Information security in offshoring business processes
Design and implementation of controls guidelines
More Info
expand_more
Abstract
In the times of emerging technologies and rising individuals’ awareness more light is shed on privacy and associated risks. This does not go unnoticed by regulators, that develop and enforce tighter requirements towards organisations. Simultaneously, outsourcing relationships develop and offshoring as well as nearshoring are still popular among cost-optimisation methods. While many security methods are discovered and developed and numerous standards and best practices exist that talk about information security management systems, there is only limited literature on how to develop and implement these controls so that they bring the expected value. The goal of this research was to present guidelines for designing and implementing information security management system controls on basis of identified risks and issues with controls existing at the time. This was to support existing financial institutions with improving their internal controls for information security when engaging in offshoring relationships. The goal was achieved through qualitative methods: case study observation followed by a questionnaire that was distributed among and answered by information security advisors and specialists with extensive experience in financial sector. Case study is a Swiss globally operating bank that outsources its processes to a number of offshore and nearshore locations. The bank has had a number of controls and processes already well established at the time of the research. This research confirms that financial institutions face various obstacles and issues at different phases of offshoring. The most commonly identified included: dispersed responsibilities, issues arising at the time of offshoring that could be identified prior to decision to outsource and finally – lack of power to enforce technical controls over vendors. The guidelines developed include but are not limited to: focus on additional areas when preparing for offshoring initative, establishing and defining responsibilities across different teams in the organisation and with the vendor and defining detailed contractual clauses. The findings from this thesis also open opportunities for further research – to investigate the relationship between these guidelines and efficiency of information security management system or to quantify impact of these guidelines in order to prioritise them. Similar research could also be conducted in other sectors and organisations to provide evidence for the research generalization.