How Much Security Should the Outsourcer Do?

Posted March 8th, 2007 by

Worried about this question?  Well, you’re not the only one.  As more and more IT functions are outsourced, we’ll keep wondering and trying to figure it out through trial and error.
Consider all the responsibilities that a security program in the public sector has:

  • Policy and procedures creation and maintenance
  • Risk Management
  • Security Monitoring
  • SSP Support
  • Incident Response
  • Continuity of Operations
  • Project team support
  • Audit and Compliance

Just about all of these can be fulfilled by contractors.  The interesting thing is that, most of the time, the government doesn’t know how the outsourced system is built because they are only providing oversight.  They depend on the contractor to tell them what the system looks like.
So what parts of security can we never outsource?  Well, the role of system owner has to be a government employee because it’s a conflict of interest for the contractor to be the ultimate authority on the scope of their project: they can choose the security posture that is more advantageous to their bottom line instead of the needs of the government.

The rest of security can be outsourced, either as a stand-alone service or bundled with general IT outsourcing.  The trick is, as I have mentioned earlier this week, that you need to do your homework up front before you decide to outsource.

The best approach is to come to the outsourcing RFP with an understanding of what gaps you have in your security program and to get the outsourcing provider to fill those gaps.

So, since we here at ISM-Community believe in bridging from the theoretical to the practical, and since I’ve just given you the theoretical part of this post, how about I give you a couple of samples of working models that I have seen in use out around town?

The first example:

  • Large contract
  • Outsourcing most IT services
  • 25+ inventory systems (systems in agency portfolio with an Exhibit 300)
  • Existing security organization

While the government already had a fairly well-staffed security organization, they realized that a large contract would require personnel to augment their existing staff.  The security solution provided by the vendor was to staff one person on the contract as a counterpart to each section in the government security structure (Risk Management, C&A, Architecture, Policy and Procedures, Incident Response).  The contractors were matrixed and dotted-lined directly into the agency’s security organization.

Another example:

  • Medium-sized contract
  • Complex data-management system
  • One inventory system
  • One security person on government side

The security team for the program management office was small: just one person who served as the ISSO for the system and who worked directly for the program management office.  The security solution from the contractor included 5-10 people who provided an end-to-end security solution, with the ISSO’s only role being to manage the government-side politics and to be the ultimate authority for security decisions on the contract.

Final example:

  • Medium-sized contract
  • Outsourcing of large web application
  • One inventory system
  • Well-established, well-staffed security organization

You might think that the contract really doesn’t need a security person, but I have a belief that both the government and the contractor need at least one security point-of-contact.  So this contract was staffed with one person to manage the inter-contractor politics and to provide support to the existing security organization.

Posted in FISMA, NIST, Outsourcing, What Works | No Comments »