Author:
Giacchero Andrea, Moretti Jacopo
Abstract
Third-party risk for external ICT services, which concerns both outsourced services and third-party products, is a crucial issue for a financial institution, because a cyber attack on a vendor can threaten the data of its customers. For this reason, financial institutions should adopt a holistic risk management framework that stresses the effectiveness of mitigating actions even when they engage a third-party provider. Risk analysis of external ICT services is necessary to prepare proper mitigation plans with sufficient resource allocation. This paper proposes a possible management framework whose aim is to provide indications on the security measures and controls to implement against the possible sources of ICT third-party risk, and to define a proper internal process that a financial institution should adopt. In this context, the framework also embodies a model to pick the best vendor among those a financial institution could choose for an ICT service, based on a risk assessment technique focused on the three information security dimensions (confidentiality, integrity, and availability) and on the Borda method.
Publisher
Italian Association of Financial Industry Risk Managers (AIFIRM)