Emerald Group Publishing Limited
Copyright © 2006, Emerald Group Publishing Limited
The term outsourcing is extensively used to describe several different types of services provided by third parties. Information technology (IT) outsourcing is known as the provision of IT goods and services or business processes by an external contractor. This external contractor controls, to a large extent, the overall organization and provision of the outsourced computer-based services.
During recent years, major IT outsourcing companies have exhibited substantial growth in outsourcing revenues, while revenues in other areas actually fell. Companies usually choose to outsource peripheral functions in a cost-saving way, aiming to concentrate on core activities. The present and future of IT outsourcing, both as a whole and as a percentage of IT expenditure, looks promising.
Information security and privacy issues in IT outsourcing
At the same time, there is a rapid increase in the number of information security threats and vulnerabilities. Threats originate from sources that may be internal or external, amateur or professional, motivated by personal gain, business profit, political cause, etc. The vulnerabilities that threats may exploit in order to cause a security incident may be technical, procedural, organisational, etc.
It is, therefore, clear that the demand for highly qualified security experts will increase, a demand that in real-market terms cannot be fulfilled. Consequently, businesses, in particular small and medium ones, are in a way forced to outsource IT security services. The outsourcing security services paradigm is in line with the typical service provider model. Nowadays, managing security service providers is the fastest growing service type across all vertical markets.
Clearly, IT outsourcing poses new security and privacy problems. These are even more intense when IT security services are outsourced.
The papers in this special issue address aspects of security and privacy issues of IT outsourcing.
M. Karyda, E. Mitrou and G. Quirchmayr, in their paper entitled “A framework for outsourcing information systems security services”, stress that outsourcing of IS/IT security functions is a relatively new management practice that confronts organizations with difficult dilemmas that have not yet been looked into. Security and privacy are among the primary concerns that prohibit organizations from outsourcing their functions. In their paper, the authors describe the fundamental aspects of IS/IT security outsourcing and bring to the foreground the specific organizational, technical and legal issues that should be considered when making an IS/IT security outsourcing arrangement. Moreover, the paper examines the privacy requirements pertaining to IS/IT security outsourcing, adopting the perspective of the European Union, and suggests how outsourcing arrangements can comply with these requirements.
H. Debar and J. Viinikka, in their paper entitled “Security information management as an outsourced service”, describe their point of view that security information management has emerged as a strong need to ensure the ongoing security of information systems. Given the cost and knowledge required to deploy intrusion detection and prevention devices and build a successful security information management environment, several service providers offer outsourced security information management within their managed security services offerings. In this paper, the authors introduce and describe an architecture for outsourcing a security information management platform, and discuss the issues associated with the deployment of such an environment.
The paper by D. Lekkas and C. Lambrinoudakis entitled “Outsourcing digital signatures: a solution to key management burden” points out that the major drawbacks of client-generated digital signatures are the requirement for effective and secure management of the signing keys and the complexity of the cryptographic operations that must be performed by the signer. The authors introduce the idea of outsourcing digital signatures to a trusted third party; they claim that this could be an elegant solution to the key management burden. The authors investigate whether this is legally and technically feasible and propose a framework for outsourced digital signatures. In this approach, a relying party trusts a Signature Authority for the tokens it issues, rather than a Certification Authority for the certificates it creates in a traditional PKI scheme. Given that a signing request is strongly authenticated, the authors argue that passing the control of signature creation to a Signature Authority rather than the signer herself/himself is not a stronger concession than the dependence on an identity certificate issued by a Certification Authority.
Sokratis K. Katsikas and Stefanos Gritzalis, Guest Editors