Information Security Challenges

This document discusses information security challenges in a shared services model. Key challenges include low priority of security, ad hoc security governance, ambiguity in roles and responsibilities between business units and within the shared services organization, inadequate separation of duties due to personnel having multiple roles, varied interpretations of security requirements, a tendency to reduce risk levels, multiple vendors creating communication barriers, business operations spread across geographies, and a lack of security training and awareness.
WHITE PAPER

INFORMATION
SECURITY CHALLENGES
IN SHARED SERVICES MODEL
BEST PRACTICES THAT WORK

Abstract
As the title suggests, this white paper focuses on some of the unique IT Security challenges experienced in a Shared Services Model and the best practices to successfully handle and/or reduce exposure to these.
Availability of information and the ability to use it in innovative ways is the success mantra of every organization, but this also requires protection of valuable information from malicious intent, inadvertent incidents and natural disasters at all times.
The nature and framework of shared services organizations, characterized by shared infrastructure, service-oriented organizational units, service groups working in silos, overlapping responsibilities, etc., pose multiple challenges to the adoption and roll-out of an effective Information Security Plan. But by having the right focus on IT security governance, creating lean processes, implementing appropriate RACI and SoD matrices, providing adequate and timely training, etc., the impact of these challenges can be significantly reduced.

Background
The Shared Services Model¹ is being increasingly adopted by medium to large organizations with the goal of improving the financial performance of the corporation. It is achieved by eliminating redundancies, optimizing use of the limited resources, economies of scale and using common/reusable tools and artifacts.
While the financial upside is encouraging, the pitfalls of IT Security, when not managed appropriately, turn out to be significant deterrents in adopting a Shared Services Model.
This paper is organized into two distinct sections:

Section I: Presents the challenges faced with the intent of increasing awareness
Section II: Discusses Best Practices that can help handle/reduce the severity of such challenges
Section I: Challenges faced by IT Security

While the challenges faced in traditional IT setups are still prevalent, the Shared Services Model comes with a few additional challenges, intrinsic to the very nature of the model.

1. IT Security is assigned a low priority
Migration to a Shared Services Model is marked by an organization’s focus on analyzing the offered functions, defining the service units/bundles, developing the Customer, Financial, Supplier, Operations strategies. But when it comes to IT Security, there is either an absence or almost no focus.

2. Ad hoc Security Governance
Unfortunately, an upcoming audit, a security violation or an organization-wide initiative are the core drivers for establishing Security Governance. Leaders/Stakeholders initiate more of an immediate form of Security Governance to align with these requirements and lose focus as soon as the event is over. In addition to these drivers, the absence of an effective sustenance plan makes this ad hoc nature of security governance a repeatable and expensive feature of the organization.

3. Ambiguity in roles and responsibilities
Security responsibilities are meant to be distributed throughout an organization, requiring cross-functional interaction, cooperation, and execution. It cannot be assigned to a single unit or department within an organization and should be “Everyone’s” responsibility.
But in a Shared Services Organization (SSO), due to the bundled nature of service delivery and the overlapping responsibilities of different functions, ambiguities develop with respect to the roles and responsibilities of different players.
• Between SSO and Business Organizations – due to the lack of a clear definition and distinction between the roles and responsibilities, there is a tendency to assume that this is the ‘Other team’s’ responsibility.
• Within the SSO – the SSO is divided into multiple teams working in ‘silos’ with a number of barriers (lack of knowledge/awareness of other teams, no communication at middle management levels, insecurity amongst vendors, etc.) to effective communication, effective work practices, information sharing, etc.

4. Inadequate Separation of Duties
The primary reasons for this inadequacy are:
• Service offerings are the combination of one or more of the functions (in whole or parts) offered by different teams. Multiple personnel are associated in different capacities in the delivery of a single service unit – playing different roles in different hierarchies.
• In an effort to enhance the utilization of limited IT resources, personnel get assigned to multiple roles and/or functional teams (extra access privileges).
• In some situations, the technological attributes limit the capability to adhere to the Separation of Duties principles.

5. Varied Interpretations of Security Requirements
The security requirements are often defined at a high level and say “what” needs to be done but never state “how” the requirements should be met. It is left to the IT teams to appropriately interpret, define and implement/practice them. Being left open for interpretation, individual preferences and biases of IT Managers influence the interpretations, resulting in inconsistent security practices/strategies both within and outside the SSO.

6. Tendency to reduce Risk level
In a Risk based approach, the organization defines different levels of security controls based on the level of risk: impact and likelihood of Disclosure, Modification and Loss of information. In such an approach, there is a tendency to assess the content (information) at lower levels of ‘Risk Exposure’ to reduce the rigor of the governing processes; to be able to bypass certain procedures, review gates and approval mechanisms.

7. Multiple vendors
The organization usually employs multiple vendors with the intent of reducing the risk of being over dependent on a single vendor, keeping prices competitive, service levels high and encouraging innovation. But an outcome of this, which is often ignored, is the reduced collaboration between vendors, steeper barriers in communication (due to a sense of insecurity) and a marked reluctance to share responsibility (either you or me and never we).

8. Business/Operations spread across multiple geographies
In a global setup, it is always a challenge to have a complete understanding of all the local information protection policies, procedures and practices. Every country and state has their own requirements of certain regulations, and the same policies may have different requirements in different regions.
Apart from the local laws and regulations, in a global setup issues come up due to the diversity in culture and thought process across geographies – language issues, lack of context, lack of informal communication, etc. This makes it very difficult for an organization to co-ordinate the entire global roll-out and move forward in a planned manner.

9. Lack of Training/Awareness
The root cause analysis of security incidents showed that most of them were a result of unintended or unauthorized actions of legitimate users and not from malicious external sources. The primary causes for these lapses being:
• Inadequate training on security practices and/or
• Misunderstanding instructions from the management

¹ Shared Services Model – An internal organization becomes the centralized service provider for all Business organizations in the company, promoting reuse and sharing. The Business organizations choose and request products and services as necessary from this shared service provider.

External Document © 2018 Infosys Limited

Summary: Information Security Challenges

1. IT Security is assigned a low priority – The organization and senior management have not instilled the right focus on implementing IT security practices.
2. Ad hoc Security Governance – Absence of an Information Security Management System (ISMS) or a structured governance mechanism.
3. Ambiguity in roles and responsibilities – Ambiguities exist on the roles and responsibilities of the different players (Business, teams in SSO, etc.) in an SSO.
4. Inadequate Separation of Duties – Overlapping and shared responsibilities in an SSO make it difficult to implement an appropriate level of separation in duties.
5. Varied Interpretations of Security Requirements – In the absence of standard interpretations, the different individuals and teams have their own interpretations.
6. Tendency to reduce Risk level – The teams show a tendency to reduce the ‘Risk Level’ to bypass the rigors of the governing processes.
7. Multiple vendors – Relentless competition and a sense of insecurity have led to reluctance in sharing responsibility and little or no collaboration among the vendors.
8. Business/Operations spread across multiple geographies – The organization is based out of and functions from multiple locations spread all across the globe.
9. Lack of Training/Awareness – Inadequate training and awareness on security practices.



Section II: Effective Best Practices in IT Security

In its recent engagements with large pharmaceutical organizations, Infosys was successful in negotiating most of the challenges listed above; either completely eliminating the issues or significantly reducing the severity of the issues.
Some of the ‘Best Practices’ employed in these efforts are listed and discussed below.

1. Information Security Governance
At the beginning of the engagement, IT Security was being managed and supported by make-shift ISOs who took this as an additional responsibility to their regular job responsibilities. People were assigned to this role on rotation and there was no continuity.
To address this, a full-time ISO was appointed and an ISO network was formed to manage requirements across multiple sites. The operations were based on the following principles:
• Adoption of a top-down approach
• Ensure that senior management commitment was sought and their help was taken in creating security awareness and promoting good security practices
• The scope was not limited to a few business critical systems – entire organizational end to end processes were covered in scope.

2. Tailoring ISO 27001/27002 Control Requirements
ISO 27001/27002 outlines hundreds of potential controls and control mechanisms, trying to cover legislative essentials and common best practices and serving as the best starting point for any organization attempting to identify the control requirements. But how and to what extent the requirements need to be met are unique to every organization.
Hence, instead of using the ISO 27K controls AS-IS, Infosys conducted a due diligence exercise and undertook the following to tailor the requirements to suit the organization’s needs:
• Risk Assessment – To assess the business processes and identify requirements which were to be met under all conditions
• Ensured alignment to the organization’s official risk acceptance criteria
• Ensured that all applicable legal and regulatory requirements and corporate policies were met
• ISO 27K controls which were not mandated as per the three gating criteria mentioned above were promoted as controls that at times can be dropped with suitable business justifications, adequate approvals or compensating controls.

3. Interpretations of all Control Requirements
As mentioned earlier, the control requirements are typically laid down at a high level and often do not specify how or what should be done to successfully meet them. So, to bring in consistency in the interpretation and implementation of controls, Infosys, as a central team, defined these for all the teams to adopt and practice.
Infosys brought together SMEs from all cross-sections and developed “discrete actionable guidelines” for each of the control requirements. With this Infosys was able to specify what and how the teams need to do to ensure compliance.

4. RACI Matrix for all Requirements
In a shared services model (offering infrastructure and/or application support), even after transition of applications to the SSO for IT support, business sponsors retain the ownership of the applications and the business processes (information content). This arrangement causes the accountability for individual controls to be split between the Business Sponsors and the SSO. But the lack of specific guidelines results in all kinds of confusion and uncertainty in defining these.
To manage this situation and to draw clear boundaries, we created a Responsible, Accountable, Consulted, Informed (RACI) chart covering all the control requirements. This laid down the role of each individual/team towards the security control requirements.

5. Separation of Duties (SoD) Matrix
While creating the SoD Matrix, organizations often do not take into account the following:
• Limitation of a standard template: Often organizations commit an error when they try to adopt a standard template. Though the principles for defining the SoD are the same and universal, the SoD requirements have to be specific to an organization and its setup.
• Compensating Controls: Though implementing appropriate levels of separation in duties is one of the better ways to implement checks and balances, it is not the only way. There can be other equally strong methods like audit trails, oversight, etc.
• Technological Limitations: Some technologies, by nature, don’t/can’t allow the implementation of sufficient layers of separation.
Hence while creating the SoD, Infosys factored in all of the above and created multiple variations of the SoD matrix suiting different types of services and processes. Infosys also took the next step in identifying compensating controls deemed adequate to substitute separation in certain special scenarios.

6. Create Lean Processes
The existing organization had processes, but the primary focus and intent was on operational performance management and standardization. There was no focus on building the operational security controls into the process. And over a period of time, with multiple modifications, the processes gained in complexity and at times became difficult to follow.
So, Infosys conducted a redefinition effort to:
• Create ‘lean’ and ‘fit for purpose’ processes with all the required controls and applicable requirements (covering all laws and regulations)
• Retain information showing “what and why required” in the parent document and transfer process content depicting “how to execute” to work instructions, guidelines, templates, etc. as necessary for each topic/process area.

7. Training
A structured training enablement process was established which defined the training requirements for each role and
Though the primary intent was compliance to security processes, the scope of the training enablement process was extended to all aspects of IT operations and not just security.
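The SoD matrix with compensating controls described under practice 5 above, as an added example (not Infosys’s own tooling): a check that flags personnel holding both roles of a conflicting pair across teams (challenge 4) and marks a conflict as mitigated only when the compensating controls named for that pair are verified for that person. The role names, control names and assignments are constructed for the example; a different service type would carry its own variation of the matrix.

```python
from dataclasses import dataclass

# Constructed SoD matrix for one service bundle (application support). Role
# names and pairs are assumptions for this example, not from the paper.
SOD_MATRIX_APP_SUPPORT = {
    frozenset({"change_requester", "change_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"dba", "db_audit_reviewer"}),
}

# Compensating controls deemed adequate to substitute separation for a pair
# the technology cannot keep apart (control names are assumed).
COMPENSATING_CONTROLS = {
    frozenset({"developer", "production_deployer"}): {"audit_trail", "release_oversight"},
}


@dataclass(frozen=True)
class Finding:
    person: str
    roles: tuple   # the conflicting role pair, sorted
    status: str    # "violation" or "mitigated"
    detail: str


def check_sod(assignments, matrix, compensating, active_controls):
    """Flag every person who holds both roles of a conflicting pair.

    assignments:     {person: set of roles held across all teams}
    active_controls: {person: set of compensating controls verified for them}
    A conflict is 'mitigated' only when every control the matrix names for
    that pair is active for that person; anything else is a 'violation'.
    """
    findings = []
    for person, roles in sorted(assignments.items()):
        for pair in sorted(matrix, key=sorted):
            if not pair <= roles:
                continue
            required = compensating.get(pair, set())
            have = active_controls.get(person, set())
            if required and required <= have:
                status, detail = "mitigated", "controls: " + ", ".join(sorted(required))
            elif required:
                status, detail = "violation", "missing: " + ", ".join(sorted(required - have))
            else:
                status, detail = "violation", "no compensating control defined"
            findings.append(Finding(person, tuple(sorted(pair)), status, detail))
    return findings


def run_sample():
    """Constructed assignments: Asha deploys her own code but has the named
    controls in place; Ravi both raises and approves changes; Mei is clean."""
    assignments = {
        "asha": {"developer", "production_deployer", "dba"},
        "ravi": {"change_requester", "change_approver"},
        "mei": {"dba"},
    }
    active_controls = {"asha": {"audit_trail", "release_oversight"}}
    return check_sod(assignments, SOD_MATRIX_APP_SUPPORT, COMPENSATING_CONTROLS, active_controls)
```

Running `run_sample()` yields one mitigated finding for Asha and one violation for Ravi; a person whose only conflict lacks one of the listed controls is still reported as a violation naming the missing control.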



Summary: Successful Best Practices

1. IT Security is assigned the least priority
   Best Practice: Information Security Governance – Adopted a top-down approach
   Benefits: • Renewed focus on developing and supporting the Security Management System

2. Ad hoc Security Governance
   Best Practice: Information Security Governance – Set up the ISO Network
   Benefits: • Security strategies became an integral part of enterprise governance

3. Ambiguity in roles and responsibilities
   Best Practice: Created a RACI chart to cover all security control requirements
   Benefits: • Removed ambiguities in roles and responsibilities

4. Inadequate Separation of Duties
   Best Practice: Created multiple variations of the SoD matrix, while accounting for compensating controls and technological limitations
   Benefits: • Made it easier to adopt and comply with the SoD principles
             • Provided other equally efficient means to manage checks and balances
             • Provided means to counter technological limitations

5. Varied Interpretations of Security Requirements
   Best Practice: Process re-definition to create ‘lean’ and ‘fit for purpose’ processes
   Benefits: • All the security requirements were built into the processes and were not left open for individual interpretations

6. Tendency to reduce Risk level
   Best Practice: Tailoring of ISO 27001/27002 Requirements
   Benefits: • Provided the option to bypass controls which did not make business sense – cost wise
             • Allowed the organization to drop requirements which were not applicable/meaningful to their operational setup

7. Multiple vendors
   Best Practice: Creating and implementing an appropriate RACI chart
   Benefits: • Removed ambiguities in roles and responsibilities – reduced avenues to blame ‘others’

8. Business/Operations spread across multiple geographies
   Best Practice: Established a structured training enablement process
   Benefits: • Increased awareness and focus on local information protection policies, procedures and practices

9. Lack of Training/Awareness
   Best Practice: Established a structured training enablement process
   Benefits: • Increased awareness on organizational mandates and requirements
             • Better enablement for process compliance
             • Reduction in repetition of mistakes/violations



About the Author
Binoy Kumar Singh
He is a Senior Project Manager with Infosys Limited and has 11 plus years of IT experience. He has been managing global enterprise projects and directing teams with multi-million dollar budgets for Fortune 100 clients in Life Sciences, Insurance and Health-care domains. Recently, in one of the engagements with a major pharmaceutical client, he helped in defining and establishing the ISO Network, implementing and managing the Information Protection Program and developing ITIL aligned processes in a Shared Service Model.



For more information, contact [email protected]

© 2018 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this
documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the
prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.
