The derivation of a conceptual model for IT security outsourcing

IT security outsourcing is the establishment of a contractual relationship between an organization with an outside vendor which assumes responsibility for the organisation’s security functions. Outsourcing in IS has had a variable history of success and the complexity of the decision making process leads to a substantial degree of uncertainty. This is especially so in the realm of IS security since the protection of both hardware and software systems is placed in the hands of an external provider. This paper is a fuller and more comprehensive paper of a previous paper outlining the effectiveness of the decision making process by means of a conceptual model using Soft System Methodology techniques that integratessecurity benefits, costs and their respective performance measures. In this paper the methodology used to develop the model is discussed in detail.

A conceptual model for security outsourcing

This research analyses the current literature on IT security outsourcing and the organisational attitudes towards this approach to determine the applicability of outsourcing IT security in a commercial environment. A conceptual model is developed as the main goal of research which provides guidance in the process of outsourcing IT security functions to a third-party security service provider. The research conducted has established a complete process for outsourcing IT security.

The derivation of a conceptual model for outsourcing IT security

IT security outsourcing is the establishment of a contractual relationship with an outside vendor to assume responsibility for one or more security functions. Outsourcing in IS has had a variable history of success and the complexity of the decision making process leads to a substantial degree of uncertainty. This is especially so in the realm of IS security since the protection of both hardware and software systems in is placed in the hands of an external provider. This is the second paper discussing the improvement of the effectiveness of the decision making process by means of a conceptual model using Soft System Methodology techniques that integrates security benefits, costs and their respective performance measures. In this paper the methodology used to develop the model and its validation are discussed.

Anatomia de uma empresa militar e de segurança privada: a empresa DynCorp em perspectiva global

Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)

Could the Outsourcing of Incident Response Management provide a Blueprint for Managing Other Cloud Security Requirements?

Postprint

Outsourcing data storage without outsourcing trust in cloud computing

The main theme of this thesis is to allow the users of cloud services to outsource their data without the need to trust the cloud provider. The method is based on combining existing proof-of-storage schemes with distance-bounding protocols. Specifically, cloud customers will be able to verify the confidentiality, integrity, availability, fairness (or mutual non-repudiation), data freshness, geographic assurance and replication of their stored data directly, without having to rely on the word of the cloud provider.

Computer security incidents against Australian businesses : predictors of victimisation

Drawing on data from the Australian Business Assessment of Computer User Security (ABACUS) survey, this paper examines a range of factors that may influence businesses’ likelihood of being victimised by a computer security incident. It has been suggested that factors including business size, industry sector, level of outsourcing, expenditure on computer security functions and types of computer security tools and/or policies used may influence the probability of particular businesses experiencing such incidents. This paper uses probability modelling to test whether this is the case for the 4,000 businesses that responded to the ABACUS survey. It was found that the industry sector that a business belonged to, and business expenditure on computer security, were not related to businesses’ likelihood of detecting computer security incidents. Instead, the number of employees that a business has and whether computer security functions were outsourced were found to be key indicators of businesses’ likelihood of detecting incidents. Some of the implications of these findings are considered in this paper.

Outsourcing income tax returns : convenient and/or controversial

This paper investigates the outsourcing of income tax return preparation by Australian accounting firms. It identifies the extent to which firms are currently outsourcing accounting services or considering outsourcing accounting services, with a focus on personal and business income tax return preparation. The motivations and barriers for outsourcing by Australian accounting firms are also considered in this paper. Privacy, security of client data, and the competence of the outsourcing provider's staff have been identified as risks associated with outsourcing. An expectation relating to confidentiality of client data is also examined in this paper. Statistical analysis of data collected from a random sample of Australian accounting firms using a survey questionnaire provided the empirical data for the paper. The results indicate that the majority of Australian accounting firms are either currently outsourcing or considering outsourcing accounting services, and firms are outsourcing taxation preparation both onshore and offshore. The results also indicate that firms expect the volume of outsourced work to increase in the future. In contrast to the literature identifying labour arbitrage as the primary driver for organisations choosing to outsource, this study found that the main factors considered by accounting firms in the decision to outsource were to expedite delivery of services to clients and to enable the firm to focus on core competencies. Data from this study also supports the literature which ndicates that not all tax practitioners are adhering to codes of conduct in relation to client confidentiality. Research identifying the extent to which accounting services are outsourced is limited, therefore significant contributions to the academic literature and the accounting profession are provided by this ndicates that not all tax practitioners are adhering to codes of conduct in relation to client confidentiality. Research identifying the extent to which accounting services are outsourced is limited, therefore significant contributions to the academic literature and the accounting profession are provided by this study.

