Enterprise:Management:Outsourcing

About the Outsourcing page

The practice of outsourcing covers a variety of services, from software development to HR and telecommunications. In one form or another, the same questions are asked in all these outsourcing deals:
  • Is it a sound economic decision to outsource (buy) the service rather than provide it in-house (build)?
  • Does an outsourcing agreement introduce security risk, and if so, which?
Here are a few resources on outsourcing topics. The list is unfortunately incomplete, as this page is still under construction. Please stay tuned.

Build or buy decisions - pros and cons

David Carney, a senior member of the SEI, authored this brief and humorous look at issues related to COTS products, using the Maoist-style "Little Red Book" approach of the 1960s with glimpses of ancient Chinese wisdom. The humorous (but to be taken very seriously) "Quotations from Chairman David" is an official SEI document. Although the essay is about build-or-buy decisions in software development, its questions are very applicable to outsourcing agreements.

VoIP managed services

  • SBC PremierSERV VoIP managed service [1] [2]
  • NEC SecurePlus IP Telephony remote monitoring service [3]
  • Cisco NetSolve ProWatch remote IPT management services
    • Cisco NetSolve remote-operations services [4]
    • Cisco technical support and professional services [5]
    • Cisco Managed Services portfolio [6]
  • Vanguard (formerly Motorola Network Division) Managed Services portfolio [7]


General Outsourcing resources

  • Global Telecommunications Services survey [8]
  • Morgan Stanley "Convergence: The Endgame to Global Telecom Capex?" Global Telecom survey 2004 [9]
  • Global Trade Integration and Outsourcing - EU challenges [10]
  • Survey: Failed outsourcing deals blamed on people, not SLAs [11]
  • Outsourcing articles, surveys and news from ITBusinessEdge [12]
  • Creating Effective Outsourcing Agreements [13]
  • Some counter-arguments for using SLAs in outsourcing practice [14]
  • Federal Financial Institutions Examination Council (FFIEC) "Outsourcing Booklet" [15]
  • Federal Financial Institutions Examination Council (FFIEC) regulatory resources on outsourcing [16]
  • Managing Your Service Provider Relationships - overview of outsourcing risks and mitigation strategies [17] local copy
  • Managing Outsourced Service Providers [18]
  • Global Sourcing -not just about cost cutting [19]
  • Best practices for service-level management - a Forrester research report [20]
  • Outsourcing business model - 12manage article [21]
  • SLA example - ERP Application management - Selective outsourcing [22]


ASP market information

  • Feasibility study on the ASP Business Model for outsourcing Enterprise Application Software [23]


Examples of successful & innovative outsourcers

Everdream and AeroTech Service Group (now Talisen) are two innovative pioneers of outsourcing. Here are their stories.

Everdream

Everdream started in 1998 with an innovative business model addressing the SME market. Everdream developed the business model and the technology that enabled the firm to provide its clients, remotely over an Internet connection, the following services:
  • 24/7 Solutions Center
  • Secure automated online backup
  • virus protection
  • desktop self-healing capabilities
  • Virtual Desk-Side Assistance
  • diagnosis and repair
  • Web-based email
  • asset and software management
Today Everdream's market encompasses more than 140,000 desktops in 60 countries.

AeroTech Service Group

Talisen Technologies was founded in 1991 by George Brill under the name AeroTech Service Group, Inc. The initial focus of the company was to supply contract engineering services for McDonnell Douglas Aerospace (MDA). In 1993, AeroTech began working with an MDA group responsible for a new information system called the Contractor Integrated Technical Information Service, or CITIS. CITIS was to be used as an electronic means to collaborate on projects as well as a method to reduce paperwork and exchange CAD documents electronically. This was the first production-ready, secure Internet portal for McDonnell Douglas in the mid 90s, and essentially AeroTech was at the time a Managed Service Provider for its clients. This system has grown into a Virtual Community at Boeing which supports over 38,000 users who have the ability to access over 250 data sources and 400 applications. In 1996, the Harvard Business Review coined the name "The Virtual Factory" for this communications platform designed for MDA by AeroTech. The Virtual Community environment has expanded far beyond its original design for supply chain management in a manufacturing industry. The Virtual Community can be used in any industry that can benefit from the ability to securely collaborate on projects or safely share intranet information with users via the Internet. In order to reflect the broad use of the product in any industry, AeroTech became Talisen Technologies in September 2001. Talisen Technologies is recognized internationally, working through partnerships in the United Kingdom (UltraSBS), Scandinavia (SecGo VE) and the Netherlands (Cap Gemini Ernst and Young) to bring the Virtual Community to corporations worldwide.

Other outsourcers

The offering proactively monitors datacenters, warns administrators of pending problems and performs risk assessments in three areas: on systems, on processes and on people. It is the result of the 2004 acquisition of the US company SevenSpace, a specialist in remote management.


