Security risk management in the BT HP alliance

Abstract

This paper describes the way BT and HP have agreed to collaboratively manage security risks within the BT HP alliance. BT and HP have worked together to establish an environment of mutual trust. A rigorous alignment of policy, coupled with an effective governance framework, has enabled the development of an agreed risk assessment and mitigation process. This paper examines the way in which the foundations of mutual trust were developed and how these enabled the development of a federated security model. The challenge within any outsource arrangement is to determine how security risk assessment and management, built up through policy compliance and developed best practice in a single company in-house environment, should change when the responsibility for a significant part of the delivery and future development of service capability is transferred to a third party. The additional challenge to BT and HP was to ensure that the solution should be scalable and enduring in the context of a strategic alliance. The initial work of the security communities in the two companies was focused on the assessment and management of the risk associated with the managed service agreement to transfer the management responsibility from BT to HP for the mid-range server estate and the end-user workspace (or desktop). This managed service agreement was one of the three core agreements included within the strategic alliance agreement entered into by the two companies. There was a clear objective of ensuring applicability to the other work streams and scalability across all commercial activities of the BT HP alliance. The main focus of the work was to build on top of the technical capabilities of both companies to ensure that formal governance processes were put in place and that security risks were consistently measured, assessed and managed. The trust established between HP and BT as result of the adoption of a common risk assessment methodology and creation of a robust governance framework enabled a swift resolution of early issues concerning HP agent access to BT systems. A Security Federation model was established to facilitate the accreditation of users within their home domains, which delivered significant operational savings to both parties. The paper describes the value obtained from this approach with respect to security issues during the first twenty-four months of the BT HP alliance.