Managing Outsourced IT Projects' Security Risks

Abstract

In recent years, IT outsourcing business practices has become widespread across different types of organizations in an endeavor to enhance their business operations and achieve competitive services. While IT outsourcing brings several benefits to organizations such as cost reductions, access to highly skilled human experts, and access to the latest technology, it has inherent risks such as security risks and the loss of control over IT assets. With the lack of a comprehensive approach for managing these security risks, outsourcing security risk management remains a practical challenge. The growing challenge of service integration across multiple outsourced IT service providers, as well as the variations in security requirements, which result from the differences in the scope of outsourced services, expand this challenge further. In our previous work, we developed a framework for managing security risks in the outsourcing context. This framework is designed to manage variation in security requirements, as well as to provide a methodology to guide organizations in security management and implementation. In this paper, we present the results of the case study that we conducted to evaluate the proposed framework. As a case study, we have used two outsourced IT projects. The proposed framework was applied to the two outsourced IT projects from the beginning of the projects' execution until their end. The aim of this case study was to assess the ability of the proposed framework to effectively manage the security and compliance risks of IT projects in the outsourcing context. It also aimed to discover potential changes and improvements that could enhance the proposed framework's performance when outsourcing IT projects.