Describe about the Financial Service Sector Review, Threats, vulnerabilities and consequences assessment and Data Security of Aztec Outsourcing?
This report reflects the overview of outsourcing information technology from third party in business process of Aztec that operates their business in Financial Service Sector in Australia. Outsourcing of information technology from third part encompasses the variety of information technology functions within the business process such as Operation System, Local Area Network Hardware and Software, Transaction Process, Application Development, Distribution of Mini and Micro Computer System, etc.
Therefore, the decision of outsourcing IT functions from third party including the combination of organizational, logistical and financial considerations helps in developing successful business operation within financial service industry. In mainframe of financial service sector industry, outsourcing IT functions from third party is the common factor. In order to run the business successfully especially for the organization in financial service sector such as Aztec, need to outsourced IT functionalities from a third party vendor. It is important because primary motive of outsourcing IT functions considers cost reduction. In operation process of financial service sector, long-term outsourcing of IT functions converts variable cost into fixed cost and become more predictable in order to run the system properly.
For Aztec, outsourcing will be the capital agreement from the point of view of cash flow improvement. If Aztec outsourced functions of information technology from third party, outsourcers takes responsibility for system availability and service guarantee. However, if Aztec outsourced information technology they can get several benefits such as administrator of outsourcing company take responsibility to make appropriate program by their specialist. Make individual log in IDs for the staffs as well as upgrade the system continuously. Aztec can gain overall information system in their environment via outsourcing IT function from third party.
Outsourcer of information technology is playing several responsibilities such as access control and security administrator, installation of information security software and maintenance of installed software. There are also several roles of outsourcer of IT functions such as investigation and violation of review report, plays role for maintenance of procedures and policies of information security for the clients, make relationship with the staffs of outsourcer and clients, building awareness and technique to use information security system via training, etc.
Sharing information with the staffs of outsourcer will be major issue when Aztec implements IT service from a third party. This is because, Aztec store customer information along with several sensitive information that relates to their business such bank details, target market, target customers, etc.
When the company like Aztec outsourced IT service, they have to share this information with the staffs of outsourcer. Apart from that, information security audit rights is also an issue for outsourcing IT function in business process of financial service sector. Majority of companies in financial sector miss to make agreements with the third party when they negotiate for IT functions. As a result, they have to pay extra during system crash in order to make backup of lost information.
Majority of outsourcer do not provide access rights about the daily activities of information generation from database or server to the human resource management of client. This can lead huge issues because staffs of outsourcer do not know exact business process or who the main customer of firm is. It creates huge chance for data lost or data theft. In order to mitigate or address these issues, Aztec has to control in their offshore operations, Apart from that, management of Aztec has to make negotiation with clear definition of access permission.
According to the rules and regulations of information security system, outsourcer has to set up access rights. Individuals log in ID need to set for each staffs and customers. Administrator of outsourcer has to take responsibility of for monitoring customer data along with access of information in server. Moreover, outsourcer of IT service has to ensure that their staffs only use organization’s gadget in terms of making application for the client. Outsourcer have to maintain accurate register of allowed portable media such as Laptops, USB devices, CDs, etc. IT vendor has to set program in their electronics system that automatically encrypted data for attached portable media.
Liu (2011) argued that IT risk management is one of the most important applications of risk management for an organization from the point of view of Information Technology. Information Technology risk management manage the risk that relates to the IT department such as desktop, network, mobile computing as well as other related applications like ERP, ICT, KMS, etc. In the financial service sector, use of information technology increased day to day. Majority of companies especially the bankers in financial service sector outsources IT functionalities suck as desktop, applicator, network from third party vendor in order to digitalize their process. However, Martins et al. (2014) explained that Information Technology is one of the most valuable systems that allow organization in running their process automatically.
This study describes the risk management process regarding outsourcing key IT functionality within the organization or Aztec. The company operates successfully their business in the Australian financial service sector. In order to digitalize the system and to implement automation system within the organizational operation process, Aztec outsourced key IT functionality such as network, desktop management and application development from a third party vendor.
1. Financial Service Sector Review
Mustofa et al. (2013) a financial service is one of the most interesting industries that change their organization process continuously. From the viewpoint of Parent & Reich (2009) Information Technology in financial service industry especially in the business process of Aztec changes overtime in particular real side of the organizational business process. Due to increase of high competition in financial sector, Aztec declines the customer base. However, the uneconomic cost structure of Aztec has become locked.
Prado (2011) stated that due to increase of excessive competition, Aztec has to generate excess capacity within their business process and depresses the margins. Marginal edge of risk thinking will be the best procedure and tempting them towards the failure via building riskier portfolio and removing the margins. Into the financial service industry, Aztec faces high barrier that prohibited their business and make it worse rather than their competitors. Therefore, it has been identified that competition within the business process of Aztec is working asymmetrically due to low development of technology and other general erosion.
On the other hand, Schwalbe (2014) cited that within the financial serve industry it is unable to move further without using Information Technology system. Several authors including Taylor et al. (2013) said that Information System is one of the most important technologies within financial service sector that generates process automatically. There are several string brand within the country of Australia that include Information Technology system for several process such as marketing inventory management, billing, providing information, Information Technology allows the organization in business sector especially in the financial service sector in gathering wide range of customer base (Teymouri & Ashoori, 2011).
Apart from that, using information technology system, Aztec can able to offer more better service to their customers that fulfill customer requirements as well as increase customer base. According to the Vinaja (2008), majority of business organization in financial service sector outsourced information technology functionalities in terms of diversification and generates high revenue growth, Apart from that, IT system within the operational process consolidate the business . From the point of view of revenue growth in financial service sector, information technology reduces complexity and reliance on the interest.
On the other hand, from the point of view consolidation, several organizations in financial service sector consolidate due to major regulatory changes of spurred. According to Volpentesta et al. (2011), majority of organization in financial service sectors increased the use of assess that related to securitization such as anti hacking technology, use of antivirus, etc. Since, last few decades, these types of strategies become more successful within the operation process of financial service sector. However, there are some example of failing revenue diversification that creates mix interest between the non-interest income and interest income (Motaleb & Kishk, 2013). This was one of the bad part of Information Technology system because, third party vendor from where the company outsourced their IT functionalities reacted negatively.
In the financial service sector, it has been identified that majority of bankers shifted their product value from low to high. It has been also identified that baking organization increased products value from savings to fixed deposits by implementing Information technology system (Mafakheri et al. 2012). Apart from that, they increased the products value from annual products to premium products. Information Technology also allows the baking organization in rigid the product’s flexibility, increase of mass marketing, increase of advice level from high to level obtain extending service and new customer base.
