Main functions of IT
IT is an essential component of success in the financial sector. Financial institutions all over the world are trying to come up with new and improved ways of making their services more desirable and efficiently available to their customers. Their efforts have led to the availability of internet services in the banking sector such as telebanking, internet banking, self-inquiry facilities and anywhere banking-everywhere banking (ATMs). Aztek company has not been left behind in these developments. The organization has incorporated IT in most of its operations with the aim of achieving a competitive advantage (Terlizzi et al, 2017). The major IT functions in Aztek include planning, communication, technology support, network development and data management and security.
Planning is mostly encompassed by Enterprise Resource Planning (ERP), which is a cross-functional technological approach that takes care of all the roles undertaken in an organization. Aztek’s IT team works with the executive management to come up with an IT strategy that supports all the organizational departments as well as its objectives. The team is also responsible for ensuring that there are enough IT resources in the organization (Peppard, J., & Ward, J., 2016).
IT enables efficient and instant communication within and without the organization hence increasing collaboration among the employees and between the management and the workers. This enhances the efficiency and effectiveness of the work done.
Technology support is provided by the IT team whereby they attach manuals for user support on every part of a new or improved technology to enable all employees to make effective use of the new resource. This service is also extended by the provision of ongoing support to users through a helpdesk in the organization’s intranet.
It is essential for Aztek’s IT team to provide Data Management and Security measures. They should protect the company’s data from viruses and cyber-attacks such as hacking, which could result in crucial information being altered or destroyed permanently. Critical information should also be encrypted to avoid leaks. Data management is achieved via the use of databases that store, manage and control access to the organization’s data (Chi et al, 2017).
Network Development entails coming up with a new network that supports communication and teamwork within the organization as well as enabling the outside stakeholders such as customers to have easy access to its services. For example, Aztek’s IT team deploys Internet Protocol (IP) networks that can carry data, voice and video messages in a single network.
Outsourcing IT Services: Introduction
There has been an increase in the rate at which financial service providers all over the world have been obtaining IT services from outside sources even when their IT team can undertake the obligation (Verwaal, E., 2017). Surveys carried out in the financial industry in the past have shown that financial institutions outsource substantial portions of their regulated and even unregulated functions, sometimes across a country’s boundaries (offshore outsourcing). Some organizations move their operations to other countries or have foreign subsidiaries in a foreign country carry out their functions for them (offshoring).
The IT services that Aztek is considering outsourcing are: desktop management, application development and maintenance, Managed Security Services (MSS) and network development.
Application development and maintenance: this includes coding which should follow a laborious Software Development Life Cycle (SDLC) created as part of the service provider’s standard quality process. The suppliers should therefore strictly follow the specifications given to them by their clients. The organization’s management should monitor the procedures to compare the actual performance with the expected levels of service provider parameters.
Desktop management: this entails physical hosting of servers and other IT assets, continuous monitoring and capacity management of the latter, server builds and application software installation and upgrading, backup and restoration and recovery of server systems in case of a tragedy. Local Area Network (LAN) establishment and maintenance is also included in this category.
Managed Security: this takes care of the safety of the entire IT infrastructure and all data assets in the organization.
Regulation of outsourcing is majorly important for the protection of consumer interests. It also protects stakeholders such as shareholders and policy-holders. Outsourcing is also regulated to protect the rights of the suppliers. Such regulations include:
- Outsourcing agreement should be signed with the service provider
- The outsourcer should be named in the contract
- As a regulated entity, Aztek should have in place a comprehensive policy to guide on whether and how the IT functionality can be appropriately outsourced. The management should retain responsibility for the outsourcing policy and all other activities carried out under this policy
- It should also ensure that the outsourcing activity does not diminish its ability to serve customers or impede operative regulation
- The entity should exercise due diligence in picking third-party service providers.
- Written documents that clearly describe all the important features of the outsourcing arrangement should dictate the latter
- Backup facilities should be provided for by both the outsourcers and the institution to take care of any disaster that may arise
- The organization should take appropriate steps requiring that the vendors protect its confidential information and that of its clients
- Aztek should take into account outsourcing activities as an integral part of their ongoing assessment of the regulated entity.
Reasons for outsourcing
An organization’s decision to outsource depends on a combination of logistical, organizational and financial considerations. In Aztek’s case, the principal reason for outsourcing would be cost reduction. This stems from the fact that long-term outsourcing contracts convert the variable costs involved into fixed costs, thus making IT usage in the organization more predictable. Cost reduction is achieved through the project’s Return on Investment (ROI) over a long period of time. This method is used because Aztek is planning on outsourcing the resources for a while to enhance its growth and expansion.
ROI = (total benefits - total costs) / total costs
Return on Investment Cumulation - Example
In this case, for example, ROI = (213000 - 181000) / 181000
ROI = 0.177
This is equal to 18 percent, which is relatively beneficial to the organization in that period of time. Thus, the organization procures more benefits than losses from the outsourcing.
Other advantages include:
- Tax advantage: outsourcing expenses are deducted from the current earnings that would have otherwise been subtracted from an internal data processing department’s hardware over time which is usually included in taxes.
- Risk sharing: this results from shared responsibilities between the company and the expert undertaking those functions.
- Improved concentration on other business functions: many organizations outsource minor business processes to outside vendors to put all their energy on carrying out core business functions. Software and hardware upgrades become the responsibility of the outsourcer, thus the client no longer has to deal with the day-to-day information system operations.
- There is a possibility for yielding capital if the outsourcer purchases Aztek’s hardware assets to use in his or her work.
- Cash flow improvements: this results from the transfer of software licenses and personnel to the supplier. This also includes maintenance costs for the data center and release of the organization from the obligation of a previously leased plant or equipment.
- Expertise: organizations also outsource to ensure that those functions are performed excellently especially in cases where there are no experts in that area within the organization. Their facilities are equipped with excessively designed systems to avert power and cooling failures and to detect leakage of water, smoke or extreme heat and anything else that would adversely affect system action. The vendors’ operation procedures might include advanced system and communication monitoring tools that are designed to ensure uninterrupted processing and network availability.
Impacts of Outsourcing on Aztek’s Security
Aztek’s infrastructural and data security measures do a very good job in ensuring the organization’s data safety and smooth running of the computer system. The IT team has however been quite occupied lately with trying to fulfill major requirements of the organization such as planning. The current security system has therefore been running for a while and needs an update. Because Aztek’s IT team has insufficient time, it is more efficient to outsource these security services. Unfortunately, there are various risks associated with this process, both to the organization as a whole and to the stakeholders (Riggins, F., & Weber, D., 2016).
Cyber risks describe the possibility of loss, disruption in daily business operation, or damage to an organization’s reputation caused by dysfunction in its Information Communication Technology (ICT), computer networks and systems.
Cyberattacks refer to any offensive action undertaken by nations, organizations, groups of people or individuals targeting computer information systems, networks or other infrastructure (Page et al, 2017). They include cybercrimes and cyber espionage.
Cybercrime is any crime involving a computer or a network whereby the latter may have been used in committing the misconduct or where it is the target. These offenses are committed with a criminal motive of intentionally ruining the reputation of the individual or the organization or causing physical or psychological harm or costing the victim otherwise. Cybercrime therefore may threaten an individual’s or organization’s security and financial position (Johnson, A. L., 2016).
Cyber Espionage or Cyber Spying
It refers to the use of computer networks to gain unauthorized access to an organization’s confidential information (Bang et al, 2017). Acquiring those services from outside the organization would expose its important data to the third party. Activities such as desktop management, application and network development enable the developer to come into contact with their client’s crucial data. The vendors could use that information against Aztek later on in case of an argument or a misunderstanding or for their selfish gains. In other words, the outsourcer may not be an individual of great character and may use that opportunity to get into the organization’s system, get confidential information and probably share it with the company’s competitors.
Additionally, this information can be obtained by use of malicious software, hacking or proxy servers to hinder Aztek from ever tracing the leak to their outsourcers. They may also have the motive to continue control over the organization’s computer system even long after their contract has ended, for strategic advantages or sabotaging reasons.
Computer fraud refers to an act of misrepresenting data to make an organization or individual do or refrain from doing something that will eventually lead to losses (Cumming et al, 2017). Procuring IT personnel from outside the organization would make Aztek vulnerable to computer fraud since the outsourcer may alter the data in the company’s system and consequently mislead all the other operators. This can be achieved through changing or deleting stored data, altering data before entry, entering false data, or destroying, stealing or altering the output. This is easily achievable by the individuals at the desktop management and is usually hard to detect.
Bank fraud refers to the use of illegal means to obtain money, property or other assets held or owned by a financial institution or the act of fraudulently posing as a bank in order to receive currency from depositors. Not directly affiliated to Aztek, it is possible for the outsourcers to acquire these resources for their benefit or someone else’s (Kshetri, N., & Voas, J., 2017). There are various types of bank fraud such as stolen cheques and payment cards, forgery in checks and documents, fraudulent wire transfer, bill discounting, skimming or duplication of card information, impersonation or identity theft and money laundering. All these actions can be easily carried out via the internet or by a group of people working together. A fraudulent outsourcer who apart from knowing his or her way around the bank, its operations and its worth also has computer intellect will find it incredibly simple to obtain these resources with limited help or even with no help at all.
A cyber terrorist is someone who threatens or coerces an organization to advance their wishes by launching a computer-related attack against their systems, networks or information contained in them. The outsourcer may take the opportunity of working for Aztek to advance his or her objectives. For example, he or she may create a virus that would attack Aztek’s computer systems long after the work is done and make demands to the organization with the aim of achieving his or her goals.
Outsourcing of key IT functionality exposes Aztek to malicious hackers who subject their computer system to repeated denial of service or other attacks. These hackers may be affiliated with the outsourcers and end up asking for money or other resources in return for ending the attacks.
Cyber Risks Mitigation
Aztek should take proper steps to ensure that connected devices around the institution are well connected to have a chance at beating the cyber criminals at their own game. These steps include regular change of pass codes, creation of complex passwords and disabling unnecessary remote connections and features. The organization’s technology team should have a thorough understanding of the continuously evolving cyber risks and the knowledge on how to mitigate them. This is, however, not a problem just for the IT team but for the organization as a whole. The institution’s management should ensure that it has enough resources to take care of the arising cyber-attacks. In addition, it should constantly educate its employees, especially the IT personnel, on how to avoid giving rise to those risks or manage them where they are inevitable.
It is evident that outsourcing key IT functionality to the third party is a risky decision for an organization to make. Those risks can however be managed to minimize them, especially since most of them are brought to the company by untrustworthy vendors. An organization should therefore make sure that the outsourcer they are about to work with is trustworthy. It should also make their agreement legal by ensuring that it is a written document and signed by the supplier. The organization should involve its lawyer in this process no matter how well the outsourcer is known to them (Johnson, K. N., 2015). Categorically, the risks involved are:
In the case where the supplier is not an expert there would arise inconsistencies in the workflow such as untimely delivery, inappropriate categorization of responsibilities and low-quality output. The supplier may also not have full focus on Aztek’s requirements which would lead to incompletion of the task designated to him or her. Outsourcing key IT functionalities would also be an expensive exercise due to the nature of those functions. This is important work to the organization and the vendor may take advantage of that fact to make his or her services even costlier.
Exit Strategy Risk
Over-reliance on one firm to work on Aztek’s IT department may put it in jeopardy whereby appropriate exit strategies are not put in place. This also arises from the loss of the required crucial skills within the organization preventing it from undertaking its own IT tasks.
If Aztek decides on offshore outsourcing, the other nation’s political, economic and legal climate may create added risks. This would increase the complexity of the outsourcing process in addition to that of business continuity, growth and expansion.
This is the possibility of loss arising from failure in contract performance. This happens when one or all the parties fail to honor the terms of their agreement.
Outsourcing may hinder a regulated entity from providing required information to the regulators in time, leading to unplanned-for misunderstandings and delay in the organization’s workflow.
Lack of Ownership
In outsourcing the client has to give over control to the supplier. Aztek would therefore lose ownership of their outsourced IT functionality up until the installation of the project is over.
Data classification is the process of organizing data into various groupings for efficiency and ease of data retrieval and usage.
Data classification is important because it enables organizations to cut storage and backup costs while speeding up data searches. It can also help the company meet legal and regulatory requirements for retrieving a certain piece of information within the given timeframe.
Written procedures and approaches for data classification should define the groups and conditions the organization uses to organize data and stipulate the duties and responsibilities of all employees in the company regarding information stewardship. A data steward is a senior-level employee who oversees the lifecycle of all the institutional data.
Data lifecycle provides an overview of stages involved in successful management and preservation of an organization’s data for use and reuse. This management is achieved via a policy-based approach called Data Life Cycle Management (DLM) that supervises the institutional data throughout its lifecycle.
The process of data classification begins with creating a data classification scheme, followed by formation of security standards that stipulate appropriate data management practices for each class and storage specifications that outline the data’s lifecycle necessities. For effectiveness, an organization scheme should be simple and easy enough so that all employees can implement it without major setbacks. A data classification scheme can appear as indicated below:
Category 1: data that may be freely exposed to the public such as an organization’s contact information
Category 2: internal data that can only be disclosed to stakeholders of the company, for example, organizational charts
Category 3: sensitive internal data that can negatively impact the organization’s operations if disclosed. This may include employee reviews and contracts with third parties such as outsourcers
Category 4: highly sensitive data that could put the company in legal or financial risk if disclosed, for example, customer account information and employee social security numbers.
Table: Risks and Risk Mitigation for various data categories (surviving entries: data loss, imperfect deletion; encryption, digital signatures, biometrics, authorization)
Risks To Data
This is a deliberate attack on an institution’s stored data by outsiders probably with malicious intent, for example criminals looking to sell the data for money. This can sometimes cause more damage than the exposure of the data to the public.
Data loss or Accidental loss
An organization’s data can land in the hands of the wrong people through daily careless handling of the latter by those responsible for it. Mishandling involves actions such as losing, misplacing or forgetting a laptop in a public place, file and backup tapes misplacement (Maurer et al, 2017).
Imperfect or Improper data deletion
Before an organization decides to sell all its old computers and other IT infrastructure the personnel responsible should ensure that they have properly and completely erased all the data that the components previously contained. Once those devices have been sold, they no longer belong to the company and therefore any information that may have been retained in them is susceptible to the public (Puthal et al, 2017).
In addition, leaving important data without encrypting it with a password or some code makes it vulnerable to hackers and even thieves. Important paper files should be properly disposed of as well, by use of a cross-cut paper shredder, recycling or trustworthy trash pickup service regarding appropriate disposal.
Effective Data Risk Management
Data encryption is one of the most popular and competent data security methods used by organizations currently. It refers to the process of translating data into another form of code whereby only persons with a specific password or a secret key, formally a decryption key, can have access to it (Mazumder et al, 2017).
Data encryption is done by use of encryption algorithms and its main importance is to protect digital data confidentiality while it is being transmitted to other computer networks via the internet or during storage. Encryption algorithms offer non-repudiation, integrity and authentication, that is, they ensure that the sender cannot deny having sent the message, the message has not changed since it was sent and that the origin of the message can be verified.
Authorization entails specifying access rights or privileges. In an organizational situation this applies to category 4 of data whereby due to its highly sensitive nature, only the directors or the management of the company are allowed access to this data (Bertino, E., & Ferrari, E., 2017). This restriction of access to a certain class of data may be achieved via the use of certain cards that are only issued to the senior management or other personnel who are allowed access.
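An added example (not part of the original essay) showing how the four-category scheme described earlier and the category 4 restriction above could be enforced as an access check. The role names, default clearances, vendor grant list, contract-expiry rule and sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Category(IntEnum):
    PUBLIC = 1            # may be freely exposed to the public
    INTERNAL = 2          # stakeholders of the company only
    SENSITIVE = 3         # sensitive internal data
    HIGHLY_SENSITIVE = 4  # legal or financial risk if disclosed


# Assumption: highest category each role may read by default. Only the
# category 4 restriction to directors and management comes from the essay.
CLEARANCE = {
    "employee": Category.INTERNAL,
    "outsourcer": Category.INTERNAL,
    "management": Category.HIGHLY_SENSITIVE,
    "director": Category.HIGHLY_SENSITIVE,
}


@dataclass(frozen=True)
class Asset:
    name: str
    category: Category
    encrypted: bool = False


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    contract_end: Optional[date] = None   # set for outsourcer accounts
    grants: FrozenSet[str] = frozenset()  # category 3 assets granted by name


def decide(who: Principal, asset: Asset, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for one read request."""
    if asset.category == Category.PUBLIC:
        return True, "public data"
    if who.role not in CLEARANCE:
        return False, "unknown role"
    # Category 3 and 4 data is only served from encrypted storage.
    if asset.category >= Category.SENSITIVE and not asset.encrypted:
        return False, "asset not encrypted"
    if who.role == "outsourcer":
        # Vendor access ends with the contract, whatever was granted earlier.
        if who.contract_end is None or today > who.contract_end:
            return False, "vendor contract ended"
        if asset.category == Category.HIGHLY_SENSITIVE:
            return False, "category 4 is limited to directors and management"
        if asset.category == Category.SENSITIVE:
            if asset.name in who.grants:
                return True, "explicit vendor grant"
            return False, "no explicit grant"
    if asset.category <= CLEARANCE[who.role]:
        return True, "role clearance"
    return False, "role clearance too low"


# Constructed sample data for the demonstration.
ASSETS = {a.name: a for a in [
    Asset("contact_info", Category.PUBLIC),
    Asset("org_chart", Category.INTERNAL),
    Asset("vendor_contract", Category.SENSITIVE, encrypted=True),
    Asset("employee_reviews", Category.SENSITIVE, encrypted=False),
    Asset("customer_accounts", Category.HIGHLY_SENSITIVE, encrypted=True),
]}
PEOPLE = [
    Principal("dana", "director"),
    Principal("eli", "employee"),
    Principal("vendor_active", "outsourcer", date(2025, 12, 31),
              frozenset({"vendor_contract"})),
    Principal("vendor_expired", "outsourcer", date(2024, 12, 31),
              frozenset({"vendor_contract"})),
]


def audit(today: date):
    """Evaluate every principal against every asset: (who, asset, allowed, reason)."""
    return [(p.name, a.name) + decide(p, a, today)
            for p in PEOPLE for a in ASSETS.values()]


if __name__ == "__main__":
    for row in audit(date(2025, 6, 1)):
        print("%-15s %-18s %-5s %s" % row)
```

The unencrypted category 3 asset is refused even to a director, and the expired vendor account is refused everything except public data.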
Use of Digital Signature
In financial institutions, digital signatures are used to prove the authenticity and integrity of customers, for example, during account opening in banks. They are equivalent to handwritten signatures and stamped seals. Digital signatures have an advantage over handwritten paperwork since they cannot be easily forged, tampered with, refuted or destroyed (Tiwari, P. K., & Joshi, S., 2016). They are also time-saving in that customers don’t have to wait long for the paperwork to be completed. This also applies in the case of account opening where the process can take only an hour or even minutes unlike a while ago when it took days sometimes. The digital medium also enables documents to be tracked as they move from the sender to the receiver. The only disadvantage posed by these documents is that they are not allowed in court in every jurisdiction, unlike paperwork.
Biometrics is used as a means of identification and in controlling access to specific data. This control is achieved by the use of distinctive measurable characteristics known as biometric identifiers, which are categorized as either physiological characteristics (fingerprints, face recognition, iris recognition and DNA) or behavioral characteristics, which include typing rhythm, gait and voice recognition. The biometric identity system specifies an individual using these quantifiable biological features. Biometrics authentication is an effective method of securing data from unauthorized individuals since the identifiers cannot be shared between persons.
In summary, it is evident that outsourcing key IT functionality is a weighty decision for a financial institution like Aztek and therefore should not be taken lightly. It is an incredibly advantageous action if the organization is cautious in choosing its outsourcers as it allows the IT team more time to concentrate and work on other core activities that affect the company such as planning for the future. This leads to growth and expansion of the organization, which is the main goal for many developing companies, Aztek included. Outsourcing IT functionality also has other benefits such as possible increase in cashflow, tax and expenses reduction and decrease in the work load for the institution’s IT personnel. Outsourcing can be a very risky activity, however, especially if the organization does not have perfect knowledge of or has no acquaintance with the service provider. It would therefore be a smart decision for the organization to have adequate security on their data. Securing important information about a company such as Aztek would ensure that there is no leakage of facts to the public and unauthorized individuals have no access to it. Currently, the most common and effective methods of securing data used by many organizations all over the world are biometrics, digital signatures, authorization and encryption. Aztek should also adopt these means of data security and be ready to employ any other systems that are devised in the future regarding the latter.
Lacity, M., Yan, A., & Khan, S. (2017, January). Review of 23 Years of Empirical Research on Information Technology Outsourcing Decisions and Outcomes. In Proceedings of the 50th Hawaii International Conference on System Sciences.
Verwaal, E. (2017). Global outsourcing, explorative innovation and firm financial performance: A knowledge-exchange based perspective. Journal of World Business, 52(1), 17-27.
Cumming, D., Johan, S., & Schweizer, D. (2017). Information systems, agency problems, and fraud. Information Systems Frontiers, 19(3), 421-424.
Terlizzi, M. A., & Albertin, A. L. (2017). IT benefits management in financial institutions: Practices and barriers. International Journal of Project Management, 35(5), 763-782.
Chi, M., Zhao, J., George, J. F., Li, Y., & Zhai, S. (2017). The influence of inter-firm IT governance strategies on relational performance: The moderation effect of information technology ambidexterity. International Journal of Information Management, 37(2), 43-53.
Peppard, J., & Ward, J. (2016). The strategic management of information systems: Building a digital strategy. John Wiley & Sons.
Riggins, F., & Weber, D. (2016). Exploring the impact of information and communication technology (ICT) on intermediation market structure in the microfinance industry. The African Journal of Information Systems, 8(3), 1.
Galliers, R. D., & Leidner, D. E. (Eds.). (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.
Clark, G. L., & Monk, A. H. (2013). The scope of financial institutions: in-sourcing, outsourcing and off-shoring. Journal of Economic Geography, 13(2), 279-298.
Puthal, D., Nepal, S., Ranjan, R., & Chen, J. (2017). A dynamic prime number based efficient security mechanism for big sensing data streams. Journal of Computer and System Sciences, 83(1), 22-42.
Bertino, E., & Ferrari, E. (2017). Big data security and privacy. In A Comprehensive Guide Through the Italian Database Research Over the Last 25 Years (pp. 425-439). Springer International Publishing.
Makeshwar, P. S., & Borse, G. (2017). Improving Security in Group Based Data Sharing Using Multicast Key Agreement. International Journal of Engineering Science, 4468.
Mazumder, S., Shaw, N. K., Dey, B., & Mahmuda, F. (2017). ENHANCE THE DATA SECURITY BY CHANGING THE ENCRYPTION TECHNIQUE BASED ON DATA PATTERN IN BLOCK BASED PRIVATE KEY DATA ENCRYPTION. International Journal, 8(7).
Tiwari, P. K., & Joshi, S. (2016). Data security for software as a service. In Web-Based Services: Concepts, Methodologies, Tools, and Applications (pp. 864-880). IGI Global.
Page, J., Kaur, M., & Waters, E. (2017). Directors’ liability survey: Cyber-attacks and data loss—a growing concern. Journal of Data Protection & Privacy, 1(2), 173-182.
Bang, S. W., Jung, B. S., & Lee, S. C. (2017). Research on financial institutional network partition design for anti-hacking. Journal of Computer Virology and Hacking Techniques, 1-7.
Kshetri, N., & Voas, J. (2017). Banking on Availability. Computer, 50(1), 76-80.
Matania, E., Yoffe, L., & Goldstein, T. (2017). Structuring the national cyber defense: in evolution towards a Central Cyber Authority. Journal of Cyber Policy, 2(1), 16-25.
van Wegberg, R. S., Klievink, A. J., & van Eeten, M. J. G. (2017). Discerning Novel Value Chains in Financial Malware. European Journal on Criminal Policy and Research, 1-20.
Kolini, F., & Janczewski, L. (2017). Clustering and Topic Modelling: A New Approach for Analysis of National Cyber Security Strategies.
Johnson, A. L. (2016). Cybersecurity for Financial Institutions: The Integral Role of Information Sharing in Cyber Attack Mitigation. NC Banking Inst., 20, 277.
Maurer, T., Levite, A., & Perkovich, G. (2017). Toward a global norm against manipulating the integrity of financial data (No. 2017-38). Economics Discussion Papers.
Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS quarterly, 39(1).
Malhotra, Y. (2015). Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, &, Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides).
Johnson, K. N. (2015). Cyber Risks: Emerging Risk Management Concerns for Financial Institutions. Ga. L. Rev., 50, 131.
Uma, M., & Padmavathi, G. (2013). A Survey on Various Cyber Attacks and their Classification. IJ Network Security, 15(5), 390-396.
Broadhurst, R., Grabosky, P., Alazab, M., Bouhours, B., & Chon, S. (2014). An analysis of the nature of groups engaged in cybercrime.
Mikhed, V., & Vogan, M. (2017). How Data Breaches Affect Consumer Credit.
Qiu, M., Gai, K., Thuraisingham, B., Tao, L., & Zhao, H. (2016). Proactive user-centric secure data scheme using attribute-based semantic access controls for mobile clouds in financial industry. Future Generation Computer Systems.
Grossman, S. A., & Roy, P. (2016). Learn the 5 keys to boosting effectiveness of your cybersecurity program. Campus Security Report, 13(4), 1-6.
Martins, C., Oliveira, T., & Popovič, A. (2014). Understanding the Internet banking adoption: A unified theory of acceptance and use of technology and perceived risk application. International Journal of Information Management, 34(1), 1-13.