Organizations of all types may need to assist in improving security in government outsourcing and procurement by providing information as requested about contractors, equipment, software, and services. References for service providers will be essential to improving security and qualifying service providers and contractors.
In November 2001 the U.S. GAO released a report entitled 'Leading Commercial Practices for Outsourcing of Services.' The report focused on practices that were most critical, rather than the full set of practices that could be implemented. Commercial firms were asked to provide examples of how such critical practices are implemented. This information was used to develop an evaluation framework that could provide a basis for comparison and contrast between commercial and federal (DOD and civilian) IT acquisition practices. Among the practices included in the report were the following:
Examine how IT will support business processes when evaluating sourcing strategies.
Use third-party assistance with experience in a variety of sourcing arrangements when formulating a sourcing strategy.
Incorporate lessons learned from peers who have engaged in similar sourcing decisions.
Estimate the impact of the sourcing decision on the internal organization as well as the impact on enterprise alliances and relationships.
Consider optimizing IT and business processes before deciding on a sourcing strategy.
Benchmark and baseline productivity of internal services prior to making the final sourcing decision.
Consider starting with a representative service or selective set of services to outsource balanced against economies of scale.
Determine the business reasons for outsourcing IT. Leading organizations identified the following business reasons:
To expand the geographic reach of the organization without increasing internal resources for IT
To respond more quickly to business and industry changes by leveraging the experience of an external service provider
To predict operating costs better by contracting for IT services using a standard unit of measure
To reduce capital investments by shifting ownership of IT resources to external service providers
To focus internal resources on core business competencies by transferring responsibility for IT services to external providers
In addition, it is important to clarify all of the needs of the outsourcing organization in a thorough contract. Practices identified by the GAO for contract administration include the following:
Use performance requirements and service-level agreements (SLAs).
Base performance requirements on business outcomes.
Include measures that reflect end-user satisfaction as well as technical IT performance.
Review and update performance requirements periodically.
Require the provider to meet minimum performance in each category of service.
Require the provider to achieve escalating performance standards at agreed-upon intervals.
Incorporate sufficient flexibility so that minimum acceptable performance is adjusted as conditions change, as the provider becomes more adept at satisfying customer demands, and as improvement goals are achieved.
Use SLAs to articulate clearly all aspects of performance, including management, processes, and requirements.
Specify circumstances under which the provider is excused from performance levels mandated by master service agreements.
Identify the SLAs on which compensation is based; additional SLAs may be defined solely to manage performance.
The contract must be flexible enough to adapt to changes in the business environment. It should include clauses for determining pricing structures, performing satisfaction surveys and using the results to redefine performance levels, terminating the contract, resolving disputes in a timely manner, and taking work away from the provider for nonperformance. The contract must also specify which laws govern security of the operation and the standards for security.
Numerous laws govern the use of government computers and networks. There are also many standards and policies that have been set by government organizations about the use of computers. In order to improve security in outsourced environments, it is essential that security policies be followed in the service organizations just as they would be in the government organization.
The Computer Security Acts of 1987 and 1988 declare that improving the security and privacy of sensitive information in federal computer systems is in the public interest and create a means for establishing minimum acceptable security practices for such systems. They assign NIST responsibility for developing the standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in federal computer systems. NIST draws on the technical advice and assistance (including work products) of the NSA, where appropriate.
Some of the more important laws, regulations, procedures, and policies are as follows:
P.L. 73-416, Communications Act of 1934
P.L. 93-579, Privacy Act of 1974
P.L. 95-511, Foreign Intelligence Surveillance Act of 1978
P.L. 99-474, Computer Fraud and Abuse Act of 1986
P.L. 99-508, Electronic Communications Privacy Act of 1986
P.L. 100-235, Computer Security Act of 1987
P.L. 104-104, Telecommunications Act of 1996
P.L. 104-106, Information Technology Management Reform Act of 1996
P.L. 104-201, National Defense Authorization Act for Fiscal Year 1997
P.L. 104-231, Electronic Freedom of Information Act of 1996
P.L. 104-294, Title I, Economic Espionage Act of 1996
P.L. 104-294, Title II, National Infrastructure Protection Act of 1996
P.L. 105-220, Section 508 Accessibility, August 7, 1998
FIPS 46-3, Data Encryption Standard (DES), 1999
FIPS 73, Guidelines for Security of Computer Applications, 1980
FIPS 87, Guidelines for Contingency Planning, 1981
FIPS 81, DES Modes of Operation, 1980/1981
FIPS 102, Guideline for Computer Security Certification and Accreditation, 1983
FIPS 112, Password Usage, 1985
FIPS 140-2, Security Requirements for Cryptographic Modules, 2001
FIPS 180-1, Secure Hash Standard (SHS), 1993
FIPS 186-2, Digital Signature Standard (DSS), 2000
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, 1995
NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, 1995
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, 1996
NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, 1998
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, 1998
NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, 1999
NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, 2000
NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX before Someone Else Does, 2001
NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, 2000
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, 2001
NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), 2001
NIST SP 800-31, Intrusion Detection Systems (IDS), 2001
NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, 2001
NSTISSC provides the following policies and instructions for information assurance (IA) in national security applications:
1, National Policy on Application of Communications Security to U.S. Civil and Commercial Space Systems, 1985
6, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems, 1994
7, National Policy on Secure Electronic Messaging Services, 1995
11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled IT Products, 2000
100, Confidential, National Policy on Application of Communications Security to Command Destruct Systems, 1988
200, National Policy on Controlled Access Protection, 1987
501, National Training Program for Information Systems Security (INFOSEC) Professionals, 1992
502, National Security Telecommunications and Automated Information Systems Security, 1993
1000, National Information Assurance Certification and Accreditation Process (NIACAP), 2000
4009, National Information Systems Security Glossary, 2000
4011, National Training Standard for Information Systems Security (INFOSEC) Professionals, 1994
4012, National Training Standard for Designated Approving Authority (DAA), 1997
4013, National Training Standard for System Administrators in Information Systems Security (INFOSEC), 1997
4014, National Training Standard for Information Systems Security Officers (ISSO), 1997
4015, National Training Standard for System Certifiers, 2000
7000, Confidential NOFORN, TEMPEST Countermeasures for Facilities, 1993