Wednesday, December 11, 2019

Outsourcing Information Technology Risk Management

Question: Describe IT risk management.

Answer:

Introduction

This report is about outsourcing information technology to a third party in the business processes of a company named Aztec that operates in Australia. Outsourcing IT involves a variety of functions such as operating services, local area networks, hardware and software, application development, etc. IT outsourcing is a common phenomenon in financial services (Herbane, 2005), primarily because outsourcing helps in cost reduction. The outsourcer of an IT function also plays several roles, such as investigation and review of violation reports, maintenance of the clients' information security procedures and policies, and building awareness of and techniques for using information systems via training. When companies like Aztec outsource IT services, they have to share this information with the staff of the outsourcer. The majority of companies in the financial sector fail to make agreements with the third party when they negotiate for the IT function (Hopkins, 2003). As a result they have to pay extra during a system crash in order to back up lost information (Merna & Al-Thani, 2008).

Financial service sector review

The financial sector constantly changes its organizational processes. Information technology in the financial service industry, especially in the business processes of Aztec, changes over a very short time span, particularly on the real side of the organizational business process (Macdonald, 1995). The financial sector industry is unable to move forward without using information technology systems. The information system is one of the most important technologies within the financial sector, as it runs processes automatically. Due to the increase in competition, Aztec has to generate excess capacity within its business processes and depress its margins.
Thinking at the marginal edge of risk will be the best procedure, while tempting them toward failure through building a riskier portfolio and removing the margins (Merna & Al-Thani, 2008). In the financial service industry, Aztec faces high barriers that restrict its business and leave it worse off than its competitors. Hence it is identified that competition within the business of Aztec is working asymmetrically due to low development of technology. Using information technology, Aztec would be able to offer better services that fulfill customer requirements and also increase its customer base. According to Vinaja (2008), most business organizations in the financial service sector outsource IT functionalities for diversification and to generate high revenue growth.

Security posture review

Outsourcing information technology fundamentals in the business processes of Aztec may create the culmination of sense-making for the organization. Sense-making allows the organization to scan the whole environment and interpret it properly. Based on that information, it helps in taking action. The shift from brick to click in financial services like Aztec has created various risks such as reputational risk, system risk, money laundering risk, financial risk, strategic risk, etc. It also brings other problems, such as the requirement for software and hardware, which demands high investment by the company and leads to the problem of integrating the old system with the new system, excess capacity, and cost control issues. There is also the problem of the current system being outdated. The company takes total responsibility for maintaining the security of the implemented system. Budgetary constraint is also one of the most difficult parts to manage within the operational processes of Aztec.
If the organization outsources specific functions of its IT assets, Aztec can gain access to information in the financial service sector and constrain its budget. Outsourcing of IT fundamentals within the business processes of an organization in the financial service industry can represent a contradiction of transaction cost theory. By outsourcing specific functions of its IT assets, Aztec is able to monitor its costs in a better way. The tools and techniques of information technology also reduce production cost when they are outsourced.

Aztec would face the following threats while outsourcing IT functionalities such as desktop and network management or application development to a third party:

1] Customer protection
2] Data confidentiality
3] System availability
4] System integrity
5] Transaction and customer authenticity

Customer protection

Aztec must make sure that its customers are properly authenticated before they access sensitive customer information. As customers are logged into their accounts for quite a long time, their information is stored in the database, which creates a chance of a direct attack on the system or on the customers' confidential information through worms, spamming, key worming, etc.

Data confidentiality

Data confidentiality refers to the protection of valuable information while at the same time permitting authorized access. Aztec's ability to protect data through software, and to recover data in case of loss through backup, recovery policies, etc., is reduced.

System availability

Customers who depend on online services expect 24-hour service each day. By outsourcing, Aztec will not be ensuring that there is ample capacity and resources in terms of software and operating capabilities for all-round service.
System integrity

By outsourcing its IT functionalities, Aztec may face operating flaws and transaction errors that might result from latent transmission or processing, as the system would be totally automated.

