Saturday, December 7, 2019
IT Risk Significant Technology Decision
Question: Discuss the IT Management Risk Significant Technology Decision.

Answer:

Introduction

IT risk management is the application of risk management methods to information technology, in order to manage the risks that IT poses (McNeil, Frey and Embrechts 2015). Business risk is associated with the use, adoption, ownership, influence, involvement and operation of IT within an organization. This report therefore acts as an interface between business technologists and stakeholders, translating potential technical difficulties into the language of risk so that stakeholders can make effective decisions. The project considered is one executed by a fictional company, Aztec, to outsource key IT functions such as application development, desktop management or the network to a third party. The project carries several significant IT-related risks that need to be managed in support of the business case for whether the project should go ahead. The report gives a clear statement of the project and sets out recommendations to Aztec management on its merits, based on a risk assessment. It also reviews the project in the context of the financial services sector, covering relevant industry or government regulation and compliance as well as established best practices. It explores the impact of the project on Aztec's current security posture, as expressed by the organization's current maturity against its IT security policies and procedures. Finally, it assesses risks in terms of threats, vulnerabilities and consequences derived from an IT control framework, together with any existing industry risk recommendations for this project.
In particular, the study addresses data security risks from the project's viewpoint: what data would be used, who would have access to it and where it would flow.

Project Review

Aztec operates in the financial services sector in Australia. Its management has decided to undertake a project to outsource key IT functions, such as application development, desktop management or the network, to a third party (Olson and Wu 2015). This section reviews that project. Aztec has decided to outsource its enterprise network, application development or desktop management, and the project needs to be executed through a well-structured process. Network outsourcing is an annuity or multi-year contract covering the purchase of telecom management or ongoing network services to manage, support, enhance and maintain the network premises or core infrastructure, or the telecommunications assets (DeAngelo and Stulz 2015). Aztec intends to outsource its network because migrating part of the network to a third party's services shifts the burden of operation and administration away from the organization. Enterprise network outsourcing does not include discrete, project-based professional services or staff augmentation, nor services based on the physical cable plant or other facilities-related services. The network outsourcing solutions portfolio implemented by Aztec is designed to give the organization a starting block from which to better understand where Interoute can help drive the company's network deployments.
Aztec has also focused on outsourcing desktop management in order to cut operational costs. Outsourcing desktop management lets the organization reallocate IT resources to more critical issues, and it can also reduce financial risk by limiting up-front capital outlays for equipment and resources and by shifting assets such as PCs off the balance sheet (Tjader et al. 2014). Application outsourcing, in turn, offers a wide range of application services including staff augmentation, management of packaged applications, offshore programming, legacy systems maintenance and new development. The project can be reviewed against the industry and government regulation and compliance requirements that apply to outsourcing of the network, desktop management and application development in the financial services sector. Outsourcing has become a significant component of cost control and business operations for financial institutions. In this area, the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC) have issued guidelines on how financial institutions can manage third-party risk (Spithoven and Teirlinck 2015). The major regulations for the Australian financial services sector are the Prudential Standard on Outsourcing and the Prudential Practice Guide on Outsourcing. Of the two, the Prudential Practice Guide on Outsourcing applies to banks, whereas the Prudential Standard on Outsourcing generally applies to insurance companies. The main purpose of outsourcing regulation is to protect customers' interests, and these regulations ensure that regulators maintain control over the regulated institutions.
These regulations also protect shareholders and others who are connected with the financial services sector or who fund such enterprises. To carry out the project, Aztec has set regulations requiring its outsourcing contracts to meet several objectives in order to remain viable in the financial services industry, namely:

Providing robust service levels
Requiring the service provider to protect confidentiality
Containing provisions for business continuity
Restricting sub-contracting
Containing a governing law clause (normally the law of Aztec's jurisdiction)

Aztec has adopted an outsourcing policy approved by the organization's management, together with an approval process for all proposed outsourcing of desktop management, application development and the network (Hopkin 2017). Aztec has also implemented a framework for assessing materiality and periodically reviews the capability of its chosen service providers.