In accordance to the Xu et al. (2013), Information Technology system allows the organization in financial service sector in achieving high retention rate of customer by providing excellent service such as e-payment. With the help of Information Technology, insurance company in financial service sector moves their service from cultural products to service culture (Li, 2014). For example, organization in financial sector introduced all embracing protection policy rather than individual products. Apart from that, most important method that utilize by the financial service sector via implementation of information technology is improvement of quality of service.
Through implementing information technology, organizations delivers speedy documentation of products such as information, billing, etc instead of saying “wait for while” (Mitev, 2011). Information technology also allows in better handling process regarding claims and advice through telephone. However, there are some problems of information technology that faced by the organization in financial sector such as standardize the products due to high-specialized system, lot of chance for lost of data or hack of information from the server.
Ward & Sipior (2010) noted that due to introduction of computer system, the whole world of business changed. Information technology ensures the smooth running process within the operation process of organization generates wide range of benefits. With the use of Information Technology, organization in financial sector developed an automatic process including higher range of security (Jin & Du, 2014). Information Technology is very much important for removing the local barrier for each organization not only in financial sector but also in other sector.
Zawia-Niedawiecki & Byczkowski (2009) suggested that use of information technology make the ability of changing the view for organization from the point of view of global markets. In information technology market, several organizations provide hardware and related software packages service to operational process of financial sector. This type of third party vendor provides business solution for larger business organization.
Vinaja (2009) presumed that in complex business environment, information technology creates the value for financial service management within the organizational process. As argued by Xue et al. (2013), information technology created value for the organization in financial service sector at their simplest level. Apart from that, in terms of generating higher revenue from the products delivery or provide service to the customers via exceeding the delivery process costs. However, in order to create value or products in organization of financial service sector informational technology has potential impact at the marginal cost that directly reacted with the revenue (Dadios, 2012).
In financial business sector, Information Technology relies on the purpose of data processing, acquiring market and making fast communication. Following are the key importance of Information Technology in operational process of Aztec –
Development of service: Implementing information technology, Aztec is able to speed up their market easily. Majority of companies in financial service sector write documents for the requirement of service (Borek, 2014). However, if Aztec outsources the IT functionalities from third party vendor they are able to gather the information about intelligence from the customers, sales representative, proprietary database, etc.
Process Development: Taylor et al. (2011) suggested that information technology is one of the key aspects f developing operational process. As argued by Rusu & Hodosi (2011), Enterprise Resource Planning system make the process easy from the point of view of organizational process such as sales review, review of costs, stock inventory, customer billing, generate quick information about products and discounts, etc (Drummond, 2011).
Stakeholder Integration: Engagement of stakeholders within the operational process in financial service sector is one of the key important objectives (Humphreys, 2008). Information technology can allow the Aztec in making regular interaction with the stakeholders via websites.
Improvement of cost efficiency: Implementation of initial cost is the type of plan that may be low or high (Kim, 2012). Therefore, implementation of IT system within the operational process helps in reducing the transaction and implementation costs that will be the products oriented of Aztec. However, use of information technology make the business of Aztec ensures the quality of products that increased benefits for the company.
Globalization: In order to aggrieve higher competition in financial service sector, Aztec has to reduce local barrier. However, in order to reduce barrier and globalize the business, information technology will be the most effective tools and technology (Nazamoaylu & Azsen, 2012). Information technology integrates wide range of aspects for communication or making decision for the business of Aztec.
2. Security Posture Review
Outsourcing of Information Technology fundamentals in the business process of Aztec may create the culmination of sense making for the organization. Sentia et al. (2013) argued that sense making is one of the most important adaptive process for the companies in financial service sector. Sense making allows the organization in scanning the whole environment and interpret with each other properly. Based on interpretation it helps in taking actions. From this point of view, outsourcing the IT fundamentals for Aztec will be the key methodology for maintenance security and appropriate operational process (Roper, 2011).
First step of sense making in an organization is the input of information via scanning organizational aspect. Therefore, outsourcing the IT fundamentals from a third party vendor, Aztec can develop a network and adaptive communication process within their workplace that allows in monitoring working performance of staffs. Therefore, IT network such as knowledge management process or ERP system allows the organization in interpreting with other easily (Stafford, 2008). For example, due to world recession, Aztec face lot of problems in recovering their financial resources.
However, it is not only affected the financial resources of Aztec but also badly affected in growth rate of the company. Under this circumstance, Aztec has to find the appropriate resources such as effective employees, appropriate vendors, shareholders, suppliers, etc (Xu, 2013). This can leads the success for Aztec and increase their growth. If the company acquires IT fundamental from third party, they are able to develop a wide area network where each employee including shareholders, suppliers as well as manager connect with each other (Tibble, 2012). It can help in identifying proper resources for the company that improve working performance of employees and increase growth. Jung (2013) cited that outsourcing the IT fundamental within organizational process scanned the environment where the company culminates their business. From this point of view outsourcing the IT fundamental become effective in the business process of financial service sector.
On the contrary, Lee (2012) depicted that implementation of Information Technology within organizational process efficiently addressed that pressure. Therefore, in terms of increasing higher profitability as well as productivity, implementation of information technology by third party vendors will be the most effective way. Fundamentals of IT that will provide the third party can decrease costs of production and increase productivity. Hsu et al. (2013) noted that information technology fundamentals are also known as the cutting edge of technology. Most important thing of outsourcing IT fundamentals through third party vendor is that the company who provide IT service Aztec will also provide training of IT expert for using the implemented technology.
Moreover, the company takes total responsibility of maintaining security of implemented system (Santos, 2008). Budgetary constraint is also one of the most difficult parts to undertake within operational process of Aztec. If the organization outsourced the specific functions of IT asset, the company Aztec can gain their access of information in financial service sector and constraint the budgetary. Outsourcing of IT fundamental within the business process of organization in financial service industry can represent the transaction cost theory contradiction (Peng et al. 2009). Outsourcing the specific function of IT asset in business process of Aztec, the company is able to monitor their costs in better way. The tools and technique of information technology also reduce production cost when it was outsourced (Marchewka, 2013). When the company outsourced IT fundamentals from a third party vendor, it provides skilled personnel and innovative technology.
