Case Study:

It may seem like an odd question, one that gets an immediate “no,” but think again. Many businesses realize that they do not possess the expertise, time, or money to detect, identify, isolate, and stop the hundreds of hackers, viruses, worms, and other malcontents that daily bombard most IT systems. Moreover, most organizations wouldn’t identify “security” as a unique core competency, so there is some argument for outsourcing it. The following statistics come from a survey performed by InformationWeek/Accenture Global Information Security. They identify the percentage of respondents who use an outsourcer for some form of security. Firewall management—29 percent Intrusion detection management—25 percent Messaging protection—18 percent Security strategy development—15 percent Security governance—11 percent End device security—11 percent The numbers show that many companies are willing to outsource IT-related security. BOILING SPRINGS SAVINGS BANK Most likely, the number one reason why companies outsource security functions is because they lack the resources and expertise to handle it themselves. According to Ken Emerson, director of strategic planning and CIO at Boiling Springs Savings Bank in New Jersey, “In the security world, it’s a game of catch-up. I couldn’t possibly throw enough resources at it internally.” Ken contracted Perimeter Internetworking to provide security for e-mail and handle the function of intrusion detection and prevention. As Ken explained it further, “I didn’t feel like I had the necessary knowledge on my staff, especially with the rapidly growing volume of spam.” But before hiring Perimeter, Ken thought about his customers who rely on Boiling Springs to keep their money safe. So, he did a background check on Perimeter and learned that it had passed the Statement of Auditing Standards No. 70, an in-depth audit of a service provider’s control activities. He also found that none of the other security firms he was evaluating had received that sort of certifi cation. Perimeter electronically linked to Boiling Springs’s systems and monitored all e-mail traffic and intrusion attempts. It even found a worm on a specific Boiling Springs PC and notified the bank so it could shut down the infected computer. KETTERING MEDICAL CENTER NETWORK Kettering Medical Center Network, a group of 50 health care facilities in the Dayton, Ohio, area, turned over some of its IT security to Symantec. Specifically, Kettering contracted Symantec to analyze all of its data collected by Check Point Technologies and Cisco Systems firewalls. The focus here was to protect remote physicians’ offices that are on the network. These types of remote access areas are prime targets for infi ltrating a much larger network. As Bob Burritt, IS network and technology manager at Kettering, explained it, “We need to be concerned if someone is trying to do a port scan against our systems or if our network contains ad bots or spy bots trying to communicate out.” If someone did succeed in penetrating Kettering’s network and shutting down the system, the results would be catastrophic. Not only could doctors and other health care professionals not communicate with each other and share information, Kettering would lose approximately $1 million a day if it couldn’t bill patients or its health care partners or collect fees. Boiling Springs Savings Bank and Kettering Medical Center Network are just two examples of the many companies that are effectively outsourcing some portion of IT security. Overall among U.S. companies, 25 percent are now outsourcing some aspect of IT security.

Q1. If you were developing a new system using the traditional systems development life cycle (SDLC), at what point would you need to identify that you needed to outsource some aspect of IT security?

Q2. In reference to the first question, how would you continue with the in-house systems development effort and, at the same time, carry on the process of outsourcing IT security with another company?

Q3. Boiling Springs Savings Bank did a background check on Perimeter before hiring it. Search the Web for resources than can help an organization do background checks on IT security firms. What did you find? Did you fi nd a couple of Web sites or certifi cation organizations that offer some guarantee of IT security firms? If so, whom did you fi nd?

Q4. Turning over IT security to an outside organization is tantamount to giving another organization complete access to all your systems and information. What stipulations would you include in a service level agreement with an IT security outsourcer to ensure that it didn’t exploit the openness of your systems and steal strategic and sensitive information?

Q5. Do some research on the Web for companies that specialize in IT security outsourcing besides Perimeter and Symantec. Whom did you find? Do they seem to be reputable? Do they include a list of clients you can contact for references?

Your answer must be, typed, double-spaced, Times New Roman font (size 12), one-inch margins on all sides, APA format and also include references.