On secure outsourcing of cryptographic computations to cloud

For the past few years, research works on the topic of secure outsourcing of cryptographic computations has drawn significant attention from academics in security and cryptology disciplines as well as information security practitioners. One main reason for this interest is their application for resource constrained devices such as RFID tags. While there has been significant progress in this domain since Hohenberger and Lysyanskaya have provided formal security notions for secure computation delegation, there are some interesting challenges that need to be solved that can be useful towards a wider deployment of cryptographic protocols that enable secure outsourcing of cryptographic computations. This position paper brings out these challenging problems with RFID technology as the use case together with our ideas, where applicable, that can provide a direction towards solving the problems.

Crocodiles in the regulatory swamp: navigating the dangers of outsourcing, SaaS and shadow IT

Corporates are entering the brave new world of the internet and digitization without much regard for the fine print of a growing regulation regime. More traditional outsourcing arrangements are already falling foul of the regulators as rules and supervision intensifies. Furthermore, ‘shadow IT’ is proliferating as the attractions of SaaS, mobile, cloud services, social media, and endless new ‘apps’ drive usage outside corporate IT. Initial cost-benefit analyses of the Cloud make such arrangements look immediately attractive but losing control of architecture, security, applications and deployment can have far reaching and damaging regulatory consequences. From research in financial services, this paper details the increasing body of regulations, their inherent risks for businesses and how the dangers can be pre-empted and managed. We then delineate a model for managing these risks specifically focused on investigating, strategizing and governing outsourcing arrangements and related regulatory obligations

IT outsourcing issues in Singapore : the vendor's perspective

Most studies undertaken in the area of IT outsourcing seem to focus only on the customer’s perspective leaving a gap in knowledge about the vendor’s perspective. This study aims to correct this deficiency by investigating the views of four organisations providing IT services in Singapore, and comparing this to the current literature base of customer views. The findings showed that the vendor’s views about security, contract management and flexibility differed from the customer’s point of view. However, two issues, partnerships and vendor inexperience, seem to match the vendor issues found in this study. Additionally, two approaches were found to be used by vendors in the IT outsourcing activities, multiple-team approach and single-team approach. A multiple–team approach is likely to be used by vendors having a contract-based relationship and single-team approach is likely to be used by vendors having a partnership-based relationship.

Above the trust and security in cloud computing : a notion towards innovation

While the nascent Cloud Computing paradigm supported by virtualization has the upward new notion of edges, it lacks proper security and trust mechanisms. Edges are like on demand scalability and infinite resource provisioning as per the `pay-as-you-go' manner in favour of a single information owner (abbreviated as INO from now onwards) to multiple corporate INOs. While outsourcing information to a cloud storage controlled by a cloud service provider (abbreviated as CSP from now onwards) relives an information owner of tackling instantaneous oversight and management needs, a significant issue of retaining the control of that information to the information owner still needs to be solved. This paper perspicaciously delves into the facts of the Cloud Computing security issues and aims to explore and establish a secure channel for the INO to communicate with the CSP while maintaining trust and confidentiality. The objective of the paper is served by analyzing different protocols and proposing the one in commensurate with the requirement of the security property like information or data confidentiality along the line of security in Cloud Computing Environment (CCE). To the best of our knowledge, we are the first to derive a secure protocol by successively eliminating the dangling pitfalls that remain dormant and thereby hamper confidentiality and integrity of information that is worth exchanging between the INO and the CSP. Besides, conceptually, our derived protocol is compared with the SSL from the perspectives of work flow related activities along the line of secure trusted path for information confidentiality.