Category: Cyber Security

TelecityGroup Nederland realiseert ISAE 3402 certificering

TelecityGroup Netherlands

realises ISAE 3402 certification


Amsterdam, 19 May 2015 – All TelecityGroup locations in Amsterdam have been certified according to the international outsourcing standard ISAE 3402. With this certification, TelecityGroup Netherlands demonstrates that its data centres meet internationally accepted quality and security standards. For customers, this certification provides proof that their outsourced processes are effectively controlled within the data centre.

Secure Data Centres

The certification indicates that the processes in TelecityGroup’s data centres comply with the security requirements of the internationally recognised ISAE 3402 (International Standard for Assurance Engagements). TelecityGroup customers who have placed their IT equipment in one or more data centres in Amsterdam can use the ISAE 3402 report to demonstrate that security processes within the data centre are in order. “Many companies using our data centre services want transparency on how we, as a service organisation, ensure the quality and security of our data centres,” says Alexandra Schless, Vice President Western Europe & Managing Director at TelecityGroup Netherlands.

Different Types

Securance has implemented ISAE at TelecityGroup. In the certification process, the auditors distinguish between Type I and Type II. In a Type I ISAE 3402 report, they assess the control organisation at a specific point in time. During the audit, Securance evaluates the design and existence of control measures. In a Type II audit, they also assess the operating effectiveness of these measures. Schless: “We are working to ensure that our control organisation also operates according to the ISAE 3402 standard and expect to have the Type II report completed later this year. This will provide our customers worldwide with a clear and definitive guarantee.”

Telecity is pleased with this certification: it shows both Dutch and international organisations that we have correctly set up all processes regarding security.

  • Alexandra Schless | Vice President Western Europe –

About Telecity Group

TelecityGroup is a leading provider of premium carrier-neutral data centres with locations across Europe. TelecityGroup’s data centres offer high connectivity and secure environments for IT and telecom equipment, which are the driving force behind the digital economy. In these data centres, the networks that make up the internet converge, and data-intensive online applications, content, and information are securely hosted. TelecityGroup is listed on the London Stock Exchange (LSE: TSY).

Agency Theory in Outsourcing

Agency Theory in Outsourcing

 

Economies of Scale

Since the Industrial Revolution, organizations have been questioning how to leverage their competitive advantage to expand their market share and profitability. The dominant model in the 19th and 20th centuries was the large integrated organization. In the 1950s and 1960s, companies broadened their bases to benefit from economies of scale.

The large integrated organization diversified its product range, and expansions required more management layers. Technological developments, such as the internet, forced organizations in the 1980s and 1990s to compete more globally. They were handicapped by a lack of flexibility due to bloated management structures. To increase agility, many large organizations developed a strategy focused on their core activities and core processes.

Principal-Agent Problem

The focus on core processes sparked a discussion about which processes were essential and crucial for business continuity and which could be outsourced to external service providers. Processes or functions lacking internal resources were outsourced to specialised agencies or providers. Consequently, the principal-agent problem evolved between the user organization and the service organization, and the principal-agent theory and related information asymmetry gained importance in line with the growth of outsourcing.

Information Asymmetry

The most common agency relationship in the financial domain occurs between investors (or shareholders) and the management of a company. The principal may be unaware of the agent’s activities or prohibited by the agent from obtaining information. The result is information asymmetry between the principal and the agent. For example, management might want to invest in emerging economies, while the principal’s risk tolerance is unfavourable. This management strategy might sacrifice short-term profitability and increase company risks, potentially leading to higher future revenues. Investors desiring high current capital income with low risks might not be aware of these management plans. If the consequence of this strategy is certain losses, management may be inclined not to disclose this information to shareholders. The development of the accounting profession was a crucial step in mitigating the agency problem globally. In 1992, the SAS 70 standard became relevant for outsourcing assurance, later replaced by the ISAE 3402 standard in 2011. Outsourcing assurance reduced information asymmetry and improved trust between the user (organizations outsourcing) and the service organization (organizations providing services to these organizations).

Agency Theory in Outsourcing

In general terms, agency theory concerns all relationships between two parties where one party is the principal and the other is the agent representing the principal in transactions with third parties. Agency relationships occur when principals hire agents to perform a service on behalf of the principals. Principals typically delegate decision-making authority to agents. Since contracts and decisions with third parties are made by the agent, affecting the principal, agency problems can arise.

In the situation where activities are outsourced by a user organization to a service organization, agency theory is relevant to all described aspects: information asymmetry, risk tolerance, and engaged resources. For instance, a financial institution outsources IT services to a managed services provider. The managed service provider may not be aware of the institution’s risk tolerance and might decide that a weekly backup is acceptable or that data storage outside the EU is permissible. The service provider might not inform the organization about certain server failures if the network issue is not identified by the financial institution. The service organization might also be inclined to minimise the resources performing activities while attempting to maximise received fees. A service organization may also have a different tolerance towards fraud or may commit fraud itself. In the pension sector, asset managers might profit from front-running pension fund transactions. This results in the principal-agent problem described above.

 Front running is also known as tailgating, is the prohibited practice of entering into trade to capitalize on advance, nonpublic knowledge of a large pending transaction that will influence the price of the underlying security.

