• silicon.com
• Management
• CIO Insights

By Andy McCue, 22 July 2003 08:56

NEWS Halifax Bank of Scotland has signed a "multi-million" pound contract with Ernst & Young for managed security services that will focus on the bank's internet services. The five-year 'co-sourcing' deal is a longer term commitment built upon an existing 18 month arrangement from January last year. Ernst & Young will provide security experts to advise the high-street bank on security strategy and architecture, particularly for new web offerings. But John Young, head of IT risk and security at HBOS, said the bank will retain complete control and management of security systems. He told silicon.com: "Essentially they supply us with their security experts to work under our management so we are not actually handing over any of the management of any of the security to Ernst & Young, specifically not operational security. Their people do not have hands on access to our systems." Banks, in particular, have been reluctant to outsource IT security work but Young revealed a ground-breaking deal had originally been on the cards. He said: "We spoke to Ernst & Young about doing an outsource contract when we were just Bank of Scotland and that would have been the first of its kind in our industry. We had regulator approval for that as well. But when the merger came along we decided a better way to operate would be to have a co-sourced or managed service arrangement." Although maintaining the integrity of legacy systems is an important part of the work that Young's team of 30 in-house IT security staff undertake, he said new ecommerce projects are increasingly important because of the inherent risk of putting services online. He said: "We're introducing a new corporate internet banking service at the end of this year so given the risk involved in the ecommerce environment we're quite happy that Ernst & Young can provide us with the necessary depth of experience to help us through that. That is the kind of area where security expertise is scarce." Code reviews, penetration testing, monitoring and policy development will also be part of Ernst & Young's remit. Ken Allan, partner in the information security practice at Ernst & Young, said his firm has built a solid relationship with HBOS over the past 18 months that will be able to meet the challenges of the "digital frontier".