
13.4 Integrated Web Portal Service Providers

OCTAVE can help an organization establish the means to effectively communicate its information protection requirements to its service providers or system maintenance contractors. It can also provide a common framework for communicating with customers, partners, and contractors about information security issues. This section looks at a small company that consolidates access to the Web sites and services of many other organizations. This organization needs to coordinate its information security efforts with those of several other organizations.

Company SP

Company SP provides an integrating service that consolidates access to Web sites and services provided by other organizations. Figure 13-4 shows how the company must work with several partners, service providers, and customers.

Figure 13-4. Company SP and Its Interrelationships


Company SP has approximately 40 staff members and is located at one site. It depends upon a prime contractor and a large number of subcontractors to build and maintain the integrating Web portal. The prime contractor is located in the same city as the company, but many of the subcontractors and vendors are based in other cities. Company SP provides only one service, but its customer base is solid.

One primary system provides the Web portal service and is linked to all customer Web sites. The system physically exists at the company's facilities but is managed remotely from the prime contractor's site. The company has a second system that it uses to manage its internal business processes.

The Web portal exists as a dynamic environment, because the customer Web sites to which it links change frequently. The dynamic environment, coupled with the number of organizations involved in maintaining the Web portal, creates a complex situation for Company SP. Management at the company is worried that this complexity could lead to information security problems.

Senior managers at Company SP decided to conduct a comprehensive information security risk evaluation. They understood the value of having their staff involved in the evaluation, but they did not want their staff to lead the evaluation process. Management contracted with an independent consultant to lead the evaluation. Two staff members from Company SP and one staff member from the prime contractor were members of the analysis team.

Their Approach

The approach that Company SP implemented for OCTAVE involved the following steps:

  • Contracting with a consultant to lead the evaluation

  • Keeping the scope narrow (evaluating only Company SP)

  • Allowing the consultant to select and run vulnerability evaluation tools in cooperation with the prime contractor

  • Continuing the relationship with the consultant after the evaluation, making the consultant responsible for revising security policies and procedures based on the results of the evaluation

Results of the Evaluation

The analysis team conducted knowledge elicitation workshops with personnel at Company SP, the prime contractor, and one subcontractor. From these workshops, an organizational vulnerability related to contracting was identified. Company SP had not explicitly communicated its security requirements to the prime contractor, and there was no mechanism in place to monitor what the contractor was doing with respect to information security. With the number of subcontractors and service providers involved, Company SP had no idea what was being done to secure its Web portal.

The analysis team suggested that Company SP use the information gathered during OCTAVE to generate security requirements. It further recommended that Company SP and its contractors establish a formal mechanism for communicating security requirements and verifying that they are being met.

OCTAVE highlighted a complex interorganizational problem for Company SP. The complex web of relationships among all parties created unique security issues related to the Web portal service. Company SP staff need to review all of these relationships in light of the organization's security requirements and then determine how they can work with multiple organizations to meet their business goals and their security requirements.