Securance advises TelecityGroup

Securance advises TelecityGroup


TelecityGroup is Europe’s leading carrier-neutral data centre provider. TelecityGroup’s data centres offer high connectivity and secure environments for IT and telecom equipment, which are the driving force behind the digital economy. Telecity has data centre clusters in 12 major European cities. In Telecity’s data centres, the networks that make up the Internet converge, and bandwidth-intensive applications, content, and information are securely hosted. Telecity’s newest 9MW data centre, AMS 5, located in Amsterdam South-East, provides not only robust power supply, efficient cooling, and extensive security but also unparalleled connectivity. Besides connectivity, security and control are crucial for data centres. There are several standards for this, with ISAE 3402 being one of the most important.

 

ISAE 3402 and Data Centres

As of December 2014, the COSO framework has been replaced by COSO2013. De Nederlandsche Bank has mandated CObit 4.1 and its maturity model in the information security assessment framework. Due to these developments, multinationals are increasingly demanding ISAE 3402 from hosting providers, in addition to SaaS providers. This trend is supported by the increase in the number of registered data centres in the ISAE 3402 register from 3 to 10 within one year. Securance will support and advise Telecity in the implementation of ISAE 3402.

Telecity and Securance

Emile ten Hoor is delighted that Securance has been selected as the assurance and security advisor for the Telecity Group. Within our current portfolio of asset managers, SaaS, and hosting providers, the Telecity Group is a welcome addition. We are highly motivated and enthusiastic to support Telecity in this process. We support every step towards professionalization and strive for better security and control in the ICT sector.

Outsourcing Excellence™

Outsourcing Excellence™


When impro
ving processes in an organization, the Theory of Constraints (TOC) emphasizes the importance of including the supply chain and market engagement in the analysis. Operational Excellence is achieved by eliminating constraints throughout the entire process, from procurement to production (operations) to sales. This seems simple, but according to Goldratt (the creator of TOC), “The more complex a system is, the more profound its inherent simplicity.” The execution is complex, not the solution. The same applies to outsourcing; the process is straightforward, but adapting it to a user organization’s processes is complex. Outsourcing is essentially always based on comparative advantages.

 

Comparative Advantages – Ricardo

One of my mentors said, “Processes that others can do better or cheaper than you should be outsourced.” Why? Because it gives you more time and space to focus on what you are truly good at. This is essentially the theory of David Ricardo on comparative cost differences, or rather comparative advantages. More processes are being outsourced; accounting software is more often offered as a SaaS solution than as a software package.

More Outsourcing

Outsourcing also happens unnoticed; LinkedIn replaces networking events, Evernote replaces the traditional notebook. We are increasingly dependent on these outsourced activities. This also means that assurance about this outsourcing becomes more important, and standards like ISAE 3402 or ISO 27001 exist for this reason. Outsourcing only works if it is optimally organized; better or cheaper. Additionally, alignment with the processes of the user organization is crucial.

Example

On island A, sheep are kept, and on island B, grain is grown. Trade between A and B will result in a higher level of prosperity for both islands than if both islands kept sheep and grew grain.

Relationship with ISAE 3402

An ISAE 3402 certification or implementation project is an opportunity to optimize outsourcing, remove constraints, and view outsourcing within the total business process, from procurement to production to sales. Outsourcing Excellence is derived from Operational Excellence, based on LEAN and TOC. In the change process, three questions are important:

  1. What needs to change?
  2. What should it change to?
  3. How can the change be achieved?

Optimization Process

The optimization process can be broadly divided into the following phases:

  1. Identify and analyze the bottleneck that is the main limiting factor for achieving goals (cf. strategic objectives COSO ERM).
  2. Exploit the bottleneck and align all business processes (including the processes at the user organization; user control considerations) to fully exploit the bottleneck.
  3. Increase the capacity of the bottleneck to enhance throughput. Once the bottleneck is resolved, start again at point

Example An IT service provider (application management and hosting) struggles with structuring internal processes, maintaining security guidelines, and spends a lot of time on unnecessary incidents. By analyzing these processes, structuring them, and leveraging the natural discipline that arises from monitoring and audit procedures, the organization achieves significant internal improvements. Through ISAE 3402 certification, the organization qualifies for various tender processes, winning two important ones. Due to ISAE 3402, the organization gains new customers and, through process improvements, can deliver 100% service to these important new clients.

Key Points

It is important to realize that:

  • Outsourcing is part of processes that occur at the outsourcing party; process improvements can only occur if constraints are analyzed within this context.
  • Bottlenecks can only be resolved if all processes, including those at the user organization, are adjusted accordingly. It is important to document this in SLAs or user control considerations.
  • ISAE 3402 is an effective tool for reviewing processes, improving discipline, and genuinely enhancing processes; outsourcing excellence.

What next?

At SASconsult, we have developed various tools to ensure organizations not only align their processes with the ISAE 3402 standard but also improve internal processes. This approach serves dual purposes; ISAE 3402 provides more market opportunities (more customers), and these customers receive a better product or service through simultaneous process improvements at the service organization.