Functions of Information Technology reduce labor within the operational process of an organization that operates in financial service sector (Pappas & Panagiotopoulos, 2009). When the third party vendor involved with the operation process in financial service sector, they design automatic information sharing process within network. However, Gottschalk (2009) argued that outsourcing of specific IT functions from third party are difficult to utilize. According to the point of view of Hatefi & Seyedhoseini (2012), high specificity of IT, resources can encourage the decision making process of the company rather than discouraging the cost theory of transaction. Therefore, Dinsmore & Cabanis-Brewin (2011) argued that IT outsourcing has positive impact on the business process of financial service sector.
Strategy of outsourcing will be the most important functions for business process of Aztec from the view pint of comprises the leveraging the possibility. Jalilvand & Malliaris (2012) explained that outsourcing the IT functions from third party vendor could create strategic advantage for Aztec.
Outsourcing of IT services from third party increase the knowledge capabilities for Aztec and generates strategic advantage (Littlejohn, 2012). Specific IT service firmly focuses on the core competencies of the organization and helps in outsourcing the raw materials that firmly related with the business process of Aztec in financial service sector. In business process of Aztec, transaction cost theory fails to consider the relationship due to short falls of costs (Hutten, 2009). Outsourcing of IT service helps in connecting wide range of stakeholders with the business process of Aztec that make economically rational logic individually.
Outsourcing of IT functions from a third party has potential impact of organizational restructuring and long terms return. Dey & Kinch (2008) suggested that announcement of IT or IS outsourcing from the third party vendor are generally provide the ability to the firm for restructuring their resources and strategy. However, outsourcing to IT functions from third party vendor helps the organization in financial service sector for redirecting their resources based on analyzing the core competencies of the firm.
Apart from that, Cornalba et al. (2008) noted functions of IT outsourcing often associated with the reduction of cost effort. As consequence, Bodea & Dascalu (2010) argued that outsourcing of IT from third party helps in making decision with the intent of cost reduction primarily. In fact, Alhawari et al. (2012) acknowledged that outsourcing of IT from third party within working environment of financial sector initially restructure the operational method. With the use of various types of IT service, organization in financial sector is able to reserve lower cash significantly decline the growth rate of business and debt high. There are several researches on organizational restructuring for in financial service sector by the IT outsourcing.
Caron & Salvatori (2014) cited that information technology create string value that support the notion of business along with strategies. Therefore, it generally elicit negative reaction and ineffective from the point of view of analysts and investors. Moreover, outsourcing of IT function within operation process of Aztec can generate higher advantage in terms of addressing complex strategies. For example, outsourcing of IT from third party can create high relationship between the performance of the organization and announcement (Gray, 2011). If the organization Aztec outsourced information technology functions from the third party especially for their transaction process such as processing of credit or debit card, payroll, data communication, data transfer to the site of client, etc it will be the greater arrangement.
Implementation of transaction process of information technology within the service of Aztec will allow the organization in speed up their transaction process as well as reduce manpower. On the other hand, Elmaallam & Kriouile (2011) opined that if the Aztec implement application development and system operation information technology within their business process, it will allow the company I maintaining hardware and software automatically including the communication of information to client site from the data center. There are several advantages of outsourcing IT service in financial service sector. For instance, vendor of IT service provider to the company along with their security staff can provide information and maintain security with confidential manner (Costa et al. 2012).
Apart from that, IT vendor of Aztec help in maintaining information security system as they already experienced in such type of problems in other service sector. Therefore, implementation of information technology function from outsource vendor will be the better strategy. Therefore, Holzmann & Spiegler (2011) stated that outsourcing company of information technology specialize in information security maintenance. They can help their client in restructuring the existing information technology system for Aztec with the use of valuable asset in order to tighten the security. In this consequence, Kutsch & Hall (2009) cited that IT outsourcing company provides valuable information for developing the application in Aztec from the point of view of update or migration of the involved application security.
Most important method of outsourcing IT functions in financial service sector is that it helps in saving the staffs of client for long-term process of evaluation (Coplan & Masuda, 2011). Besides also, there are wide range of benefits that comes from the data processing experience of outsources and the internal resources. Outsourcing of IT functions from third party helps in gaining overall information security environment. Majority of outsourcer provides contractual obligation to the company in financial service sector (Caldwell, 2008). Moreover, when Aztec outsourced the IT function from third party within their operation process, outsourcer will play the following role such as –
Security Administration and Access Control: Vendor of IT service that will involve at Aztec takes the total responsibility of centralizing or decentralizing the function of IT service. The group members of outsourcers takes the responsibility in setting up log in id, ensure compliance, writing access rules, etc with procedures and policies of information security system. Marchewka (2012) acknowledged that outsourcers are the ultimate responsible person for maintenance of data security in information technology system. Therefore, security staffs of outsourcer plays the role of adding or deleting log in ids and the rules of access writing for the staffs of Aztec. It has been often seen that, staffs of Aztec often limited for making updates of existing information technology applications such as resetting password in regular interval.
Installation and Maintenance of Information security Software: In financial service sector, information security system is the most important part for their operation (Broad, 2013). In this environment, the IT outsourcing company controls system of software and mainframe. Staff of the outsourcer will support the information technology functions within operating system of Aztec.
3. Threats, vulnerabilities and consequences assessment
Due to various innovations and developments in the technological area, there has been a great impact on the interaction process of banks with the counterparties, suppliers and the customers and also the way they undertake their daily operations. The financial organizations are hugely facing issues and challenges in responding, innovating and adapting to various opportunities provided by the technological solutions, telecommunications, networks and also computer systems (Pfleeger, 2003). This is actually helping the financial institutes to drive the business competitively both in global and domestic market. The technology is offering huge opportunities for banks and also helping the banks to expand their services and products. However, the dynamism and accessibility of technology is also bringing in risks. As the banks rely heavily on internet and information technology for operating their business and interaction in the markets, their recognition and their awareness and also technological risks intensifications, which would correspondingly be more discerning and perceptive for both the financial industry and the individual banks. In order to manage the risks the management and the directors of the organizations is mainly responsible for appraise and review the issues related to cost-benefit like how much and what to invest in the security and control measures related to back up facilities, operations, data centres, networks and computer systems (Acquisti, 2008). The following sections mentioned below would discuss the threats and vulnerabilities associated with the outsourcing of IT services in Aztec, which operates in the financial sector of Australia. The consequences assessment would discuss the risk management framework that would help to control the issues.
