| | |  | | Home » Outsourcing Information Security (Computer Security Series) | | | | | | | Product Promotions: | | | | | Description: | | This comprehensive and timely resource examines security risks related to IT outsourcing, clearly showing you how to recognize, evaluate, minimize, and manage these risks. Unique in its scope, this single volume offers you complete coverage of the whole range of IT security services and fully treats the IT security concerns of outsourcing. The book helps you deepen your knowledge of the tangible and intangible costs and benefits associated with outsourcing IT and IS functions. Moreover, it enables you to determine which information security functions should be performed by a third party, better manage third-party relationships, and ensure that any functions handed over to a third party meet good security standards. From discussions on the IT outsourcing marketplace and the pros and cons of the IT outsourcing decision process, to a look at IT and IS service provider relationships and trends affecting outsourcing, this essential reference provides insight into how organizations are addressing some of the more thorny issues of IT and security outsourcing. | | | Product Details: | | | Author:
| C. Warren Axelrod | | Hardcover:
| 266 pages | | Publisher:
| Artech House | | Publication Date:
| September 30, 2004 | | Language:
| English | | ISBN:
| 1580535313 | | Product Length:
| 9.3 inches | | Product Width:
| 6.42 inches | | Product Height:
| 0.78 inches | | Product Weight:
| 1.12 pounds | | Package Length:
| 9.13 inches | | Package Width:
| 6.14 inches | | Package Height:
| 0.79 inches | | Package Weight:
| 1.1 pounds | | Average Customer Rating:
|  based on 5 reviews |
| | | | Used and New: | | | |
| All | |
| $31.42 | Used
- Good | | | $31.43 | Used
- Good | | | $31.50 | Used
- Mint | | | $33.41 This item ships for FREE with Super Saver Shipping. | Used
- Acceptable | | | $34.00 | Used
- Good | | | $35.75 This item ships for FREE with Super Saver Shipping. | Used
- Mint | | | $44.30 | Used
- Good | | | $58.98 | Used
- Good | | | $84.00 | Used
- VeryGood | | | $92.99 | Used
- VeryGood | | | $93.00 This item ships for FREE with Super Saver Shipping. | New | | | $120.65 | Used
- Mint | | | $134.85 | New | | | $221.33 | New | |
| New | |
| $93.00 This item ships for FREE with Super Saver Shipping. | New | | | $134.85 | New | | | $221.33 | New | |
| Used | |
| $31.42 | Used
- Good | | | $31.43 | Used
- Good | | | $31.50 | Used
- Mint | | | $33.41 This item ships for FREE with Super Saver Shipping. | Used
- Acceptable | | | $34.00 | Used
- Good | | | $35.75 This item ships for FREE with Super Saver Shipping. | Used
- Mint | | | $44.30 | Used
- Good | | | $58.98 | Used
- Good | | | $84.00 | Used
- VeryGood | | | $92.99 | Used
- VeryGood | | | $120.65 | Used
- Mint | |
| | | | Customer Reviews: | |
Average Customer Review:
 ( 5 customer reviews )
Write an online review and share your thoughts with other customers.
Most Helpful Customer Reviews
10 of 10 found the following review helpful:
 OUTSOURCING INFORMATION SECURITY MAY POSE DIRE CONSEQUENCES FOR BUSINESS AND GOVERNMENTAug 06, 2005
By John R. Vacca
"Tech Write Independent Reviewer"
Despite the widespread controversy surrounding the outsourcing of information security, organizations must understand and consider what costs and benefits are incurred and gained, respectively. Author C. Warren Axelrod has done an outstanding job of presenting the controversy surrounding the intersection of the two most dynamic, difficult, and controversial areas of information technology today, namely, outsourcing and security.
Axelrod begins this book by defining the scope of the treatment of the joint topics of outsourcing and security. Next, the author lays out the range of information security risk that are confronted daily, whether an activity is outsourced or not. Then, he looks at the risk of outsourcing. In addition, the author describes in detail the categories of costs and benefits. He also describes how the outsourcing costs and benefits relate to the Request for Information (RFI) and Request for Proposal (RFP) processes. Then, he looks at the outsourcing evaluation process that takes place once the information has been collected and sorted. The author then delves into the specific security considerations that affect the outsourcing decision and how they should be handled. Finally, he summarizes the full flow of the outsourcing evaluation and decision processes.