Transaction and customer authenticity

If the outsourcing partner is not authentic, there might be issues related to transaction and customer authenticity. When outsourcing, Aztec needs to make sure of the methods that its outsourcing partners use to protect customer authenticity and transactions.

Vulnerabilities of outsourcing

Banks may be misled by security risk exposures and also run the risk of becoming the victim of a security breach, which might become a serious problem for banks and their users. If Aztec focuses on using the present automated vulnerability management system, that system has some hidden flaws and lacks the capability to accurately resolve the outcomes. The impact may include inappropriate security vulnerabilities, inefficient utilization of IT resources, possible exploitation by cybercriminals, and inundated IT security resources, which might lead to employee absenteeism, lower job satisfaction, and erroneous security risk, which will destroy Aztec's credible information security system.

Risk mitigation

The risk treatment process aims at selecting security measures to avoid, transfer and reduce risk, and at producing a risk treatment plan, which is the output of the process, with the residual risk subject to assessment by management. IT risk management includes the following five steps:

1] Understand and define your information risk universe

To develop a comprehensive information risk management (IRM) framework, the organization must assign each member their responsibility.

2] Determine confidentiality, integrity and availability requirements

Not all levels of business require the same level of protection.
Contractual obligations and legislative mandates may determine business controls for some organizations, but for others, informed judgment calls made in conjunction with partners in the line of business are necessary. When assessing the criticality of a function, these three questions can be answered: How confidential is the function? Is the accuracy of the function's information relied on heavily? If this function is not there when needed, what are the consequences?

3] Define your controls

CISOs need to measure the security controls in all of these business groups to be able to do their jobs effectively. CISOs should also employ a framework-based approach to identify and measure these areas in order to track their progress over time.

4] Develop enforcement, monitoring and response mechanisms

An IRM framework must ensure that these controls are defined, enforced, measured, monitored and reported. For areas where these controls may not sufficiently mitigate the risk, CISOs must ensure that those risks are reduced, transferred and accepted.

5] Measure and report

Many security managers are focused on gathering and reporting tactical and status update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor and measure security based on business goals and objectives. They should then focus on translating those measurements into business language that can be of use to executive management.

Conclusion

This report provides detailed information about the information technology process when an organization in the financial service sector outsources an IT function to a third party. In the first phase of this report, the analyst presents an overview of the financial service sector in Australia. In this part the analyst includes all the relevant information about IT in financial services, including government regulation.
In the second part of the report, the analyst reviews the current security posture of Aztec from the point of view of its IT security policies. After describing the current posture of the information technology system when it is outsourced to a third party, the analyst analyzes the threats, vulnerabilities and consequences for the IT control framework. In the last part of this study, the analyst describes the possible data security issues when the IT system is outsourced and provides recommendations to mitigate the identified issues.

References

Chorafas, D. (2007). Risk management technology in financial services. Burlington, MA: Butterworth-Heinemann.
Clinical Waste and Its Risk Management. (2001). Clinical Risk, 7(6), 251-252. doi:10.1258/1356262011928572
Dionne, G. (2013). Risk Management: History, Definition, and Critique. Risk Management And Insurance Review, 16(2), 147-166. doi:10.1111/rmir.12016
Herbane, B. (2005). Risk Management on the Internet. Risk Manag (Bas), 7(2), 65-66. doi:10.1057/palgrave.rm.8240213
Hopkins, A. (2003). Risk. Risk Manag (Bas), 5(1), 85-85. doi:10.1057/palgrave.rm.8240143
Macdonald, J. (1995). Quality and the financial service sector. Managing Service Quality: An International Journal, 5(1), 43-46. doi:10.1108/09604529510081794
Merna, T., & Al-Thani, F. (2008). Corporate risk management. Chichester, England: Wiley.
