Published in: Information Management & Computer Security, Vol. 20 Iss: 5, pp.332 – 349.
Information security and business continuity management in interorganizational IT relationships
Jonna Järveläinen, Turku School of Economics, University of Turku
Abstract
Purpose: This paper aims to understand how managers of IT and information security aim to enhance information security and business continuity management in interorganizational IT relationships, such as outsourcing, cloud computing and interorganizational systems.
Design/methodology/approach: An explorative study of large multinational or local organizations operating in Finland was conducted. In total, 18 IT and information security managers were interviewed with semistructured questions.
Findings: First, we discovered that several methods such as contracts, audits and standards were applied to balance power relationships between organizations or transfer responsibilities to other parties. The objectives of these methods are different within organizations. Secondly, we present a comprehensive view of different security and continuity solutions in interorganizational IT relationships. The findings have practical value for IT managers and information security experts.
Research limitations: The interviews were conducted in different organizations. Therefore, it is suggested that a single in-depth study that examines the phenomenon on different organizational levels within one organization would supplement the findings. Further studies on the power, trust and control balance of interorganizational IT relationships are required.
Originality: This paper builds on and expands information security and business continuity literature by illustrating that audits and standards play different roles in interorganizational IT relationships within organizations, and that contracts form the basis of those relationships. Information security problems and business continuity breaches caused by external partners and outsourcing vendors affect the reputation and value of the client company. Therefore, managers must have the means to ensure the continuity of operations.
Keywords information security management, business continuity management, interorganizational IT relationships, outsourcing, software as a service, interorganizational systems
1 Introduction
“OP Bank has problems in telecommunication – several offices have been closed and their bank cards do not function” was headline news in a European country in winter 2011 (Ranta, 2011). The problems resulted from a fault in the switch coupling made by the outsourcing partner of the bank. In the following week, the bank had problems in payment handling resulting from an interruption to the European payment system. Although companies can outsource their IT infrastructure and have interorganizational information systems, they cannot ignore the possible risk to their reputation if their external partners fail to provide the service required of them. Prior intraorganizational research on information security management (ISecM) has focused on policies, technical controls and standards. Business continuity management (BCM) research is based on technical disaster recovery inside an organization. However, the resilience of subcontractors has not received the interest in the area of ICT that it has in manufacturing. There is also a vast amount of literature on the context area, namely outsourcing (Dibbern et al., 2004; Lacity et al., 2010) and interorganizational systems (Lyytinen and Damsgaard, 2011; Romano et al., 2010), but BCM and ISecM have received very little attention. The research question of this paper is: How can IT and information security managers enhance business continuity and information security management in different interorganizational IT relationships? We aim to contribute to BCM and ISecM literature by extending intraorganizational theoretical frameworks to interorganizational contexts. In addition, we present current management practices used in interorganizational IT as well as the purposes the practices have in the private organizations studied. In this paper we report the results of an interpretive study on business continuity and information security management in interorganizational relationships (IOR).
We gathered data by interviewing 18 chief information security officers (CISO) or their equivalent in multinational and local companies operating in Finland that employ at least 250 people. All the organizations had IORs and many used software as a service (SaaS) or had outsourced at least some of their IT services. The findings detail how careful the organizations try to be in their BCM and ISec, although the variety and quantity of different interorganizational IT relationships is challenging.
2 Separate research areas: Business continuity management, information security management, IT outsourcing and interorganizational systems
Business continuity management (BCM) aims to identify potential risks and avoid, minimize or prepare for them so as to continue business processes and services without interruption (Gibb and Buchanan, 2006). It is a socio-technical approach, in which the emphasis is on preparation for possible continuity problems. Therefore, it has strategic implications for preserving the value of the organization (Herbane et al., 2004). Service disruptions have been discovered to have significant negative effects on customer loyalty (Wang et al., 2010). BCM also includes social aspects, not just technical back-ups; thus, an awareness of the importance of business continuity is essential for ensuring disruption-free operations (Herbane et al., 2004). Although BCM literature has focused on the development and planning of business continuity in a single organization, its diffusion and standardization (Herbane, 2010a) within organizations as well as their internal IT relationships should also be studied, especially within networked corporations.