With the preceding in mind, the author has done an excellent job of presenting how outsourcing opportunities have become a continuous process as new services become available, new services of those services appear, and business takes on more of a global aspect. At the end of the day, it behooves a nimble organization in a competitive market to keep its outsourcing options open and its ability to evaluate choices finely tuned..
5 of 5 found the following review helpful:
At Least It Explains the ProblemDec 02, 2004
By John Matlock
"Gunny"
There are a bunch of reasons to outsource information security. You can get specialists who have a broader range of experience than your own company. You can get an outside view of everything from how to read the various logs your system puts out to what anti-virus program to install. There may be a cost savings to have someone else be monitoring your systems along with several other companies at the same time.
There are a bunch of reasons that you don't want to outsource information security. When it hits the fan, you are still the one responsible (especially so now with Sarbanes-Oxley in force, the real rules of which we still do not understand and won't until it's been to court a few times). You have more control over your own people, and you can much more carefully monitor them. This is especially true if the outside company has reduced its cost by establishing the monitoring center in some place like India. You can much more easily check to see if your new employee has just come from a few years vacation in Marion, Illinois.
It would be interesting to see how outsourcing information security would be treated by upper management. It's a cinch that they wouldn't understand enough to make a valid decision. You have to make the decision yourself, and unfortunately then you have to live with it.
This book is just about the only one on this subject. The author reports on some good situations, and some that didn't turn out so well. If this is a decision you have to make, here's at least a good start.
4 of 4 found the following review helpful:
At Least It Explains the ProblemDec 02, 2004
By John Matlock
"Gunny"
There are a bunch of reasons to outsource information security. You can get specialists who have a broader range of experience than your own company. You can get an outside view of everything from how to read the various logs your system puts out to what anti-virus program to install. There may be a cost savings to have someone else be monitoring your systems along with several other companies at the same time.
There are a bunch of reasons that you don't want to outsource information security. When it hits the fan, you are still the one responsible (especially so now with Sarbanes-Oxley in force, the real rules of which we still do not understand and won't until it's been to court a few times). You have more control over your own people, and you can much more carefully monitor them. This is especially true if the outside company has reduced its cost by establishing the monitoring center in some place like India. You can much more easily check to see if your new employee has just come from a few years vacation in Marion, Illinois.
It would be interesting to see how outsourcing information security would be treated by upper management. It's a cinch that they wouldn't understand enough to make a valid decision. You have to make the decision yourself, and unfortunately then you have to live with it.
This book is just about the only one on this subject. The author reports on some good situations, and some that didn't turn out so well. If this is a decision you have to make, here's at least a good start.
4 of 4 found the following review helpful:
Required reading for anyone considering outsourcing informatNov 05, 2004
By Ben Rothke
"Author of 'Computer Security: 20 Things Every Employee Should Know'"
When it comes to the outsourcing of information security functions specifically, the situation is even worse. Far too few organizations know the inherent risks involved with outsourcing security, and don't properly investigate what they are getting into. The same company that makes it nearly impossible for an employee to enter the office supply closet to get much needed toner cartridge will outsource their intrusion detection, email and firewall systems without a blink.
One of the many reasons companies turn to security outsourcing and managed security services providers (MSSP) is to use their limited internal security staff for more interesting areas such as web development, VPN and e-commerce applications. They will then outsource the boring activities such as firewall and IDS monitoring and maintenance to a MSSP.
Given that activities such as firewall monitoring and administering an IDS in large enterprise requires 24/7 support, it is not unusual for a company to want to outsource such activities; monitoring and administering are not core functions of most organizations.
The trouble comes from the lack of due care often given to choosing a MSSP. With that, Outsourcing Information Security is a long-overdue book that asks the questions that are necessary before an organization decides to outsource any information security function.