3.1 Threats of outsourcing IT services
The security threats can affect the financial institutions like Aztec through various vulnerabilities. A single device of security or single control will not be just adequate to protect the overall system of Aztec with a public network. It is to be noted that Aztec can make the information security more effective by setting up different control, testing and monitoring methods that would help to mitigate the risks that are dependent on various factors. Even though, the utilization of IT services have benefited the financial institutions like Aztec, the outsourcing if it services have created threat for many organizations. This shifting from brick to click tradition in financial services has exacerbated various threats to the financial authorities. These increasing threats might persist even if the organization uses a closed network system (Dogra, Khara & Verma, 2007). The threat involved in outsourcing the IT services may involve reputational risks, security risks, strategic risks, legal risks, money laundering risks, people risks, cultural risks, quality standard risks, financial risks, knowledge risks, multi-vendor risks etc (Shah & Clarke, 2009). Other threats associated with the IT applications and services might involve requirement of software and hardware, where the company has to invest lot of money. This leads to issues related to integration of old system with the new system, excess capacity issues and also cost-control issues. Further, as there is rise in the technical inventions, there is also issue of getting the current system outdated (Uppal, 2008).
The internet is connecting the whole world into a global network. Thus, the issues of security risk is also increasing due to different forms of malware, spamming, snuffing, spoofing, service attacks, interception of middle man, mutating virus, hacking and keylogging. It is very important that the financial institutions have a high security measures that can help to control and address the security threats and risks. Aztec should give the assurance that the transactions performed by the customers and online access and login details are adequately authenticated and protected. However, the organization need to be clear about the threats that might surround Aztec while outsourcing their IT functionalities like such as the network, desktop management or application development to a third party which would include threats like:
- Customer Protection
- Data Confidentiality
- System Availability
- System Integrity
- Transaction and Customer Authenticity.
Customer Protection is very important for internet financial services. Aztec must make sure that their customers are properly authenticated and identified before they access to the sensitive information of the customer.
Outsourcing the IT functionalities may lead to the hacking exploits and threats. As the customers are generally logging in for accessing their accounts, there is information are stored in a particular database which is accessible by the outsourcing partner (Reiffen & Robe, 2010). There is a chance of direct attack on the system or the customer’s confidential information through spamming, worms, keylogging, spyware, phishing or viruses ('Phishing and countermeasures: understanding the increasing problem of electronic identity theft', 2007). Since, the third party will be acting as a middle-man between the customer and the organization, there is a chance of “man-in-the-middle attack (MITMA)”, “man-in-the-application attack” or “man-in-the-browser attack” (Pfleeger, 2003). Thus, it better to minimise the middle man exposure by not outsourcing the IT functionalities.
Further, if Aztec outsources its IT functionalities, the need to distribute their software that they have been using for making their services effective. Distributing software may lead to inadequate safeguards and securities for the customers. Also, while outsourcing, Aztec might not be aware that the third party is using genuine software or not. This will lead to loss of customer data.
Data confidentiality generally refers to protection of confidential information through prying eyes and also permitting authorized access (Reiter, 2011). If the IT functionalities are been outsourced, then, there is no control over the data that Aztec uses or gathers from the customers (Shaw, 2014). Thus, ability to protect the data through software and also recover data in case of loss of data, thorough back-up, recovery policies, redundancy, replication etc also gets reduced for Aztec (Yau, An & Buduru, 2012). Since Aztec, is not sure about the IT environment of the third party, there are chances of malignancy, cyber attacks etc.
A high level of system availability is mainly needed for maintaining public confidence in an online network framework. All the precious control and security components are of importance while working online (Schiesser, 2010). The customers who are depended on the online systems expect 24hours online service each day of the year. Thus, it is important for Aztec to understand the significant factors that are mainly associated with availability of high systems like quick recovery system, scalability system, quick response time, reliable performance and also adequate capacity (Mehan, 2008). Thus, by outsourcing the IT functionalities, Aztec will not be able to make sure that there is ample of capacity and resources in terms of software, operating capabilities and hardware (Somasundaram & Shrivastava, 2009).
According to Stack et al., (2011) system integrity is all about the completeness, reliability and accuracy of information that is being processed, transmitted and stored between the financial agency and the customers (Mercuri & Neumann, 2001). By outsourcing the IT functionalities, Aztec might face operating flaws and transaction errors that might result due to latent transmission or processing as the system would b totally an automated process (Flowerday & von Solms, 2005; Serious Security Flaws Identified in Cloud Systems', 2011).
Transaction and Customer Authenticity
If the outsourcing partner is not authentic, there might be issues related to transaction and customer authenticity (Wever, Wognum, Trienekens & Omta, 2012). By outsourcing, Aztec needs to make sure about the methods that their outsourcing partner is utilizing for protecting the customer authenticity and transaction. Are they using the cryptographic technologies ensuring the integrity, authenticity and confidentiality of the information of the customers. Further, is the partner using the two-factor authentication to prevent cyber attacks or not. However, the organization will not have control to maintain all these principles (Acquisti, 2008).
3.2 Vulnerabilities of outsourcing IT services
Banks may be being misled due to the security risk exposures and also risks of becoming victim of security breach, which might become a serious problem for the banks and their users. If Aztec focuses on utilizing the present automated system of vulnerability management, which is mainly useful for monitoring the informational risks, it contains some hidden flaws which do not have the capability to accurately resolve the outcomes (Khidzir, Mohamed & Arshad, 2013). This impact may include inappropriate security vulnerabilities, inefficient utilization of IT resources, and possible exploitation due to cybercriminals and also inundated resources of IT security that might lead to high turnover rate of employees, lower satisfaction level of job and also erroneous risks of security which will destroy the credible information security system of Aztec (MacKay, 2015).
There is also risk of security breach as outsourcing IT services is totally dependent on third-party contractors and it is quite risky in providing the confidential data to the third party agents. There issues, if the third party is not authentic like, selling of personal data or sensitive data of the consumers like consumer transactions data or the social security data etc to other individuals or organization which might lead to fraudulent cases (Javaid, n.d.). Even, disclosing client passwords for fraudulent withdrawal of funds from the customer’s accounts, stealing classified formation and passing the information to other call centers or agencies that would lead to drop in the production and profitability of Aztec (Endorf, 2004).
Information Security Risks are probability of threats action on vulnerabilities to cause impacts contributed to the incidents of information security. Thus the risks associated with the information security are unauthorized exploitation or loss of intellectual properties, theft of confidential data or personal data and leakage of information. These risks are mainly due to lack of control of vulnerabilities and threat (Hui, Hui & Yue, 2012). This shows that vulnerability is nothing but weakness or absence of safeguarding the assets, which makes the threat potential more costly and harmful, which are likely to occur more frequently and also threat of potential (Parley, 2010).
