its defensive techniques and employ them to best effect. In addition, assessing the risk appetite of an organization helps it put proper security measures in place according to the financial, physical and other conditions governing the organization.
Suggested reference: http://www.youtube.com/watch?v=MUQzEJ82TrQ
The above is a YouTube video that gives fundamental information about information risk management.
Posted by Fahim Alzaabi at 6:21 AM
Monday, August 16, 2010
Task Five: Legal, Ethical and Professional Issues
Legal, Ethical and Professional Issues in Information Security
Question Number 1: Research Process and Most important Resources
As the question requires, my research process was essentially online. I googled different key terms such as “Australian Computer Law”, “Information Security in Australia” and other terms. I was directed to different sites dealing with these issues. However, some of them were rather general and provided broad information about the general legal arena in Australia, which was of no benefit to my research.
This led me to narrow down my research parameters. I looked for sources that would provide me with information about particular topics pertaining to my research, such as copyright, spy laws and privacy laws. The information I found was valuable, but I liked the above-mentioned article most. That is because this article provides the information in a very concise and organized manner. What I liked about this source is that it provides some headlines about the issue and refers the reader to a more encyclopedic source that contains more information if needed. This has two advantages. First, the reader who is not interested in the details does not have to read redundant data that he does not need. Second, the reader who needs more information may go to the resources indicated and enrich his knowledge.
Another source I liked was the Australian Copyright Council’s Online Information Centre. The Australian Copyright Council is an independent non-profit organisation that provides information, advocacy and advice on copyright. It also provides training on copyright in Australia and produces publications and research on copyright policy issues. The site contains sheets, articles, and books about issues regarding copyright.
Question Number 2: Disparity of Law and Implications
There are definitely many differences between Australian local laws and international laws. However, I would not call this phenomenon a disparity. These differences are normal modifications of laws that each country undertakes in a way that suits its interests. However, one statement of truth should be made in this regard, which is that the Australian local laws are more detailed and a little bit harsh. Again, this is intended as neither a compliment nor a criticism. Rather, as mentioned above, this is part of the natural differences between countries. The article in the link provided in the question shows a manifestation of these differences and of the strictness of Australian law when it comes to computer crimes. Australian authorities would not consider the accused person’s state of health and would apply the law by extraditing him.
Question Number 3: Personal View on Extradition
Well, I think that this issue is purely legal. It is even outside the terrain of computer security. It is an essentially legal issue that applies in more general terms. Some countries have agreements among them to extradite criminals. This should be applied in all cases, however great the humane aspect. So the mental state of the accused party in this case should not be a reason for not extraditing him as long as the law says so. Otherwise, chaos prevails. In this respect one should not forget the case of Lockerbie, when Tripoli refused to extradite the accused person and hence a long period of political struggle ensued.
Electronic Frontiers Australia. “Privacy Laws in Australia.” Retrieved from http://www.efa.org.au/privacy/ on August 12th, 2010.
Australian Copyright Council Online Information. http://www.copyright.org.au/. Retrieved on August 12th, 2010.
Posted by Fahim Alzaabi at 11:03 PM
Saturday, August 7, 2010
Task Four: The Need for Security
Section 2 Overview
The Need for Security
((information security is primarily an issue of management, not technology. Best practices apply technology only after considering the business needs))
Reflection of Learning
I consider the things I learnt from this chapter highly valuable. Planning is very important at the organizational level if a satisfactory level of security is to be attained. In addition, the components of organizational planning as well as the components of an information security system (Whitman & Mattord, 2004) were clearly set out so that their significance within the organizational planning scheme is realized. It is greatly vital to clearly state the vision, mission, values and strategy of the organization and then implement them to the utmost. Without this, the organization will never reach the needed level of information security.
What I also found beneficial is the clear outline of the tasks of the chief information security officer in relation to strategic planning, in addition to the delineation of the job description of the information security department manager. This information will definitely reflect on my future career and help me foster it.
Question Number 1 – virus
One day I got a link on Facebook from a friend. I clicked it, and a strange website appeared. I did not take much notice of it. However, the computer started acting up after that. First, I noticed that Internet Explorer could not open more than 3 tabs at a time. After that, Internet Explorer would not work at all, except that it still allowed me to use MSN. Gradually, I became unable to use MSN either. I realized that it was a virus; however, the antivirus (Norton) could not detect the problem or fix it. I became more worried as I realized that hackers might get into my computer, and I spent a hard time trying to find a solution.
Question Number 2 – protect my computer
I checked with my family, relatives and friends; no one could help me with that. Ultimately, I took the computer to a computer technician, who inspected it. He recommended installing Malwarebytes Malware Remover. However, I did not have the money to buy it. At last, a friend of mine told me that it was available online at http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. I downloaded it in minutes, installed it, and it worked. After that, the problem ended completely. I was able to use the internet again to its full extent.
Question Number 3 – Article
The Department of Land and Survey was asked by the E-Government to uninstall its centralized antivirus system and install a new centralized one that would serve the head office as well as all the branches. The Department did as it was asked. However, ever since the new antivirus was installed, problems started to happen. First of all, all branches, in addition to the head office, reported severe cases of viruses and worms. In addition, and as a result, internet access in all branches became very slow; it seems the computers were busy dealing with the viruses and back doors. More dangerously, there were many reports of the Department’s systems being accessed, hacked and changed by several parties.
The Department decided to contact the government to inform it of the severe results of the change in the antivirus system. However, the government did not take the issue seriously and only recommended modifications to the system. This was of course unattainable and unsuccessful in resolving the problem, so the Department decided to take unilateral action.
The head office instructed the IT unit to uninstall the newly installed antivirus and reinstall the old one. The IT unit did so, but it was not an easy task. In addition to changing the antivirus system in the head office and in all the branches, the IT experts had to deal with the problems caused by the previous antivirus in both the head office and the branches. IT technicians had to travel all over the country where the branches were scattered. In addition to the costs of travelling, the costs of treating the problems were very high, not to mention the great amount of time spent on this issue at the expense of other vital issues. It took them more than two months to deal with all of this until the issue was ultimately solved (Department of Land and Survey, 2006).