The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.
The book comprises nine chapters and three appendices totaling a bit under 250 pages. The first two chapters provide a good introduction to and overview of outsourcing and information security, and the associated security risks.
Chapter 3 details various reasons why outsourcing information security makes sense. The chapter includes various tables and references to the many reasons why a company would want to outsource security.
Chapter 4 takes the other side and analyzes the risks of outsourcing. The chapter details the traditional risks, in addition to other factors such as hidden costs, broken promises, phantom benefits and more. The book shows that while many organizations hand over information security responsibility to their MSSP, when things go wrong, they can't effectively blame the MSSP. When things go wrong -- and they will -- all of the fingers in the world can be pointed at the MSSP, but the ultimate responsibility falls on the organization itself. With outsourced security, if something goes wrong, those fingers will point back to the company's security manager, not the incompetent firewall administrator in Bangalore.
The chapter provides a balanced look at the risk of outsourcing, and while calm in its overall approach, the chapter should at least make the person considering outsourcing information security think twice. In fact, the author concludes the chapter by stating "when all of the risks of outsourcing are considered, one wonders how anyone ever makes the decision to use a third party." Nonetheless, there is plenty of evidence that many security activities are indeed outsourced to MSSP, and are often satisfactory from both the buyer's and seller's perspective.
Chapters 5 and 6 provide a thorough summary of the costs and benefits of outsourcing, and provides a method with which to categorize them. The chapter is well suited for a CFO with its discussion of direct vs. indirect costs, controllable vs. non-controllable costs, and much more. These two chapters show that creating meaningful financial numbers to see if outsourcing makes financial sense is not such an easy task. It is important to understand that outsourcing sometimes makes financial sense, but certainly not all the time. For those organizations that don't crunch the numbers seriously at the beginning, these costs can later come back to haunt them in a big way.
Chapters 7 and 8 detail the processes involved in commencing an outsourcing project, from requirements gathering to placing policy against the outsourced company. A mistake many organizations make is failure to ensure that the MSSP is abiding by the client's information security policies, rather than their own.
Similarly, one of the most overlooked areas of outsourcing information security functionality is regulation. A U.S. company may be under numerous regulations, from HIPAA to Sarbanes-Oxley, GLBA, SEC and more; when they outsource their security functionality, the remote technician may not be under the jurisdiction of the SEC; but the corporate data still must be protected according to those regulations.
The main part of the book concludes with chapter 9, which provides a 20-step process to determine if an outsourced security solution is appropriate. In seven pages, the author specifies the various events, tasks and steps that make up the typical outsourcing project.
Appendix A provides a breakdown of the various services that can be outsourced, with Appendices B & C providing brief histories of IT Outsourcing and Information Security.
The only downside to the book is its $85.00 price, which is at the high-end for technology and business books. While the price is high, the book is a huge value for anyone considering outsourcing security. The book asks the questions that are often never asked, and details how the outsourcing of information security is not the slam-dunk that the MSSPs often portray it to be.
For those who know what their security issues are and look to outsource their security functionality to a trusted MSSP, Outsourcing Information Security shows how it can be done. On the other side, for those who are drunk with the panacea that outsourcing security is supposed to provide, Outsourcing Information Security will be a sobering wake-up call.
1 of 2 found the following review helpful:
 A bit thin on the security-specific aspects of outsourcingDec 12, 2008
By Jacob Gajek
Outsourcing Information Security by C. Warren Axelrod was intended to guide the uninitiated through each step of the outsourcing process, helping to steer clear of the pitfalls and achieve a partnership with the service provider that is of lasting benefit. However, much of the content is not specific to information security, which was not only disappointing, but a missed opportunity as well. I picked up this book hoping to find advice on selecting risk assessment specialists, auditors, penetration testers, policy developers, and business continuity consultants. Instead, the focus was on generic business issues related to outsourcing that would be considered common sense by most managers. In short, the book would have been more useful had it been aimed at an audience with sound knowledge of business management and limited exposure to information security, not the other way around.
| | |
|
