Information security risk factors and management framework for ICT outsourcing / Nik Zulkarnaen Khidzir

Information Communication Technology (ICT) services have become increasingly important in today’s business environment with most private and government agencies without sufficient resources and expertise outsourcing their ICT projects to vendors. However, this strategy could invite potentially damag...

Full description

Bibliographic Details
Main Author: Khidzir, Nik Zulkarnaen
Format: Thesis
Language:English
Published: 2013
Online Access:http://ir.uitm.edu.my/id/eprint/18328/
http://ir.uitm.edu.my/id/eprint/18328/1/ABS_NIK%20ZULKARNAEN%20KHIDZIR%20TDRA%20VOL%204%20IGS%2013.pdf
Description
Summary:Information Communication Technology (ICT) services have become increasingly important in today’s business environment with most private and government agencies without sufficient resources and expertise outsourcing their ICT projects to vendors. However, this strategy could invite potentially damaging information security risks (ISRs). Subsequently, a dedicated framework for information security risk management for ICT outsourcing activities needs to be in place to address and manage its related risk factors. The research focuses on managing Information Security Risks (ISRs) in ICT outsourcing projects in a Malaysian environment. The mixed research method, combining the quantitative and qualitative was employed to achieve the research objectives. 110 respondents participated in a survey while focus groups from eight organizations were interviewed. From the quantitative study, the critical information security risks in ICT outsourcing project were identified and ranked. Furthermore, through an exploratory factor analysis, two additional critical Information Security Risk (ISR) factors were discovered, being information security management defects and the challenges of managing unexpected change of service providers. Results show that organizations practiced Information Security Risk- Identification; Information Security Risk-Analysis; Information Security Risk- Treatment Plan; Information Security Risk-Treatment Plan Implementation; Information Security Risk-Monitoring; and Information Security Risk-Control. However, there was divergence in the key activities practiced due to several factors. The findings were then used as a basis for the framework development. The framework proposed step-by-step processes, activities and guidelines to be taken in managing Information Security Risk (ISR). The case study results discovered organizations had excluded some of the processes and activities due to financial, resources and time constraints. However, the framework confirmatory done through expert-judgement proves that the framework had thoroughly assessed information security risk management from an outsourcing perspective and is applicable to ICT projects implemented in Malaysia. Fundamentally, the development of the framework will enable organizations to identify ISR factors and to urgently address them so that the full benefits of ICT outsourcing may be reaped.