Project Impact on the Current Security Posture

Measured against Aztec's current maturity with respect to its IT security policies and procedures, the outsourcing project has a large impact on the organization's security posture. The financial services industry is regulated by several contradictory regulatory requirements at state and country level (Pritchard and PMP 2014). Financial services organizations such as Aztec face numerous challenges, with several differing views on compliance obligations and large inconsistencies and overlaps between mandates. As a result, silo-based solutions and excessive controls are driving up complexity and cost.
Several significant security breaches, at JPMorgan Chase, the Montana Department of Public Health, KB Kookmin Card, Target and others, demonstrate that being compliant is not necessarily a guarantee that all risks are adequately managed and mitigated (Hirschheim and Dibbern 2014). The industry regulations Aztec has adopted for the outsourcing project therefore have both positive and negative effects on its implementation with respect to the security of the operations performed in the financial services sector. It is important to identify and monitor compliance obligations, but it is equally important to prepare the company to respond to previously unknown vulnerabilities in a timely manner. This can be achieved by building adequate flexibility into the organization's risk-and-control framework, so that new and emerging vulnerabilities are continuously monitored and recognized within a comprehensive security risk management framework. Although overall growth in outsourcing has declined, this sector remains the outsourcing market's biggest customer. Organizations today support multinational operation through regional hubs and centralized shared services (Marti and Scherer 2016), and financial services organizations increasingly depend on partner ecosystems to provide customer-focused, efficient and cost-effective business services. Information security has become a serious concern in any outsourcing arrangement, particularly where it involves moving services, workloads or applications, let alone sensitive data, overseas.
With the help of the industry regulations discussed above, financial services organizations have also made progress and matured in the security posture of the financial operations Aztec undertakes (Nienaber, Hofeditz and Searle 2014). Financial organizations such as Aztec have become forward-leaning when it comes to cyber security collaboration. For example, the FS-ISAC forum encourages industry collaboration on cyber security in relation to the outsourcing operations undertaken by the organization, and a core value of that forum is the sharing of threat intelligence among member companies. It is also fair to say, however, that Aztec will always be a target for security problems, especially cyber attacks. The organization has also developed an overarching international compliance framework by identifying all applicable requirements and then eliminating overlapping obligations, using the outsourcing regulations it has adopted.

Risk Assessment

Having reviewed the project in the context of the financial services sector and its impact on Aztec's current security posture, it is also important to assess the threats, vulnerabilities and consequences derived from an IT control framework (Gill, Bunker and Seltsikas 2015), and to derive and explore existing recommendations relating to industry risk.

Risk Identification

Several risks potentially affect the outsourcing project undertaken by Aztec. They are as follows.

Regulatory Compliance across Geographies

Aztec faces issues arising from several differing views on compliance obligations, with inconsistencies and large overlaps between mandates (Chakrabarty and Bass 2015).
As a result, silo-based solutions and excessive controls drive up complexity and cost. Information security is also a delicate matter with respect to compliance.

Cross-Border Data Transfer, Data Protection and Data Security

Aztec is not able to clearly identify and classify its data according to criticality and sensitivity. The organization has traditionally focused on deploying several point solutions to manage intentional or unintentional data leakage (Feng, Wang and Li 2014). A further issue is the difficulty of aligning the company's operating model and supporting environment with the regulatory requirements for outsourcing the network, desktop management and application development. Concerns about the privacy of sensitive information have led to the adoption of specific regional and jurisdictional mandates in several countries worldwide.

