IT Contracting
The recommendations given by Heiser and Nicolett (2008) and by Davis, Schiller, and Wheeler (2011) are essentially very similar. Both agree that IT services should be watched carefully in order to meet the needs of the organization. According to Heiser and Nicolett (2008):
1. Organizations that already have sourced external services for IT risk assessment should use the same model of service for all aspects of cloud computing.
2. They also recommend that, prior to using cloud-based services, there should be a legal protocol in place that is used to regulate and audit any potential challenge, issue, or problem that has to do with location independence and service subcontracting.
3. Only contract with vendors who show 100% transparency in their practices, from how they store data, to how they apply analytics.
4. All alternative ways of delivering cloud computing services should also be controlled and secured. For this reason, there should be another protocol and strategy in place, complete with an approval process that can be accepted and understood by other business managers. This control and security will also reflect the appropriateness of the alternate delivery practices.
The recommendations by Davis, Schiller, and Wheeler (2011) are similar in principle, but they go further into the process of contracting and distinguish different levels of contracts.
1. An onsite model for cloud service entails hiring an external source to provide the service, train the people, and monitor the operations of cloud storage and data access. This is done because the IT team should take computing issues away from employees so that they can focus on their everyday work.
2. The offsite model also entails getting a third party involved, but they do it remotely. They still share the same responsibilities.
3. Supplemental labor is not the same as contracting. It essentially means asking an employee with higher technology skills to take on additional tasks at work, like an in-house mini task force. Such employees are governed by the company's policies, unlike sourced services, which are their own corporation.
4. Offshoring means contracting a company to solve basic technical issues for the corporation. They operate remotely and are used only when needed.
The recommendations of Davis, Schiller, and Wheeler are similar to those of Heiser and Nicolett in the following areas:
1. Transparency from the contractor: the contractor must be willing to produce the procedures and protocols they use to protect company data and to gain access to it. They should also be willing to establish the extent to which they protect information.
2. There must be a plan in place in the event that something happens to the data: a) breaches, b) losses, and c) mistakes should all have a solution as well as a preventive plan.
3. The employer should approve and be a part of every aspect of the contracting of IT services.
4. Employees should conduct periodic auditing of data security to determine the effectiveness of the protocols in place.
5. Review the contracts to make sure that the tasks for the contractors meet the real needs of the company.
QUESTION 2
The framework that is all about IT governance and is comprised of 215 high-level control objectives plus 215 lower-level control activities is Control Objectives for Information and Related Technology, or COBIT. This framework was developed by the IT Governance Institute, was published in 1996, and is the most recognized framework for IT.
The seven qualities that are emphasized by COBIT are:
1. Effectiveness
2. Integrity
3. Confidentiality
4. Efficiency
5. Availability
6. Reliability
7. Compliance
QUESTION 3
The IT controls that must be evaluated to be in compliance with SOX requirements are:
• Access control
• Change control
• Data management
• IT operations
• Network operations
• Asset management
Auditing Standard No. 5 sets requirements for, and explains what goes into, the audit of how management assesses the effectiveness of internal control over financial reporting. This is important because it shows that there are processes in place to assure that the reporting is transparent and effective.
This said, three control areas that help with this are asset management, data management, and change control. These control areas were selected for the following reasons:
Asset management allows managers to see where all the assets are going, who has control over them, how they are being used, and under what circumstances. This is imperative because controlling the assets is one thing, but accounting for them is altogether different. It is comparable to having access to a bank account versus breaking down how the assets within that bank account are being utilized. For example, I could grant access to my bank account to my mother, my siblings, or my children. However, this alone does not let me see who is taking what from the account, or for what reason. This is where asset management comes in. It provides the additional and very important data that needs to be known in order to determine whether the assets are being used optimally and are not wasted.
The second control selected is data management. Data management means that managers will know where the data is stored, who accesses it, how it is retrieved, how it is used, and what happens in the event of a breach. Data access is fundamental to any organization, as data holds the very essence of the organization, from statistics to employee information, budgets, and much more. It is imperative, therefore, to treat control of data as the number one priority in any field.
The third control is change control, that is, all the information necessary to know who takes over what, and at what intervals data, assets, and other information change "hands." Any change must be accounted for, and there must be a rationale for making it. Things that are well established within an organization are put together based on data acquired, a plan, a vision, a mission, and a goal. Hence, change should not happen anywhere unless the data generated shows that some element within the organization is not working.
This said, every time any change is proposed, from personnel to data access, there must be accountability and awareness by everyone of why the change needs to take place. Also, a system must be in place to review whatever change needs to occur and to verify that the change was actually made effectively. As is obvious, IT has a lot to do with every field, and the optimal use of IT is imperative for the safety and security of any group.
References
Davis, C., Schiller, M., & Wheeler, K. (2011). IT Auditing: Using controls to protect information assets (2nd ed.). New York: McGraw-Hill.
Heiser, J., & Nicolett, M. (2008). Assessing the security risks of cloud computing (G00157782). Stamford, CT: Gartner, Incorporated.
PCAOB. (n.d.). Auditing Standard No. 5. Retrieved from http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx#introduction