Just ask Shane Fuller, information security & compliance manager for the Irish operation of RSA Insurance Group PLC. His infrastructure is outsourced to IBM Global Services, and development is done through Accenture Ltd. He is part of a retained management team that basically checks that the work is being done to the company's standards.
"When you are working with an outsourced model, you don't have access to the systems at first-hand. So you go through a cycle of getting compliance reporting from the outsourcer, challenging it, refining it and so on. It has been a fairly hard slog," he admits.
"Reality has shown us it would be very naïve to take an arm's length approach, because at the end of the day the outsourcing company won't take the wrath of the FSA if anything goes wrong. We could end up very exposed."
Over the last three years, therefore, he has worked to pull back control of IT governance and to reassure his senior board that the company is not only compliant with all relevant regulations but also has all risks under close management.
He realised that much of the information he needed was already sitting in repositories, SQL databases for the most part. "Most of the answers to the questions we wanted to answer were in there somewhere. If we could get to that, discussion over remediation would go away," he says.
Fortunately, the RSA group has a well-established global control framework based on ISO 27001. "The control framework is based on a number of key controls that they have focused on for the last three years, and they have driven a number of remediation projects," says Fuller.
"We just needed to get the data and put in some thresholds or checks for compliance. We could then take the data that IBM would need, for example to remediate unpatched machines, attach that to an email, send it to our service desk, and then generate a service-desk ticket for the IBM service guys to work on. It becomes a much more streamlined process. And a lot more hands-off from our perspective -- we just want to know the picture and to know IBM has a plan in place to remediate."
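The pipeline Fuller describes, pulling a repository through a SQL connector, applying a compliance threshold and turning the breaches into a service-desk ticket, is easier to see in code. The following is an added illustration written for this article, not code from RSA, IBM or Agiliance; the table layout, hostnames, dates, the 30-day threshold and the ticket fields are all constructed assumptions.

```python
import sqlite3
from datetime import date

# Constructed sample rows, standing in for a patch-status repository as an
# asset or vulnerability tool might expose it. Hostnames and dates are made up.
SAMPLE_HOSTS = [
    ("ie-app-01", "2009-05-02", "2009-05-20"),  # oldest missing patch 18 days old
    ("ie-app-02", "2009-03-10", "2009-05-20"),  # 71 days old
    ("ie-db-01",  None,         "2009-05-20"),  # nothing outstanding
    ("ie-web-01", "2009-04-01", "2009-05-20"),  # 49 days old
]


def build_sample_db():
    """Load the constructed rows into an in-memory SQLite table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE host_patch_status ("
        " hostname TEXT, oldest_missing_patch_released TEXT, last_scanned TEXT)"
    )
    conn.executemany("INSERT INTO host_patch_status VALUES (?, ?, ?)", SAMPLE_HOSTS)
    conn.commit()
    return conn


def evaluate_patch_control(conn, as_of, max_days=30):
    """Control check: no host may carry a missing patch older than max_days.

    Returns (number_of_compliant_hosts, list_of_breaches). The generic SQL
    query is the only tool-specific part; the threshold is the control."""
    rows = conn.execute(
        "SELECT hostname, oldest_missing_patch_released FROM host_patch_status"
    ).fetchall()
    breaches = []
    for hostname, released in rows:
        if released is None:
            continue  # fully patched host, nothing to age
        age_days = (as_of - date.fromisoformat(released)).days
        if age_days > max_days:
            breaches.append({"hostname": hostname, "days_outstanding": age_days})
    return len(rows) - len(breaches), breaches


def build_remediation_ticket(control_id, breaches, assignee="outsourcer-service-desk"):
    """Turn breaches into the payload a service-desk ticket would carry.

    Returns None when there is nothing to remediate, so a scheduled run only
    raises tickets when the threshold is actually crossed."""
    if not breaches:
        return None
    worst = max(b["days_outstanding"] for b in breaches)
    return {
        "control": control_id,
        "assignee": assignee,  # placeholder queue name, not a real one
        "priority": "high" if worst > 60 else "medium",
        "hosts": sorted(b["hostname"] for b in breaches),
        "summary": f"{len(breaches)} host(s) with patches outstanding beyond threshold",
    }


def run_patch_check(as_of=date(2009, 5, 20)):
    """One end-to-end pass: query, threshold, ticket."""
    conn = build_sample_db()
    compliant, breaches = evaluate_patch_control(conn, as_of)
    ticket = build_remediation_ticket("A.12.6.1-patching", breaches)
    return {"compliant_hosts": compliant, "breaches": breaches, "ticket": ticket}


if __name__ == "__main__":
    print(run_patch_check())
```

The point of keeping the query, the threshold and the ticket builder separate is that the retained team owns the threshold (the control) while the outsourcer only ever sees the ticket, which is exactly the hands-off split described above.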
His company is a big McAfee user, and in addition uses Foundstone for vulnerability scanning, Appscan for application vulnerability scanning, Tivoli for identity management, Altiris for asset management, and MessageLabs for email management.
Being able to synthesise the feeds from those systems would give him a good picture of the state of his systems. Fuller initially considered putting together a custom system to pull together all the information and analyse it, but then decided to see if there was anything on the market that could do the job.
A combination of Google searching and discussions with Gartner brought his choice down to a few options. Companies like McAfee and Symantec had system monitoring products, but Fuller doubted they would provide broad support for all his other third-party data feeds.
Gartner rated Archer Technologies very highly, but Fuller rejected this. "Archer didn't really have anything out of the box as far as automation was concerned. In Gartner's eyes they are the leaders, but for us it wasn't an option because it would have required a custom consulting exercise. It would have been horrendously expensive."
He decided instead to go for Agiliance, a recent start-up company whose approach to IT governance is to interface with a wide range of data sources and bring them together for central analysis.
"Agiliance had a good pedigree. Its founder had also founded ArcSight, and being a start-up company they were extremely flexible. When I asked whether it could do this or that, I didn't get the usual stuff about it being 'on the roadmap for 2010', they were willing to take our feedback and use it on the basis that if we wanted it, other companies would too."
This means that Agiliance has been willing to create new connectors for Altiris, Foundstone and Appscan, as well as providing Fuller with a generic SQL query connector, and another for CSV files, allowing him to make ad hoc queries where necessary.
Having taken on Agiliance at the end of last year, he expects the project to finish in September. He has taken the ISO framework and extended it to a framework of 326 controls in total.
"The scary thing is that we found that each control could have several questions in it, which means arguably that we have several more sub-controls," says Fuller. "We were lucky that we had a standard control framework across the group, so we didn't have to create one from scratch."
One aspect of Agiliance that has proved useful is its online survey feature, which allows assessments to be sent out to the relevant individuals to check the state of compliance.
For Fuller, this has been a revealing exercise. "As you go through the different controls and think about who should be answering the questions and who should be signing off on the answer, you start to realise that there are lots of people who should have had sight of this in the past, who didn't.
"The key thing about getting an online survey is that it allows you to aggregate all the control-related questions that relate to a certain party and send them out together. They certainly get a shock when they receive it, but it changes their mindset totally around the accountability aspect of it, when they have to go and think about it, maybe attach some evidence and sign it off, and maybe give you some remediation action if it is not 100%. The accountability that comes from the survey is really good and useful in its own right."
Fuller says the system is already delivering not only on ensuring compliance, but more importantly in mitigating risks that could damage the company. It is an important distinction, he says.
"We have found already that some of the information we are discovering around key risk indicators (KRIs) is going to be of real value. You can be 100% compliant with some of your controls -- for instance, with change management you could be following all the controls but you could have every second change failing, which is much more of a KRI.
"Our framework is definitely compliance-based, but we are starting to get some meaningful KRIs into the mix. In the past when we have got together as a group to discuss data safeguards, some people worried that even though we appeared to be compliant with the control framework, we weren't in a good enough position. I'm not sure that taking a compliance view of the world gives you the real story. The KRI approach adds much more value from a business perspective."
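Fuller's change-management example, in which every control is followed yet every second change fails, separates a compliance score from a key risk indicator neatly. The code below is an added illustration, not part of the article or of any vendor's product; the change records, the two control fields and the 20% KRI threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ChangeRecord:
    """One change as a change-management repository might record it (assumed fields)."""
    change_id: str
    cab_approved: bool          # control: change went through the approval board
    tested_before_release: bool  # control: change was tested first
    outcome: str                # "success", "failed" or "rolled_back"


# Constructed sample: every change follows the controls, half of them still fail.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", True, True, "success"),
    ChangeRecord("CHG-1002", True, True, "failed"),
    ChangeRecord("CHG-1003", True, True, "success"),
    ChangeRecord("CHG-1004", True, True, "rolled_back"),
    ChangeRecord("CHG-1005", True, True, "success"),
    ChangeRecord("CHG-1006", True, True, "failed"),
]


def control_compliance(changes):
    """Compliance view: share of changes that followed both controls."""
    followed = sum(1 for c in changes if c.cab_approved and c.tested_before_release)
    return followed / len(changes)


def change_failure_kri(changes):
    """Risk view: share of changes that did not succeed, regardless of process."""
    failed = sum(1 for c in changes if c.outcome != "success")
    return failed / len(changes)


def assess_change_management(changes, kri_threshold=0.2):
    """Report both numbers side by side so a fully compliant but risky
    process is flagged rather than hidden behind a green control."""
    compliance = control_compliance(changes)
    kri = change_failure_kri(changes)
    return {
        "compliance": compliance,
        "change_failure_rate": kri,
        "controls_met": compliance == 1.0,
        "kri_breached": kri > kri_threshold,
    }


if __name__ == "__main__":
    print(assess_change_management(SAMPLE_CHANGES))
```

On the sample data the control score is 100% while the failure rate is 50%, which is the situation Fuller warns a compliance-only view would miss.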
Current work is focusing on a number of remediation projects including USB lockdown, central use policy, and implementation of Tivoli Identity Manager. "All of those things will have repositories from which we can suck information through the generic SQL connector," says Fuller.
And with the pressure from the FSA on control of personal data, they are looking to use the online survey engine from Agiliance to create business process surveys and third-party business partner surveys to get a better view of any risk or gaps that might exist in those areas.
Fuller expects that the approach will be adopted more broadly through the RSA group. "In Ireland because of our size [600 employees], we can move quickly on this, and we are acting somewhat as a guinea-pig on behalf of the rest of the group. There is certainly some interest from a group-wide perspective."
For the moment, he has his hands full in completing the current project in Ireland. So far, it has given him a much more accurate picture of the state of compliance, and has allowed him to focus remediation where the risk was highest. It also means he can provide IBM with clear guidelines and instructions rather than relying on the supplier to perform.
As he says: "It would be foolhardy to trust third-party outsourcers. If you think it's all going to happen because you have it down in a contract, then you're living in La-la Land."