Software as a Service (SaaS) resources

  • QualysGuard, the Qualys on-demand security management platform, selected by Telus
  • Google Apps security services, powered by Postini (acquired by Google in 2007)


Offshoring with onshore operations

Increasing numbers of companies, including large Indian outsourcers, are "onshoring" desk and computer jobs from metropolitan business centres to small-town and rural centres instead of "offshoring" them to India. The trend is also called "reverse outsourcing". This may be a reaction to corporate America's increasing dissatisfaction with the benefits of offshoring deals; one recent example is Lehman Brothers, which cut short its IT helpdesk outsourcing deal with Wipro (Wipro later bought Lehman's Mumbai-based operation). Three Indian firms, Wipro (6), Satyam (7) and Genpact (8), figure in the top 10 BPO companies, while China is still considered 10 years behind India as far as competition in the BPO sector is concerned.

Security assessments for outsourcing agreements

Enterprises seeking to outsource IT, network or data-processing services must evaluate provider security credentials from the outset and follow these recommendations in the RFP process:
  • Outsource highly sensitive IT services only to providers that can produce a current SAS 70 Type II service auditor's report. Note that SAS 70 is an audit report on the controls the provider itself describes, not a certification against a fixed control baseline (see the SAS 70 notes below), so the report's scope and the auditor's exceptions must be read, not just its existence checked.
  • Ask the right questions and seek evidence, using an industry-recognized process (e.g. FISAP for financial institutions).


IT security standards of relevance for outsourcing agreements

Here is a good presentation (local copy) about IT security standards. The standards in the following are relevant for assessing an outsourcer's capability.
  • ISO/IEC 15443, a framework for IT security assurance (covering many assurance methods, e.g. TCSEC, Common Criteria, ISO/IEC 17799)
    • ISO/IEC 15443-1: Overview and framework
    • ISO/IEC 15443-2: Assurance methods
    • ISO/IEC 15443-3: Analysis of assurance methods
  • ISO/IEC 15408, refer also to Common Criteria
  • ISO/IEC 17799:2005, Code of practice for information security management, refer also to ISO/IEC 17799, providing for detailed analysis of the following topic areas (the ten areas below follow the 2000 edition; the 2005 revision reorganises them into eleven, adding information security incident management):
    • Security Policy
    • Security Organization
    • Assets Classification and Control
    • Personnel Security
    • Physical and Environmental Security
    • Computer and Network Management
    • System Access Control
    • Systems Development and Maintenance
    • Business Continuity Planning
    • Regulatory Compliance
  • NIST 800 series, containing both issue-specific (firewalls, IDS, PKI) and general standards.
    • 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
    • 800-26, Security Self-Assessment Guide for Information Technology Systems
  • Federal Information System Controls Audit Manual (FISCAM), evaluating internal controls for the integrity, confidentiality and availability of data maintained in systems managed by the federal government.
  • Site Security Handbook, RFC 2196, a practical guide to developing computer security policies and procedures for Internet-exposed sites.
  • Commonly Accepted Security Practices and Recommendations (CASPR) - an open-source, vendor-neutral collection of security best practices.
  • Control Objectives for Information and related Technology (CobiT), an open framework for IT controls, identifying key IT processes, control objectives and guidelines.
  • TCSEC "Trusted Computer System Evaluation Criteria", Orange Book from the Rainbow series
  • AICPA's "SysTrust" standard for Trust Services Principles and Criteria, identifying five principles to be assessed based on policies, communications, procedures and monitoring:
    • Security
    • Availability
    • Processing Integrity
    • Online Privacy
    • Confidentiality
  • AICPA's Statement on Auditing Standards No. 70 (SAS 70) for service organizations
    • Does not explicitly require any particular controls or practices
    • Involves a review of the existing controls utilizing industry standards for audit
    • Requires that a “Service Auditor’s Report” is issued by an independent auditor, offering an opinion on the effectiveness of existing controls.
  • CERT recommended security practices


The Financial Institution Shared Assessments Program (FISAP) for IT outsourcer assessment

The Financial Institution Shared Assessments Program is a new process for financial institutions to evaluate the security controls of their IT service providers. The program replaces the 2004 ISO 17799-based IT Service Provider Expectations Matrix. Launched in February 2006, the program today has more than 40 member companies, and 16 major service providers are committed to having assessments performed under it. The FISAP questionnaire focuses on:
  • Security policy.
  • Organizational security.
  • Asset classification and control.
  • Personnel security.
  • Physical and environmental security.
  • Communication and operations management.
  • Access control.
  • System development and maintenance.
  • Business continuity management.
  • Compliance with legal and regulatory requirements.


SAS-70 compliance

The Statement on Auditing Standards No. 70 (SAS 70) defines the standards an auditor must employ to assess the internal controls of a service organization, and the resulting service auditor's report is a third-party report on the organization's security and the effectiveness of its internal controls. A Type I report covers the design of the described controls at a point in time; a Type II report also tests their operating effectiveness over a review period, which is why it is the one customers should ask for. SAS 70 has gained importance for service organizations contracted by enterprises subject to Sarbanes-Oxley (SOX) evaluation, in particular those delivering financial services to their customers: Section 404 of the Sarbanes-Oxley Act requires corporate managers to verify control over processes, including those of outside service providers. Up-to-date information on the topic is available through the Sarbanes-Oxley Compliance Journal. More information on information technology auditing issues is provided by the Institute of Internal Auditors (IIA).

Issues with off-shore outsourcing

  • Security Risk Associated with the new Outsourcing model [25] local copy
  • How Dangerous Is Outsourcing? [26]