Please use this identifier to cite or link to this item: http://theses.ncl.ac.uk/jspui/handle/10443/4600
Title: Managing security and compliance risks of outsourced IT projects
Authors: Almutairi, Moneef Saad S
Issue Date: 2019
Publisher: Newcastle University
Abstract: Several sources of constraints, such as business, financial and legal, can lead organisations to outsource some of their IT services. As a consequence, different security risks may be introduced, such as confidentiality, integrity and availability risks. Analysing and managing the potential security risks in the early stages of project execution allow organisations to avoid or mitigate the impact of these security risks. Several organisations have adopted ISMS standards and frameworks in an endeavour to manage outsourced IT project security risks. In this thesis, existing ISMS standards and frameworks have been reviewed and analysed to assess their ability to effectively manage the security and compliance risks of outsourced IT projects and satisfy their security needs. The review reveals that existing ISMS standards and frameworks represent only general security recommendations and do not consider variation in security requirements from one organisation to another. There is also a lack of adequate guidance for implementing or complying with these standards and frameworks, and they are not designed to manage the security and compliance risks of outsourced IT projects. To overcome these weaknesses, a new framework has been introduced. The framework is a structured approach that is designed to manage variation in security requirements, as well as provide a methodology to guide organisations for the purpose of security management and implementation. The framework was evaluated using different evaluation methods including a focus group, questionnaire, and case study, which were also used to generate recommendations and suggestions for improvements. The evaluation results confirmed that the framework provided the participants with an effective approach for managing security and compliance risks in the outsourcing context. It was understandable, easy to use, and independent from different constraints such as project size, cost or execution time. 
The framework is now ready to be put into practice by organisations that intend to outsource their IT services partially or totally.
Description: PhD Thesis
URI: http://theses.ncl.ac.uk/jspui/handle/10443/4600
Appears in Collections: School of Computing Science

Files in This Item:
File                      Description   Size       Format
Almutairi MSS 2019.pdf    Thesis        2.68 MB    Adobe PDF
dspacelicence.pdf         Licence       43.82 kB   Adobe PDF