Information security (ISec) management argues that the focus of information security within organizations should be on business and management and not technical issues (von Solms and von Solms, 2004). Furthermore, ISecM should be governed in a comprehensive rather than in project-based manner (Bayuk, 2009; Eloff and Eloff, 2003). Standards and governance systems have been the focus of ISec management research, although they have been found somewhat superficial (Ma and Pearson, 2005; Siponen and Willison, 2009). However, ISec management research has focused mainly on how ISec is ensured within organizations (Fang et al., 2012), or the studies have been general or technically oriented (Luor et al., 2008; Wu et al., 2011). In addition, interorganizational relationships have expanded the need for research that crosses organizational boundaries (Fink, 1994). Practically all organizations have some interorganizational relationships and systems. The most commonly studied IOR is an IT outsourcing relationship. Fink (1994) argues that when IT is outsourced the focus of the security function moves from securing the physical protection of the IT assets to recovering the resources during service interruptions, i.e. business continuity. Software as a Service (SaaS) and virtual environments have also become part of everyday operations, and security issues often affect the relationship between the service provider and client (Steinfield et al., 2011; Wu et al., 2011). Another type of interorganizational IT relationship is based on interorganizational systems (IOS). They have been defined as “an information system used jointly by at least two autonomous organizations that draw upon common and/or shared IT [information technology] capabilities” (Lyytinen and Damsgaard, 2011). There are many kinds of interorganizational systems and many categorizations (Lyytinen and Damsgaard, 2011; Romano et al., 2010). 
The information security of IOSs has been studied, although the interorganizational part is better covered by governance frameworks than scientific papers (Hardy and Williams, 2010). Studies on BCM in interorganizational systems are scarce; most papers focus on supply chain resilience (Sheffi and Rice, 2005; Starr et al., 2003) and not the IT aspect of interorganizational systems, which this paper attempts to cover.
3 Business continuity, information security frameworks in interorganizational IT relationships
Business continuity management has roots in crisis management and disaster recovery, and continuity problems may arise from many sources: the supply chain, customers, employers and facilities (Herbane, 2010a). BCM is often regarded as part of information security, although it can be considered part of the general information system risk (Butler and Gray, 2006; von Solms, 1998). Information security breaches are one of the many possible business continuity threats (Cerullo and Cerullo, 2004). Thus, achieving the availability of data – the primary objective of business continuity as seen from the perspective of information systems – is also one of the main objectives of information security management (Ma et al., 2008; Moreira et al., 2008). Herbane et al. (2004) have analyzed BCM from four different perspectives: 1) human resources and responsibilities; 2) business continuity planning and process; 3) communications and structures; and 4) attitudes and ownership. According to them, the way a BCM team is constituted affects the scope of BCM as business and IT representatives involve their own departments in the process. Continuity processes may also have three levels: disaster recovery, business continuity planning or cross-functional, cyclical BCM. The levels vary according to the type of strategic role that is being achieved (Herbane et al., 2004). The communication of BCM refers to training, exercises and crisis communication, and “structures” indicates whether there are formal BCM structures, such as departmental coordinators, within a firm (Herbane et al., 2004). Attitudes and ownership, showing how individuals are committed to continuity and to preserving the value of the firm, are the final determinant (Herbane et al., 2004). Hong et al. (2003) present an integrated ISecM theory that shows how the information security architecture of an organization is affected by information security policy, risk management, internal control and auditing, all of which are influenced by the external and internal environment of the organization. They describe the ISec policy as a tool that can be used by management and employees for improving information security. Risk management is required for identifying the assets and threats to ISec (Hong et al., 2003), and it bears close resemblance to BCM. Internal controls refer to technical controls based on different information security related standards and governance frameworks such as COBIT or ITIL, and the performance of the ISec architecture is measured by auditing (Hong et al., 2003). Doomun (2008) suggests that security should be considered from technological, risk and compliance perspectives in outsourcing relationships, and therefore the role of human resources and audits are not part of this framework. The BCM and ISec management frameworks are closely related. The purposes of information security policy and attitudes and ownership have the same function: to ensure that the human resources of an organization understand the importance of ISec and business continuity and act accordingly. Internal controls, technical backups, risk assessments and audits (included in BCM planning and processes) are also essential for ensuring ISec and BCM. However, these frameworks are developed for intraorganizational contexts and do not address inter-organizational relationships.
