建立一个安全有效的风险模型进行外包决策外文翻译.doc
《建立一个安全有效的风险模型进行外包决策外文翻译.doc》由会员分享,可在线阅读,更多相关《建立一个安全有效的风险模型进行外包决策外文翻译.doc(13页珍藏版)》请在沃文网上搜索。
1、 本科毕业论文(设计)外 文 翻 译原文:Creating an effective security risk model for outsourcing decisionsBT has substantial experience of outsourcing and off-shoring, particularly to Indian companies, and supplier engagement processes are well established . BT outsources information and communications technologies (
2、ICT) work to a combination of strategic and tactical suppliers. A common contractual framework has been implemented for strategic partners since 2003 and this includes a comprehensive set of baseline security requirements that can be enhanced to appropriate levels, depending on the nature of the inf
3、ormation assets concerned. BT has redefined offshore outsourcing from being a tactical means of reducing operational costs, into a strategic tool for business transformation. This has resulted in a significant increase in the outsourcing and offshoring of ICT development, maintenance, support and co
4、ntact centre activities. At the same time, customers and stakeholders are becoming aware of their increasing reliance on electronic information and the risks posed by not just malicious acts, but also accidental exposure.Outsourcing and offshoring presents a more complex picture for conducting secur
5、ity risk assessments and the outcomes may have a major impact on operational and business decisions. BT has therefore reviewed its approaches to security risk management to ensure that outsourcing assessments are built into the new dynamic environment in which ICT programmes exist. This paper detail
6、s the evolution of processes to meet these new needs. Specific models, tools and techniques have been developed to ensure that effective and timely engagement with stakeholders occurs, that risks and requirements are identified and communicated, and that risk mitigation and management strategies are
7、 implemented within appropriate compliance and governance frameworks. The approach used by BT is based on HMGs Infosec Standard No 1: Residual Risk Assessment Method (IS1) .Security issues and risks are likely to change when sourcing outside your own organisation even if within your own country. Com
8、plexity will increase when offshoring to third parties based in countries that have different political, economic and cultural environments. Security assessments must therefore be augmented to address these changes and the associated legal, regulatory and contractual requirements. Many offshore envi
9、ronments will not have privacy laws equivalent to those mandated within the European Union (EU). The UK Information Commissioners Office (ICO) has found it necessary to highlight that outsourcing data processing to foreign suppliers does not absolve companies from protecting the data once it passes
10、to a third party and that UK companies will still be liable for breaches . Other compliance factors also come into play BT, for example, is listed on the US Stock Exchange and must therefore adhere to Sarbanes-Oxley requirements for outsourcing systems. In general, customer requirements are becoming
11、 more specific and varied and some may include no offshoring clauses.BTs prominent position within the ICT market makes it a target for threat agents seeking to cause disruption to its operational capability, to compromise the integrity of critical data or to steal information. BT is a core componen
12、t of the UK Critical National Infrastructure (CNI) , a position that brings with it specific security responsibilities and the need to consider a wide range of stakeholders. Threat agents seeking to attack information or other assets belonging to UK CNI companies may find that they are able to opera
13、te more easily in some overseas countries where levels of protection are lower. Insider threats to information assets are well recognised. However, the use of outsourcing and off-shoring services can blur the distinction between a companys employees and third party personnel and great care must be t
14、aken to ensure that physical and logical access controls remain effective in a changing and flexible environment. Stakeholder concerns regarding successful attacks on information are increasing, partly driven by reports about the abuse of personal data through fraud and identity theft within outsour
15、cing companies .Activities and functions outsourced to third parties will vary, for example, some companies will specialise in software development while others will specialise in operational support, and it is possible that a number of third parties will be providing services for the same ICT produ
16、ct. The nature of the contract will usually determine the type of access profiles that third party personnel will have to BT and customer information, e.g. powerful root access for support functions versus standard user access for helpdesk activity. In all cases, it is recommended that information s
17、ecurity requirements are decomposed into the specific subjects of confidentiality, integrity and availability and to consider these from the system life cycle stages covered by the outsource contract (e.g. requirements capture, design, development, test, operate and shut-down). This will create the
18、granularity needed to identify specific levels of security for different life cycle stages or contracts, e.g. application development using dummy data may require lower levels of security than operational stages accessing live customer data. It is also important to address security throughout the co
19、ntract life cycle as well, i.e. through to contract termination and the UK national infrastructure security co-ordination centre (NISCC) has issued guidelines to facilitate this . One-off security assessments are insufficient and planned life cycle and contract changes over time provide an effective
20、 trigger for risk management reassessments, i.e. on top of traditional triggers for revision such as major component changes or annual review. Many factors must therefore be assessed to identify security risks and subsequent security requirements and mitigation options, for example: international st
21、andards, such as ISO/IEC 27001 , BS7799 Part 2:2005 , BS7858 , BTs corporate security policy and privacy markings, regulation and legal requirements, e.g. UK Data Protection Act, UK Telecoms Strategic Review, The sarbanes-oxley act, customer security requirements individual, company and UK Governmen
22、t, including imported privacy marking, CNI requirements, country-specific factors, e.g. political, economic, social, technological and legal environmental conditions, system life-cycle stage, contract life-cycle stage, base-line contractual security requirements, enhanced contractual security requir
23、ements.The timely capture of these requirements in a form readily usable for input to risk models can, however, prove difficult. Many sources of requirements and system security information from across the organisation must be identified and consolidated to create the big picture of information secu
24、rity attributes.Global sourcing also brings with it an increasingly dynamic environment for which flexible responses are required. From BTs perspective, the recent increase in the volume of systems and applications earmarked for outsourcing presents another significant challenge for the security com
- 1.请仔细阅读文档,确保文档完整性,对于不预览、不比对内容而直接下载带来的问题本站不予受理。
- 2.下载的文档,不会出现我们的网址水印。
- 3、该文档所得收入(下载+内容+预览)归上传者、原创作者;如果您是本文档原作者,请点此认领!既往收益都归您。
下载文档到电脑,查找使用更方便
20 积分
下载 | 加入VIP,下载更划算! |
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- 建立 一个 安全 有效 风险 模型 进行 外包 决策 外文 翻译