|
|
|
13.4 Integrated Web Portal Service ProvidersOCTAVE can help an organization establish the means to effectively communicate its information protection requirements with its service providers or system maintenance contractors. It can also provide a common framework for communicating with customers, partners, and contractors about information security issues. This section looks at a small company that consolidates access to the Web sites and services of many other organizations. This organization needs to coordinate its information security efforts with those of several organizations. Company SPCompany SP provides an integrating service that consolidates access to Web sites and services provided by other organizations. Figure 13-4 shows how the company must work with several partners, service providers, and customers. Figure 13-4. Company SP and Its Interrelationships
Company SP has approximately 40 staff members and is located at one site. It depends upon a prime contractor and a large number of subcontractors to build and maintain the integrating Web portal. The prime contractor is located in the same city as the company, but many of the subcontractors and vendors are based in other cities. Company SP provides only one service, but its customer base is solid. One primary system provides the Web portal service and is linked to all customer Web sites. The system physically exists at the company's facilities but is managed remotely from the prime contractor's site. The company has a second system that it uses to manage its internal business processes. The Web portal exists as a dynamic environment, because the customer Web sites to which it links change frequently. The dynamic environment coupled with number of organizations involved in maintaining the Web portal creates a complex situation for Company SP. Management at the company is worried that the complexity could lead to information security problems. Senior managers at Company SP have decided to conduct a comprehensive information security risk evaluation. They understand the value of having their staff involved in the evaluation, but they did not want their staff to lead the evaluation process. Management contracted with an independent consultant to lead the evaluation. Two staff members from Company SP and one staff member from the prime contractor were members of the analysis team. Their ApproachThe approach that Company SP implemented for OCTAVE involved the following steps:
Results of the EvaluationThe analysis team conducted knowledge elicitation workshops with personnel at Company SP, the prime contractor, and one subcontractor. From these workshops, an organizational vulnerability related to contracting was identified. Company SP had not explicitly communicated its security requirements to the prime contractor, and there was no mechanism in place to monitor what the contractor was doing with respect to information security. With the number of subcontractors and service providers involved, Company SP had no idea what was being done to secure its Web portal. The analysis team suggested that Company SP use the information gathered during OCTAVE to generate security requirements. It further recommended that Company SP and its contractors establish a formal mechanism for communicating security requirements and verifying that they are being met. OCTAVE highlighted a complex interorganizational problem for Company SP. The complex web of relationships among all parties created unique security issues related to the Web portal service. Company SP staff need to review all of these relationships in light of the organization's security requirements and then determine how they can work with multiple organizations to meet their business goals and their security requirements. |
|
|
|