The interorganizational perspective lacking from these frameworks is the power and trust balance, which emerges as an important determinant in IOS adoptions as well as outsourcing (Ali et al., 2008; Heiskanen et al., 2008). Trust has a very important impact on adoption in dyadic as well as in hub-and-spoke IOS (Hart and Saunders, 1997; Ratnasingam, 2001). Perceived risks, such as BCM issues, have a negative influence on participation in IOS, and therefore some companies manage BCM and ISec with contracts (Ratnasingam, 2001). Ali et al. (2008) also argue that a more powerful partner can state the conditions of a contract and force less powerful partners into adopting an IOS. The more powerful partner may also be the one less dependent on a single supplier (Hart and Saunders, 1997) due to the fact that it possesses a resilient supply chain (Herbane et al., 2004). Therefore, trust seems to be a prerequisite for engaging in IOS and IS outsourcing, but the power balance can be altered with IOS adoptions, if resilience and BCM are improved.
4 Methodology
The methodological approach for this paper is in-depth interviewing, which is suitable for gaining rich and detailed information (Rao and Perry, 2003). We chose the in-depth interviews to understand how IT and ISec managers aim to enhance BCM and ISecM in IORs and systems. A similar multi-organizational interview approach has been applied in a previous BCM study; however, in our study we are not able to use pseudonyms due to confidentiality issues (Herbane, 2010b). In order to find “human articulations of the world” (Wagner et al., 2006), we conducted semi-structured in-depth interviews in large multinational and local companies operating in Finland in 2010. The definition Statistics Finland uses for a “large organization” is that it has more than 250 personnel, which was then used as a selection criterion. According to them, 99.1% of companies are small (employing fewer than 50 persons) and there were only 610 large companies operating in Finland in 2009 (Official Statistics of Finland, 2010). A group of 60 companies operating in different industries was selected from a public company listing, and the persons responsible for BCM or ISec or technology were contacted by e-mail. After a reminder e-mail, a total of 18 interviews were fixed (see Table 1) and in-depth interviews, lasting 45 to 60 minutes, were conducted. Seventeen interviews were recorded and transcribed, but one respondent forbade recording, and instead the two interviewers took notes. The interviewees did not know the interviewers, so the social dissonance at the beginning of the interviews was large (Myers and Newman, 2007). Table 1 lists the interviewees and their organizations. Only eight of the organizations operate solely in Finland, whereas 10 of them are international corporations.
Table 1. Interviewees and the represented companies.
Industry/sector | No. of employees | Position of interviewee(s)
Senior Manager, IT Assurance
IT Security Manager
Chief Security Officer
IT Service Manager
Chief Security Officer, Risk Manager
CIO, IT Security Manager, Information Security Expert
As Walsham (2006) instructs, we chose the theoretical lens that allowed us to gain the most insight, namely ISec and BCM in interorganizational IT systems and relationships. We did not find a single framework for focusing on all the external connections we expected the ISec and BC managers to be concerned with. Therefore, we combined the context of outsourcing and interorganizational systems and focused on ISec- and BCM-related meanings in the analysis and used them as a “sensitizing device” for our interpretations (Klein and Myers, 1999). However, Rao and Perry (2003) argue that the “level of prior theory requirement” is low in in-depth interviewing. Herbane et al.’s (2004) BCM framework was used as an initial guide for design and data collection (see Walsham, 1995), and for presenting the preconceived notions (prejudices) of the authors (Klein and Myers, 1999). The principles of interpretive research were applied in order to ensure rigor (Klein and Myers, 1999). Three interviewers participated in data collection, and sense-making happened during the interview sessions by applying mirroring and flexibility (Myers and Newman, 2007) and in the iterative data-theory analysis phase. Initial interview questions are presented in the Appendix. Four interviewees asked to see the transcripts. Three of them made clarifying remarks, which were useful in correcting some misinterpretations. A database (based on the mindmapping software XMind) was used in the analysis for coding purposes. All the findings from the transcripts related to interorganizational IT relationships were gathered into a mind map and then, in several phases, clustered with similar findings into themes to explain all the findings. The themes that finally emerged were contracts, audits, standards and governance frameworks, technical methods and training. The analysis is similar to the grounded theory approach, although it was not chosen as a strategy in the beginning. The final results were also discussed with other IS researchers familiar with interorganizational research, which is a new area of interest for the author. Contextualization was essential in the analysis phase.
Information on interorganizational relationships of the selected organizations was gathered from their web pages (such as their customers or important suppliers), and from the news as well as during the interviews. For example, although the interviewees from the financial sector were very proud of their BCM and ISec practices and referred to the strict government obligations they followed, several interruptions occurred in those companies after the interviews had taken place (some of which were due to the errors of the outsourcing partner). These contextualizations have been included in the analysis section, where applicable.