3.3 Consequences assessment of outsourcing IT services
Due to complex and risk nature of internet, there are various risks that the organization might face with outsourcing their IT functionalities. Thus, Aztec needs to make a proper risk management process, in the organization instead of outsourcing their IT functionalities. This risk management process helps to get a clear understanding of the interaction between the customers and the organization through internet based applications and also support systems. This would help to ensure that the technical controls, management and operational activities are adequate and effective.
Practices, procedures and policies should effectively characterize threats, stipulate obligations, indicate security prerequisites, execute protections to secure data frameworks, regulate inside controls and authorize agreeability ought to be set up as vital determinations of the danger system. Management ought to conduct intermittent security hazard appraisal to distinguish inward and outer threats that may undermine framework uprightness, meddle with Management or result in the disturbance of operations. Vulnerability and threat assessment would help Management in settling on choices with respect to the nature and degree of security controls needed. Training and development programs and also security awareness programs should likewise be led inside and remotely to advance and sustain a security cognizant environment.
Aztec can follow the following risk management process:
- Risk Identification:
- Risk identification stage will help Aztec to identify different vulnerabilities, threats and exposures different external components etc. At this stage, Aztec needs to take into account all the risks that are arising due to IT applications and their interfaces. Security threat and vulnerabilities may cause severe disruptions in the operation of Aztec. Thus proper monitoring would help to reduce the affect of risks.
- Risk Assessment:
- Aztec should understand the inspiration, assets and capacities that may be obliged to do a fruitful assault ought to be created when sources of dangers and related vulnerabilities have been distinguished. Further, Aztec should develop a proper vulnerability and threat matrix that would help to assess the impact of the identified threats on the IT environment of the organization.
- Risk Treatment:
- It is imperative for Aztec to manage and control all the IT risks that would allow them to reduce the loss and also mitigate the financial risks. For different risks, Aztek should create and implement different control strategies and risk mitigation strategies. A combination of functional, procedural, operational, technical controls would help to reduce the IT risks. If Aztec finds that the threats of running or implementing the IT systems are insurmountable then it should refrain the system.
- Risk Reporting and Monitoring
- Aztek need to maintain a proper risk register that would help to report and monitor the identified risks. Then the identified risks should be update periodically in the register and should be reported to the authority to mitigate the risks as soon as possible. Further, for facilitating the risk reporting management system, Aztec need to develop a proper IT risk metrics that would help to highlight the infrastructure, systems and process that are highly prone to the risk exposure.
The above mentioned framework would help to analyse the risks that Aztec can face while outsourcing their IT services. However, since Aztec is planning for outsourcing their IT functionalities, it is important for them to manage the outsourcing risks. This can be done by due diligence.
- Due Diligence
- The senior management and the board of directors of Aztec need to understand various risks of outsourcing their IT functionalities. By carrying out a proper due diligence, Aztec can determine the financial position, reliability, capability, viability and track record of the service provider. Further, Aztec should also make sure that the terms and conditions of the contract that governs the responsibilities, obligations, relationships and roles are hand written agreements and duly signed by both the parties. Aztec should also make sure that the service provider is granting access to all the nominated parties, the facilities, operations, systems and documentations for compliance and regulatory purpose. Further employing a high standard diligence and care in the practices, procedures and policies of maintaining the security and confidentiality of the data would help to reduce the degradation of internal control of Aztec on IT outsourcing.
- Aztec should also pay attention on the abilities of the service providers that would help to clearly identify and isolate the data of their customers and also assets of information system for protection. Further, Aztec need to ask from the service provider about establishing and developing a recovery contingency framework that would help to define the responsibilities and roles for testing, maintaining and documenting the recovery plans and procedures. The financial agency should also make sure that proper training is held regularly in executing and implementing the recovery procedures. Verifying the ability of the service provider would help to recover the outsourced services and systems of IT within the predetermined recovering time objective (RTO) before contracting with the service provider. Further, the recovery plan should be tested, updated, reviewed consistently.
- Lastly, Aztec should place a proper contingency plan for dealing with the probable worst case scenarios due to service disruptions that its service provider cannot deal with. The plan should include viable alternatives that would help to resume its IT operations.
4. Data Security
4.1 Security Issues of Outsourcing
From the viewpoint in the project, this part addresses several data security issues when Aztec outsourced IT functions from third party vendor.
Access of Outsourcer to the data of Aztec: When Aztec outsourced IT function from third party they have to provide permission for accessing company’s information to the staffs of outsourcer. Therefore, the main issues is the, staffs of the outsourcer do not understand what information is important and develop higher level of data security from the point of view of authority of access of data (Bryson, 2011). Therefore, it has been often founded that majority of organization in financial service sector do not consulted about this issues during contract to the outsourcer.
As a result, majority of organization in financial service sector faces wide range of challenges that relates to the data security. Moreover, it has been also identified that organization in financial service sector never creates a format of agreement. As a result, staffs of the outsourcing company freely access the information that create huge chance of hacking of data. Apart from that, Nichols (2014) explained that financial service sector never stated clearly about the disciplinary and enforced the procedures and policies for the staffs. Scherling (2011) argued that if the organization in financial service sector plans to outsource the information technology functions from third party, must to ensure about the methodology of data testing and copying current production of information into the test file.
The application programmer of third party must to prevent data or protect data from being hacked during up gradation of data production (Better et al. 2008). Majority of application programmer of outsourcing company could not process the fix production that controlled data flow during data up gradation.
Data destruction, backup and retention: It is one of the major issues in financial service sector when the organization outsourced IT function from third party vendor. Majority of outsources do not mentioned clearly about the responsibility of data retention and backup. The system of backup facility is most efficient and cost effective for the company that operates in financial service sector (Bellini, 2009). Majority of outsourcing vendor provide automatic backup tools when they implement information system and programming for the firm. The automation system of data backup increased high.
Therefore, organization in financial service sector forgets to document the contract for data backup responsibility with the outsourcing company. The outsourcing company of IT service demand for price including backup facility, If the organization do not defined to take responsibility of data backup during system failure, outsourcer demand for extra payment for performing to take backup of data from the server. In order to make higher profit, outsourcer of information technology set up low disk space instead of high performance disk drive due to expensive rate.
On the other hand, Vinaja (2013) cited that management of the financial service sector do not mentioned the policies and procedures to the outsourcer regarding data backup or archived of data in the storage device. Agreement of service level for management of data does not defined clearly to the outsourcer of information technology service (Mustofa et al. 2013). Organization often mistake to spell out clearly about the performance of staffs, retention, data backup and destruction. As a result, data or information of the company do not protect properly by the vendor (Faculty-staff.ou.edu, 2015). As consequence, when data destroyed, third party vendor demand for extra payment in terms of taking backup from destroyed server.