Information Security Management Requirements beyond the Enterprise Boundary

Outsourcing has become accepted business practice for financial organizations, enabling customer-focused, efficient and cost-effective business operations. Conventional models were used to outsource non-core internal functions such as IT equipment maintenance, whereas newer models reach deep into the supply chain. Aztec has begun actively consuming cloud services and engaging several business partners to provide material business functions such as insurance brokerage and claims management (Chance and Brooks 2015). These trends introduce new information security challenges and complex data-sharing requirements that must be managed proactively, so that the services meet the business goals and data is protected throughout its lifecycle, from collection to destruction.
Cyber Risk Management for Advanced and Emerging Threats

Cyber security is a dynamic problem of value, volume and velocity with respect to the outsourcing of the network, desktop management and application development: the threat agent is covert, unknown and equipped with the arms and skills to exploit the weakest link (Hopkin 2017). Cybercrime is aggressive and widespread and poses a key threat to national and economic security, and many financial services organizations do not share information about threats or cooperate externally.

Risk Resolving Recommendations

Finding suitable risk recommendations is a significant part of risk assessment once the threats, vulnerabilities and consequences have been identified (Spithoven and Teirlinck 2015). Aztec should therefore follow several recommendations to resolve the risks associated with outsourcing the network, desktop management and application development. The organization should implement an overarching global compliance framework by identifying all applicable requirements and then eliminating overlapping obligations. The requirements should be mapped to the specific regulations of Australia and to the operating environment (Sadgrove 2016). Testing and reporting on control effectiveness should be centralized where feasible to ensure consistency and further reduce compliance cost; this would allow Aztec to report its compliance status to several regulatory bodies by mapping controls to the regulations that apply in Australia. Aztec should take a holistic view of its data security requirements, maintained through a comprehensive data governance framework (Bromiley et al. 2015).
That framework covers geographic compliance requirements, roles and responsibilities, reporting on assets and inventory, data handling and classification, and technical solutions such as data leak prevention. Aztec should also implement continuous risk assessment by introducing a process for monitoring for unknown vulnerabilities (Mortimer and Mortimer 2015). Enriching its information sources with threat-indicator monitoring, analytical capability and notification would benefit the organization.

Addressing Risks for Data Security

Risks generally arise in the data security of an organization's outsourcing operations when one of three criteria is not met: confidentiality, integrity and availability of data. These three are the most important aspects of data security and must be maintained properly for financial operations to succeed (Ho et al. 2015). The pattern of data breaches over the past few years shows that some security controls are particularly effective at mitigating the kinds of attacks that threaten data security. The data security and information security issues raised by this project can therefore be addressed best by applying more suitable processes and controls, and these risk mitigation techniques can greatly improve Aztec's security posture. Aztec should use network access controls and network segmentation to protect sensitive data. Interconnecting all of the organization's digital functions may be convenient for its internal stakeholders (Lam 2014), but doing so would leave Aztec more vulnerable to breaches.
Instead, the systems that store and process the sensitive information of the enterprise's financial operations should be identified and segmented onto separate networks. The organization should also employ application blacklisting, which greatly reduces the chance of a non-approved application or user infiltrating the system. Aztec should review its vulnerability and patch management program (Galliers and Leidner 2014). Installing security patches to fix software flaws has become a routine task for IT teams everywhere, and it is also essential to have a means of validating that all necessary patches have been applied. The outsourcing project should also have intrusion detection capability covering both log and traffic monitoring; cyber criminals count on financial services organizations being complacent about their intrusion detection monitoring (Samarati 2014). The network infrastructure and servers should be monitored regularly for unauthorized incoming connection attempts, including file system modifications, unusual root or administrator access activity and incoming port scans. Attending properly to all of these data security risk mitigation techniques would effectively reduce the risk of security breaches associated with the outsourcing operations (McNeil, Frey and Embrechts 2015). Finally, financial services organizations such as Aztec should take a holistic view of data security requirements, maintained through a comprehensive data governance framework that covers reporting on assets and inventory, data handling and classification, geographic compliance requirements, and roles and responsibilities.
Conclusion