5 Results 5.1
Outsourcing was used very widely in the studied companies. The only companies managing all their IT were the smallest ones in our study – although they used external help in emergency situations – as the interviewees felt that outsourcing would only slow down IT services and affect business continuity. “For example, changing the firewall: We order it and we have agreed that when we order it […] the firewall change will be effective in 24 hours at the latest […] Then it becomes effective and we notice that it does not work, and we need a second change […], which will again take 24 hours.” The quote describes the power relationship between a supplier and a smaller company with a few hundred employees. Larger organizations can afford to pay for quick service and negotiate good terms, but amongst dozens of clients a smaller firm may not have enough power to negotiate the same terms unless they pay much more (cf. Ali et al., 2008). Therefore it might be reasonable not to outsource but to use experts only when necessary – in disaster situations.
Since the power balance is so delicate, and relationships between clients and vendors complicated, many methods were used to balance power, trust and control. Through the use of contracts, clients and vendors ensure that responsibilities are clear and roles distributed. Consequently, power is balanced between the parties. For example, clients require that suppliers name the contact persons, crisis teams, and communication means in contracts. “Actually, our main task is to inform our staff about what is going on, since we cannot do anything to our systems, […] since [the outsourcing vendors] handle [the situation] totally and they do not allow us to enter [server rooms] because it is their responsibility.” This quote describes the distributed roles from an ISec manager’s perspective on the client’s side. The role of an IT department during interruption management had changed from ISec management to ensuring BC with contracts and communication in disasters, as Fink (1994) has noted. Some organizations had “outsourced” their IT services to a corporate IT supplier, which was owned by the corporation. The subsidiaries paid for the services and could choose the complementary services from a selection, although some systems were mandatory, such as the online banking system for a bank or a point of sales system for a supermarket chain. In these cases, the roles and responsibilities were distributed and planned in service level agreements (SLA). For example, crisis communication was clear; the subsidiaries knew whom to inform and how, and who manages interruptions. The subsidiaries made their business continuity plans (BCPs) and managed their own BCM and smaller interruptions by themselves, and the supplier managed disaster recovery planning and recovery, and ISec management. The BCM practices were very similar to other outsourcing relationships, but the difference was the perception of ISec, which was considered risk-free in corporate outsourcing.
“From an ISec perspective, we don’t perceive any risks, since it is the corporate network […] Any system can be broken into, but the same risk is for the bank and the corporation.” That quote shows how the corporate client trusted their supplier’s ISecM. The managers were not concerned about ISec, since it was not their responsibility, as awareness studies have shown to be the case with users (compare with Albrechtsen and Hovden, 2009). However, Goo and Huang (2008) have in fact discovered that in traditional IT outsourcing relationships the characteristics of SLAs affect trust in the service provider. This kind of trust in ISec management was not mentioned by companies who had external outsourcing vendors; instead, they used multiple control mechanisms to ensure both ISec and BCM in outsourcing. The companies had some interorganizational systems and many either used or hosted an extranet in a hub-and-spoke configuration as part of their supply chain (see Lyytinen and Damsgaard, 2011 for IOS typology). Some also used industry-wide IOSs for sharing information. Almost all IOSs were hub-and-spoke configured extranets, but there are some critical, industry-wide IOSs where an interruption could cause difficulties for hundreds of other companies relying on this information, such as a global travel distribution system. Although contract details were not discussed, the interviewees raised some conflict situations. Some companies had suffered interruptions lasting several hours in their industry-wide IOS. In those situations, all the client company could do was explain that the interruption was caused by an interorganizational system problem also affecting hundreds of other companies. In these cases, the power of the company managing the industry-wide IOS may be so great, compared to a single airline or bank, that the service level agreement might not be sufficient for ensuring the BC of the clients, although they are compelled to join the system to operate (Ali et al., 2008). However, reputation damage mainly affected the client companies, since the news focused on their problems and affected their customers. Nevertheless, client companies were satisfied with their BCM. Contracts with extranet customers are extremely valued. All interviewees agreed that the criticality of their systems was prioritized based on impact on customers; thus customer service systems, extranets and e-mail were highly critical. Customers should not notice any interruptions. “If the order is done online [via extranet], and we have to deliver in 24 hours, we prioritize these [orders], of course, even if they are smaller ones.” The interviewees emphasized that reputation had to be protected with continuous operations and that reputation was at risk if customers saw problems. The managers considered BCM and ISec to have competitive value; if their company could not manage BC or ISec, they would lose customers to competitors. Many referred to the problems of the Finnish bank Sampo Pankki, which lost thousands of customers in the failed system integration process to Den Danske Bank (Luoma-aho and Paloviita, 2010). The managers thus understood that BCM can preserve the value of the company (Herbane et al., 2004), and reliable service increases the trust of customers.