Sharing resources of computer with the outsourcer: As outsourcer plays the major function in developing IT service for the firm, they have to provide permission for accessing information to the outsourcer. As a result, staffs of the outsourcer access information about the firm. It is high risk from the point of view of business. Yokouchi (2007) argued that staffs of IT vendor sometimes comprised data with other intentionally or unintentionally due to lack of knowledge. In order to maintain proper security, outsourcer access information from the main data server. Security is the big issue in that case.
However, organization in financial service sector, often do not make any agreement with the outsourcer in terms of data security or sign with staffs of outsourcer (Martins et al. 2014). Majority of companies in financial sector commonly mistake to develop IT function by the third party. Majority of companies in financial service sector do not include several network securities into their mainframe of information security system. However, the common mistake identifies in financial sector during implementation of IT service by third party that company involved information security software without test or evaluates (Taylor et al. 2013). In terms of controlling the desired outcomes of implemented system, specified service level agreement never maintained by the company in financial service sector.
Determination of data ownership and programs: In business, organization in financial service sector owns data from several environments. Therefore, outsourcer of IT function has to be more responsible with that data. However, in major cases it has been seen that due to lack of knowledge staffs of outsourcer is unable to develop prominent life cycle of data ownership and programs. Often, organization of financial service sector is unable to determine the actuality of data from where it belongs and what is the exact purpose or requirement of this data (Nyu.edu, 2015). Distinction of use of data into operation is more important for the company when they outsourced information technology function from a third party. Most of the organization not only in financial service sector but also in other industry unable to specify or spell out the distinction of used data or information in the agreements of service level (Ward & Sipior, 2010). Information security never takes prominent place when the company outsourced information technology from a third party.
Audit rights of information security to the outsourcer: In most of cases, it has been identified that outsourcer provides the information to client’s staffs when they update or modify information technology system but never provide audit authority to the management or staffs of the client. As a result, organization in financial service sector who outsourced IT service unable to understand the exact access rules and regulation. It creates complexity. Outsourcer never allowed the management or staffs of their clients in auditing the overview of details of designed system. Apart from that, outsourcer does not provide information about the results of new development system regularly (Ittoday.info, 2015). As a result, organization in financial service sector does not understand the accurate problem of their system and provide information to the outsourcer for mitigation.
4.2 Process of controlling security issues of Outsourcing
In order to control the above security issues when an organization outsourced information technology from third party, need to maintain the following procedures –
Controls in offshore operation: Company in financial service sector has to control the recruitment and physical security that equivalent to their business process. Higher physical security will be the significant approach for addressing these issues. Application of rigorous security policy will be the best methods for Aztec in when they implement information technology function from outsourcer.
Rights of Access: When the company is involving the third party for IT service, they need the mention properly about the access rights for outsourcer’s staffs. Essential tools and process will be the appropriate security method for data security. Company has to mention east privilege access for the staffs of outsourcer with sign (Rusu & Hodosi, 2011). Apart from that, Aztec has to determine the access right case-by case basis. In order to maintain good access right, Aztec has to make specific profiles for each member within their organization as well as staffs of outsourcer.
Management of the company has to make an agreement and sign it by the outsourcer for changing password or access control when the staffs change their role or leave the job. Same process has to be applied for the new joiner at the organization. Moreover, Aztec as to define clearly about their process and notify the IT vendor for access control permanently. Aztec has to make a negotiation with the outsourcer of IT functions that they regularly conciliation with the Human Resource Management about ongoing system’s result. It is required because regular information about access rights ensures no anomalies. In order to know the purpose of customer, management has to set priority for least privilege access.
Most importantly, customer’s authentication will be the best method of developing proper access right. Peng et al. (2009) argued that for maintaining proper access right, Aztec has to mask bank account details, user id and password of staffs, credit card information, etc.
Password and User Accounts: In order to make proper security within the organization, Aztec has to comprise their idea with outsourcer and make individual user account for staffs and customers. In terms of containing customer’s data, required to set up programming of requiring password. In order to make standard password, Aztec need to take review from group of Get Safe Online. However, Aztec has to make password with the combination of letters, numbers and special symbols at least 10 characters in length. Moreover, after setting up the password, it needs to change regularly. To ensure the password has to be set with the policy of password checking software.
Authentication: Authentication is the big issue in every industry in their information security system. Therefore, in order to maintain authentication, organization has to develop effective and suitable authentication process and need to protect customer data. As a organization of financial service sector, Aztec has to help their customers to be more conscious about security.
Data Backup: From the data backup process, Aztec has to conduct appropriate risk assessment of the data security to threat. Need to use encryption method for backup of data during transition and offsite. Need to take continuous review at the level of encryption at data security process for development of appropriate risk environment.
This report is adopted for providing detail information about information technology process when an organization of financial service sector outsourced IT function from third party. In the first phase of this report analyst represents an overview of financial service sector in Australia. In this part, analysts include all relevant information about IT in the financial service sector including governmental regulation. Thus, make a best practice for financial service sector in this report. In second part of report, analyst described review of current security posture of Aztec from the point of view of IT security policies. After described the current security posture of information technology system when it outsourced from third party analyze the threats, vulnerabilities and consequence for IT control framework. At that last part of this study, analyst described the possible data security issues when IT system outsourced and provide recommendation to mitigate that identified issues.
Acquisti, A. (2008). Digital privacy. New York: Auerbach Publications.
Borek, A. (2014). Total information risk management. Waltham, MA: Morgan Kaufmann.
Broad, J. (2013). Risk management framework. Amsterdam: Syngress, an imprint of Elsevier.
Bryson, J. (2011). Managing information services. Farnham: Ashgate Pub.
Coplan, S., & Masuda, D. (2011). Project management for healthcare information technology. New York: McGraw-Hill.
Dinsmore, P., & Cabanis-Brewin, J. (2011). The AMA handbook of project management. New York: American Management Association.
Dogra, B., Khara, N., & Verma, R. (2007). Strategic outsourcing. New Delhi: Deep & Deep Publications Pvt. Ltd.
Garton, C., & McCulloch, E. (2012). Fundamentals of Technology Project Management. Chicago: MC Press.
Jalilvand, A., & Malliaris, A. (2012). Risk management and corporate governance. New York: Routledge.
Jin, M., & Du, Z. (2014). Management Innovation and Information Technology. SOUTHAMPTON: WIT Press.