This report has presented a project review in the context of the financial services sector and carried out the risk assessment for Aztec's project to outsource the network, application development and desktop management. It has given an in-depth view of the major industry and government regulations Aztec has adopted in proceeding with the outsourcing project: the organization follows the guidelines of the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC), and it also follows the Prudential Standard on Outsourcing and the Prudential Practice Guide on Outsourcing, the two major Australian regulations on outsourcing. The project's impact on the current security posture has been interpreted by analysing the cyber security issues and the ways of resolving them. The study has identified the threats and vulnerabilities and set out techniques for mitigating them as part of the risk assessment. Lastly, it has addressed the data security risks, which helps the organization maintain information security while implementing the outsourcing project.

References

Bromiley, P., McShane, M., Nair, A. and Rustambekov, E., 2015. Enterprise risk management: Review, critique, and research directions. Long Range Planning, 48(4), pp.265-276.
Chakrabarty, S. and Bass, A.E., 2015. Comparing virtue, consequentialist, and deontological ethics-based corporate social responsibility: Mitigating microfinance risk in institutional voids. Journal of Business Ethics, 126(3), pp.487-512.
Chance, D.M. and Brooks, R., 2015. Introduction to Derivatives and Risk Management. Cengage Learning.
DeAngelo, H. and Stulz, R.M., 2015. Liquid-claim production, risk management, and bank capital structure: Why high leverage is optimal for banks. Journal of Financial Economics, 116(2), pp.219-236.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256, pp.57-73.
Galliers, R.D. and Leidner, D.E., 2014. Strategic Information Management: Challenges and Strategies in Managing Information Systems. Routledge.
Gill, A.Q., Bunker, D. and Seltsikas, P., 2015. Moving forward: Emerging themes in financial services technologies' adoption. Communications of the Association for Information Systems, 36(1), p.12.
Hirschheim, R. and Dibbern, J., 2014. Information technology outsourcing: towards sustainable business value. In Information Systems Outsourcing (pp. 1-19). Springer Berlin Heidelberg.
Ho, W., Zheng, T., Yildiz, H. and Talluri, S., 2015. Supply chain risk management: a literature review. International Journal of Production Research, 53(16), pp.5031-5069.
Hopkin, P., 2017. Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. Kogan Page Publishers.
Lam, J., 2014. Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons.
Marti, E. and Scherer, A.G., 2016. Financial regulation and social welfare: The critical contribution of management theory. Academy of Management Review, 41(2), pp.298-323.
McNeil, A.J., Frey, R. and Embrechts, P., 2015. Quantitative Risk Management.
Mortimer, S.T. and Mortimer, D., 2015. Quality and Risk Management in the IVF Laboratory. Cambridge University Press.
Nienaber, A.M., Hofeditz, M. and Searle, R.H., 2014. Do we bank on regulation or reputation? A meta-analysis and meta-regression of organizational trust in the financial services sector. International Journal of Bank Marketing, 32(5), pp.367-407.
Olson, D.L. and Wu, D.D., 2015. Enterprise Risk Management (Vol. 3). World Scientific Publishing Co Inc.
Pritchard, C.L. and PMP, P.R., 2014. Risk Management: Concepts and Guidance. CRC Press.
Sadgrove, K., 2016. The Complete Guide to Business Risk Management. Routledge.
Samarati, P., 2014, May. Data security and privacy in the cloud. In International Conference on Information Security Practice and Experience (pp. 28-41). Springer International Publishing.
Spithoven, A. and Teirlinck, P., 2015. Internal capabilities, network resources and appropriation mechanisms as determinants of R&D outsourcing. Research Policy, 44(3), pp.711-725.
Tjader, Y., May, J.H., Shang, J., Vargas, L.G. and Gao, N., 2014. Firm-level outsourcing decision making: A balanced scorecard-based analytic network process model. International Journal of Production Economics, 147, pp.614-623.