Audits are used inside organizations to get feedback and update ISec or BCM measures. Externally, audits are used to control vendors and increase the power of the client. “We – in our contracts – require that our suppliers make the recovery plans and we test them regularly. For example, in March, we tested our mainframe system and its continuity plan and also our VOIP [voice over Internet protocol] system.” In the contracts, clients require BCPs and disaster recovery plans from the vendor, which are tested regularly and audited by the client or a third party. Auditing was used frequently when selecting a vendor, in the contract phase or before adopting a new system. Some companies were audited dozens of times a year, although ISec or BCM was not always part of the audit. Audits were thus used as control mechanisms, to ensure that the vendor was actually trustworthy. Many studied companies also used cloud computing. With SaaS or infrastructure as a service (IaaS) the experienced outsourcers used auditing to increase their power over vendors. If the data was confidential, the client would audit the prospective supplier, reserve the right for an audit or, in some cases, not use a SaaS at all. SaaS systems were also relatively small systems and the possible vendor was only audited “if it held HR or customer data”. Traditional outsourcing was preferred with strategic systems. Sometimes the clients could dictate the strict requirements before and after contracts were made, and suppliers merely reacted and set the price level of the agreement. The power balance of SaaS contracts is thus similar to that of IOS (Ali et al., 2008). “There was an incident where we realized that a [SaaS] providing company was not using any antivirus software and this resulted in us telling them that it would end our agreement and they said they would correct that right away, although this was not entirely audited.” That quote describes the bargaining power of the clients in a conflict situation.
If a client company finds out about a supplier’s violations, dissolving the outsourcing or SaaS contract is used as a threat to constrain the supplier. The power of the client company was so great that the vendor obeyed their rules immediately and the client did not even have to do the actual audit. It seems that the interviewees prefer control and high bargaining power when dealing with SaaS suppliers, and if this is not possible they find other ways to satisfy the needs of the organization. Companies thus try to avoid catastrophes and ensure business continuity by controlling their vendors (Marston et al., 2011; Sultan, 2010).
Standards and governance frameworks
Standards and governance frameworks are used by many of the studied companies. The selection requirements of an outsourcing vendor are based on either IT governance tools, such as ITIL (Information Technology Infrastructure Library) or COBIT (Control Objectives for Information and Related Technologies), or security standards. Although there is evidence that ISec standards are superficial and do not consider the differences of organizations (Siponen and Willison, 2009), companies picked the most suitable “cherries” from the frameworks and combined them: “For example in our ISec, we do not comply with the ISO 27001 or ISO 27002. Rather, we pick cherries from them and use the best parts as the basis [of the information security management].” These “cherries” mentioned in the above quote were used in the selection of the vendor and contract drafting phase in the outsourcing and SaaS contexts. The experienced outsourcers did not want to leave ISec and BCM to be handled later; they preferred being proactive and saving costs. Many of the studied organizations have discovered that it is advisable to consider ISec when beginning to plan a new system, and have used the same preventive model in vendor selection for outsourcing (Straub and Welke, 1998). “We have a control system, the requirements of which [the vendor] has to fulfill. If they do not, we will not use them.” In particular, the requirement sets for SaaS vendors are fixed and not often changed. Before approving a SaaS supplier, some companies first consider access management, data storage and possible exit strategies and data handling in contract ending situations. The requirement sets are thus used for setting the suitable level of BC and ISec between the client and vendor. However, few actually have standard certification, although some used compliance with them as a sales argument. “Yes, […] we can use these as part of our marketing information when we make contact with a new customer. They are usually quite interested to know how we are carrying out our ISec functions and so on and we can notify them that we are operating under these ISec standards.” Governance tools and standards are used to ensure that vendors are trustworthy. If the vendor itself has certification, the outsourcing decision is easier for the client. This indicates that standards are valuable for organizations in increasing trust; in setting a suitable level of BC and ISec between parties; and that organizations know how to apply standards for their particular purpose.