Jung, H. (2013). Future information communication technology and applications. Dordrecht: Springer.
Kim, H. (2012). Advances in technology and management. Berlin: Springer.
Lee, G. (2012). Convergence and hybrid information technology. Heidelberg: Springer.
Littlejohn, E. (2012). Information risk management. Delhi: Research World.
Marchewka, J. (2012). Information technology project management. Hoboken, NJ: John Wiley & Sons.
Marchewka, J. (2013). Information technology project management. Hoboken, N.J.: Wiley.
Mehan, J. (2008). CyberWar, CyberTerror, CyberCrime. Ely: IT Governance Pub.
Nichols, A. (2014). A guide to effective internal management system audits. Ely, Cambridgeshire, UK: IT Governance Pub.
Pfleeger, C. (2003). Security in computing (3rd ed.). Upper Saddle River, NJ: Prentice Hall PTR.
Roper, A. (2011). Forecasting and management of technology. Hoboken, N.J.: John Wiley & Sons.
Scherling, M. (2011). Practical risk management for the CIO. Boca Raton: CRC Press/Auerbach Book.
Schiesser, R. (2010). IT systems management. Upper Saddle River, NJ: Prentice Hall.
Schwalbe, K. (2014). Information technology project management. Boston, MA: Course Technology.
Shah, M., & Clarke, S. (2009). E-banking management. Hershey, PA: Information Science Reference.
Somasundaram, G., & Shrivastava, A. (2009). Information storage and management. Indianapolis, Ind.: Wiley Pub.
Tibble, I. (2012). Security de-engineering. Boca Raton, FL: CRC Press.
Uppal, R. (2008). Banking with technology. New Delhi, India: New Century Publications.
Xu, B. (2013). 2012 International Conference on Information Technology and Management Science (ICITMS 2012) proceedings. Berlin: Springer.
Xu, J., Yasinzai, M., & Lev, B. (2013). Proceedings of the sixth International Conference on Management Science and Engineering Management. London: Springer.
Alhawari, S., Karadsheh, L., Nehari Talet, A., & Mansour, E. (2012). Knowledge-Based Risk Management framework for Information Technology project. International Journal Of Information Management, 32(1), 50-65.
Bellini, C. (2009). Mastering Information Management. Journal Of Global Information Technology Management, 12(4), 79-81.
Better, M., Glover, F., Kochenberger, G., & Wang, H. (2008). Simulation optimization: applications in risk management. International Journal Of Information Technology & Decision Making, 07(04), 571-587.
Bodea, C., & Dascalu, M. (2010). IT Risk Evaluation Model Using Risk Maps and Fuzzy Inference. International Journal Of Information Technology Project Management, 1(2), 79-97.
Caldwell, F. (2008). Risk intelligence: applying KM to information risk management. VINE, 38(2), 163-166.
Caron, F., & Salvatori, F. (2014). Managing Information for a Risk Based Approach to Stakeholder Management. International Journal Of Information Technology Project Management, 5(2), 30-43.
Cornalba, C., Bellazzi, R., & Bellazzi, R. (2008). Building a Normative Decision Support System for Clinical and Operational Risk Management in Hemodialysis. IEEE Transactions On Information Technology In Biomedicine, 12(5), 678-686.
Costa, F., Santos, P., VarajÃ£o, J., Pereira, L., & Costa, V. (2012). Proposal of an Information System to Support Risk Management â€“ The Case of the Portuguese Hospital Center CHTMAD. Procedia Technology, 5, 951-958.
Dadios, E. (2012). Fuzzy-Neuro Model for Intelligent Credit Risk Management. Intelligent Information Management, 02(25), 251-260.
Dey, P., & Kinch, J. (2008). Risk management in information technology projects. International Journal Of Risk Assessment And Management, 9(3), 311. doi:10.1504/ijram.2008.019747
Drummond, H. (2011). MIS and illusions of control: an analysis of the risks of risk management. J Inf Technol, 26(4), 259-267.
Elmaallam, M., & Kriouile, A. (2011). Towards A Model Of Maturity For Is Risk Management. International Journal Of Computer Science And Information Technology, 3(4), 171-188.
Endorf, C. (2004). Outsourcing Security: The Need, the Risks, the Providers, and the Process. Information Systems Security, 12(6), 17-23.
Flowerday, S., & von Solms, R. (2005). Real-time information integrity=system integrity+data integrity+continuous assurances. Computers & Security, 24(8), 604-613.
Gottschalk, P. (2009). Knowledge management technology for organized crime risk assessment. Inf Syst Front, 12(3), 267-275.
Gray, P. (2011). Analytics, Risk, Management. Information Systems Management, 28(3), 275-279.
Hatefi, M., & Seyedhoseini, S. (2012). Comparative Review on the Tools and Techniques for Assessment and Selection of the Project Risk Response Actions (RRA). International Journal Of Information Technology Project Management, 3(3), 60-78.
Holzmann, V., & Spiegler, I. (2011). Developing risk breakdown structure for information technology organizations. International Journal Of Project Management, 29(5), 537-546.
Hsu, C., Backhouse, J., & Silva, L. (2013). Institutionalizing operational risk management: an empirical study. J Inf Technol, 29(1), 59-72.
Hui, K., Hui, W., & Yue, W. (2012). Information Security Outsourcing with System Interdependency and Mandatory Security Requirement. Journal Of Management Information Systems, 29(3), 117-156
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255.
Hutten, H. (2009). Ventricular Intramyocardial Electrograms and Their Expected Potential for Cardiac Risk Surveillance, Telemonitoring, and Therapy Management. IEEE Transactions On Information Technology In Biomedicine, 13(4), 426-432.
Javaid, M. Outsourcing Information Security: Contracting Issues and Security Implications. SSRN Journal.
Khidzir, N., Mohamed, A., & Arshad, N. (2013). ICT Outsourcing Information Security Risk Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal Of Industrial And Intelligent Information, 1(4), 218-222.
Khidzir, N., Mohamed, A., & Arshad, N. (2013). Information Security Requirement: The Relationship between Information Asset Integrity and Availability for ICT Outsourcing. LNIT, 1(3), 118-123.
Kutsch, E., & Hall, M. (2009). The rational choice of not applying project risk management in information technology projects. Project Management Journal, 40(3), 72-81.
Li, Z. (2014). Construction of the Operational Risk Management System of Bank by Information Technology. AMR, 926-930, 3774-3777.
Liu, L. (2011). Mirage or implementation pitfalls â€“ in defence of risk registers as an effective risk management tool. J Inf Technol, 26(4), 277-279.
