The Federal Information Security Management Act (FISMA) initiative was aimed at providing detailed machinery and guidelines to be followed to ensure effectiveness in risk management processes through reporting on security compliance against a set of internal controls.
The act contains clauses that seek to protect information, assets and systems from unauthorized access, tampering or modification, with the aim of maintaining the confidentiality and integrity of information (Spring, 2010). These were designed to protect government or institutional information systems from compromise by network attacks. The FISMA act achieves this by monitoring the activities of people who have access to an institution's information but are not directly employed by it. This class includes external service providers, enterprise service providers and vendors. When a firm or an institution decides to use an outsourcing firm, it exposes itself to risks, as this paper shows.
The Use of an External Service Provider for Data Storage
An External Service Provider is a legally external and independent body that performs certain activities, such as data storage, without being part of the company. Others define an external service provider as a person or an organization outside the firm who holds special skills that the company requires. Whereas there are advantages to acquiring the services of an external service provider, there are also risks, which include the following.
If the external service provider is not trustworthy or plans to breach the agreement, he or she can use the company's data for applications other than those specified in the contract. It remains important for the company to ensure that personal information, if any, is used only for the specific purposes for which it is meant. Another risk arises if the external service provider discloses information to outside parties even though no freedom-of-information request or subpoena requires it.
To minimize the risks involved when using an external service provider, a company should introduce security and management measures that ensure non-public information remains private and confidential. The company can also draft the contract with the External Service Provider so that it addresses all the risks, security controls and procedures for information systems, and ensure that all of the guidelines are attended to.
To mitigate the risks involved, one needs to put more focus on the following items: the service provider contract, the service levels agreed by the involved parties, and the reporting and alerting capabilities of the External Service Provider. The External Service Provider should also ensure that the records provided by the council are put in proper documentation in both manual and electronic formats so that, in case of alterations, there is always proof for or against a claim. Finally, however urgent a request for information may be, the External Service Provider should never release the data to any third party in the absence of a clearly written agreement.
The Use of an Enterprise Service Provider for Processing Information Systems Applications Such As a Payroll, Human Resources, or Sales Order Taking
Enterprise Service Providers ensure that their clients achieve the best results by making use of best practices and innovative technologies, integrated within the system to provide the transformation a company or business needs. They achieve this by ensuring that information systems capitalize on the agency or company structure; most institutions prefer them because they utilize cost-effective methods in technology and agency-wide resources.
However, the risk involved with an Enterprise Service Provider is the problem of privacy. If another company happens to use the same hardware that supports the company's human resources and payroll systems, it can technically steal the company's information and sell it to others if it thinks it is worthwhile. If it happens to sell the information to one of the client's competitors, this can give that competitor a cutting edge over the client.
To manage the risks involved, the institution needs to identify and prioritize the risks and then work at developing the tools, processes and structures that can build a sustainable risk management program.
The Use of a Vendor to Support Desktop Computers
Most clients prefer using desktop vendors because of their ability to arrange products according to origin, which makes the buying process easier: one simply clicks the product line that suits him or her. The use of a vendor to support desktop computers requires remote support from numerous technology vendors. For example, in a large company, many vendor technicians may require periodic access to application servers to ensure the infrastructure is functioning properly. This is a major threat to the organization because the clients are never able to regulate and control the vendors as they would wish, so information can easily be leaked.
The Use of a Vendor to Provide Network Support
In the recent past, there has been increased reliance on the network for application support. This is because using vendors as network support providers allows customers to use the network better and more effectively while reducing operational expenses.
Despite this, the risks involved depend on the services provided. If one allows the vendors to manage all the patching, firewalls and routers, among other things, and even the logging systems, there is a risk of having someone with administrative login access who is not a direct employee. It may also be difficult to monitor or audit the activities of these vendors, so the client cannot question the vendors' activities directly.
The risks involved when using a vendor to provide network support are quite numerous, and to contain them the client and the vendor should both agree on policies and procedures to be followed to ensure the risks are minimal. These policies should be considered for inclusion in the contract to ensure that security protection is maintained. There should also be a written contract with the vendor that makes it mandatory for the vendor to use the protections and that optimally reserves certain rights to the client or the financial institution (Khosrowpour, 2001).
Khosrowpour (2001). Managing Information Technology in a Global Economy. New York: Idea Group Inc (IGI) Publishers.
Spring, K. (2010). Federal Information Security Management Act: Faulkner Information Services. Web.