MacKay, G. (2015). Poor Vulnerability Management is Increasing Data Breach Risk. PaymentsSource. Retrieved 5 February 2015, from https://www.paymentssource.com/news/interchange/poor-vulnerability-management-is-increasing-data-breach-risk-3020324-1.html
Mafakheri, F., Breton, M., & Chauhan, S. (2012). Project-to-Organization Matching. International Journal Of Information Technology Project Management, 3(3), 45-59.
Martins, C., Oliveira, T., & PopoviÄÂ, A. (2014). Understanding the Internet banking adoption: A unified theory of acceptance and use of technology and perceived risk application. International Journal Of Information Management, 34(1), 1-13.
Mercuri, R., & Neumann, P. (2001). Inside risks: system integrity revisited. Commun. ACM, 44(1), 160.
Mitev, N. (2011). Beyond health warnings: risk, regulation, failure and the paradoxes of risk management. J Inf Technol, 26(4), 271-273.
Motaleb, O., & Kishk, M. (2013). An Investigation into the Risk of Construction Projects Delays in the UAE. International Journal Of Information Technology Project Management, 4(3), 50-65.
Mustofa, K., Neuhold, E., Tjoa, A., Weippl, E., & You, I. (2013). Information and communication technology. Berlin: Springer.
Nazamoaylu, A., & Azsen, Y. (2010). Analysis of risk dynamics in information technology service delivery. Journal Of Ent Info Management, 23(3), 350-364.
Pappas, A., & Panagiotopoulos, P. (2009). Information Technology risk management in e-commerce: classical and catastrophic risk approaches. IJASS, 2(3), 250.
Parent, M., & Reich, B. (2009). Governing Information Technology Risk. California Management Review, 51(3), 134-152.
Parley, F. (2010). What does vulnerability mean?. British Journal Of Learning Disabilities, 39(4), 266-276.
Peng, Y., Kou, G., Wang, G., Wang, H., & Ko, F. (2009). Empirical evaluation of classifiers for software risk management. International Journal Of Information Technology & Decision Making, 08(04), 749-767.
Phishing and countermeasures: understanding the increasing problem of electronic identity theft. (2007). Choice Reviews Online, 44(11), 44-6276-44-6276.
Prado, E. (2011). Risk analysis in outsourcing of information technology and communication. JISTEM, 8(3), 605-618.
Reiffen, D., & Robe, M. (2010). Demutualization and customer protection at self-regulatory financial exchanges. J. Fut. Mark., 31(2), 126-164.
Reiter, J. (2011). Data confidentiality. Wiley Interdisciplinary Reviews: Computational Statistics, 3(5), 450-456
Rusu, L., & Hodosi, G. (2011). Assessing the risk exposure in IT outsourcing for large companies. IJITM, 10(1), 24.
Santos, F. (2008). FMEA AND PMBOK APPLIED TO PROJECT RISK MANAGEMENT. JISTEM, 5(2), 347-364.
Sentia, P., Mukhtar, M., & Shukor, S. (2013). Supply Chain Information Risk Management Model in Make-To-Order (MTO). Procedia Technology, 11, 403-410.
Serious Security Flaws Identified in Cloud Systems. (2011). Computer, 44(12), 21-23.
Shaw, D. (2014). Care.data, consent, and confidentiality. The Lancet, 383(9924), 1205.
Stack, R., Armstrong, J., Eure, D., Johnson, R., Tipler, S., Wagner, T., & Werkmeister, S. (2011). High integrity protective system design using a risk-based approach. Process Safety Progress, 30(2), 115-121.
Stafford, T. (2008). Technology in the Middle East. Journal Of Global Information Technology Management, 11(3), 1-3.
Taylor, A., Alexander, D., Finch, A., Sutton, D., & Taylor, A. (2013). Information Security Management Principles. Swindon: BCS Learning & Development Limited.
Taylor, H., Artman, E., & Woelfer, J. (2011). Information technology project risk management: bridging the gap between research and practice. J Inf Technol, 27(1), 17-34.
Teymouri, M., & Ashoori, M. (2011). The impact of information technology on risk management. Procedia Computer Science, 3, 1602-1608.
Vinaja, R. (2008). Information Systems Reengineering and Integration. Journal Of Global Information Technology Management, 11(2), 84-86.
Vinaja, R. (2009). Event-Driven Mobile Financial Information Services. Journal Of Global Information Technology Management, 12(3), 82-83.
Vinaja, R. (2013). IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing. Journal Of Global Information Technology Management, 16(3), 82-84.
Volpentesta, A., Ammirato, S., & Palmieri, R. (2011). Investigating effects of security incident awareness on information risk perception. International Journal Of Technology Management, 54(2/3), 304.
Ward, B., & Sipior, J. (2010). The Internet Jurisdiction Risk of Cloud Computing. Information Systems Management, 27(4), 334-339
Wever, M., Wognum, N., Trienekens, J., & Omta, O. (2012). Managing transaction risks in interdependent supply chains: an extended transaction cost economics perspective. Journal On Chain And Network Science, 12(3), 243-260. doi:10.3920/jcns2012.x214
Xue, L., Zhang, C., Ling, H., & Zhao, X. (2013). Risk Mitigation in Supply Chain Digitization: System Modularity and Information Technology Governance. Journal Of Management Information Systems, 30(1), 325-352.
Yau, S., An, H., & Buduru, A. (2012). An Approach to Data Confidentiality Protection in Cloud Environments. International Journal Of Web Services Research, 9(3), 67-83.
Yokouchi, A. (2007). Introduction of Weather Risk Management Technology in Farm Management. Agricultural Information Research, 16(4), 226-234.
ZawiÅ‚a-NiedÅºwiecki, J., & Byczkowski, M. (2009). Information Security Aspect of Operational Risk Management. Foundations Of Management, 1(2).
Faculty-staff.ou.edu, (2015). Retrieved 5 February 2015, from: https://faculty-staff.ou.edu/M/Shaila.M.Miranda-1/K&M01.pdf
Ittoday.info, (2015). Retrieved 5 February 2015, from: https://www.ittoday.info/AIMS/DSM/82-01-90.pdf
Nyu.edu, (2015). Retrieved 5 February 2015, from: https://www.nyu.edu/intercep/lapietra/FSA_DataSecurtiyinFinancialServcies.pdf
Warwick.ac.uk, (2015). Retrieved 5 February 2015, from: https://www2.warwick.ac.uk/fac/soc/wbs/conf/olkc/archive/olkc1/papers/109_singh.pdf