Technical methods were also used to enhance BC and ISec between organizations, also on the system and individual level. The purpose of technical methods is mainly to control and limit damage, but also to transfer responsibility. Control is demonstrated in the service level agreements, which play a central role in the outsourcing relationships. In SLAs, BCM and ISec requirements were defined, such as the maximum recovery time allowed for an interruption. With these requirements vendors are controlled. After an outsourcing contract has been made, operations begin and practical matters have to be solved. In the studied organizations, the employees of the supplier have to sign a nondisclosure agreement (NDA) and information security policy. If they access a company’s network, a virtual private network and an individual account – restricted to a certain system – are used. In heavily regulated sectors, a security clearance was made for all employees, including the suppliers’ employees accessing the firm’s network. The technical methods were thus used for controlling the users and limiting possible damage. The external users had no access to the company network; the extranet (or some other IOS) was separated from the internal network. If a company hosted an extranet, the customers using it were separated from the company network. One solution was to let customers access only the DMZ area and open a port in the firewall for a single IP address. However, if employees used an external extranet, the security did not concern the interviewees. “We use the same ISec methods [in this and other IOSs], but communication with external parties is not so critical as the incoming communication. The external partner has to control that we cannot access any extra systems. Incoming communication is always controlled more carefully.” In contrast to earlier studies, in which the security of IOS was seen as a prerequisite for sharing information (Hart and Saunders, 1997; Lawson-Body and O’Keefe, 2006), the interviewees were not concerned about communication with external parties. As many studies have discovered, when users or top management are not responsible for security themselves, they prefer to leave it for others to handle (Albrechtsen and Hovden, 2009; von Solms and von Solms, 2004).
In this study, the ISec managers responsible for the company information security had passively transferred some of their responsibilities to other parties. “We have these clients or partners who sell our products and they use our extranet services, which has a separate access management, which we can partly delegate to the partners. […] They can have several internal users and they can manage their own users, so we don’t have to manage all of them.” If a key customer has several employees using the company’s extranet for ordering products, the customer organization could manage the user accounts by themselves. In this way, the continuity of ordering products via the extranet was partly transferred to client companies. They could ensure that several persons know the ordering process and that ordering can continue, even if a key person is absent. This practice increases the supply chain resilience, and can be understood as root-level disruption management (Pereira, 2009). In another firm, the personnel of a key client had access to a company extranet and they used two-factor authentication, which was described as “heavy and rigid” by the interviewee. With these access management techniques companies transfer some responsibilities to their clients, although it was not always user-friendly. Certain companies handling confidential customer information had also considered secure communication channels. They used encrypted e-mail messages when communicating with individual customers or special communication tools implemented in the extranet application. Although the main target of a secure communication channel is in ISec, both channels are part of a highly prioritized system from the BCM perspective. According to the interviewees, individual customers should not see any interruption, not even in communication. Although the studied companies were not concerned with the security of external IOSs, they wanted to portray themselves as trustworthy partners to their customers, and ensure that even confidential information could be shared with them (Lawson-Body and O’Keefe, 2006).
On the individual level, training was used for enhancing BCM and ISecM in interorganizational IT relationships. Training created awareness of and embedded practices for external users working for outsourcing vendors. In some cases, when the help desk was outsourced, help desk employees were treated in the same manner as the client’s own employees; they went to the same IT training and signed ISec policies and NDAs.

“We have instructions on where to start. So, if anyone notices that there is a disruption, he or she should inform the service desk.”

Some interviewees explained that the company had clear instructions about who to contact if an interruption was identified, which improves organizational alertness (see Herbane et al., 2004). This indicates that personnel (internal or external) are trained for some BCM practices, and that the social aspect of BCM is embedded in the studied organizations. In order for an organization to be prepared and alert to possible interruptions, BCM practices must be embedded in processes and known by personnel (Herbane et al., 2004). If an interruption occurs, communication with customers and press is the responsibility of the communications department or CEO. Thus, the purpose of the training was to create awareness and embed company-specific practices into internal and external employees.
6 Conclusions and further research

This paper sets out to understand how managers of IT and information security aim to enhance ISec and BC management in interorganizational IT relationships. We conducted 18 semi-structured interviews in large multinational and local organizations. Several implications for academics and practitioners were made.

First, the organizations used contracts, audits, standards and governance frameworks, training, and technical methods to enhance BCM and ISecM (see Table 2). In contrast to internal ISec and BCM frameworks, this finding shows that internal ISecM and BCM measures are complemented with contracts. Audits, standards and governance frameworks have different objectives in interorganizational IT relationships than they do within an organization as a whole. The methods are used for several purposes, such as controlling as well as balancing and increasing power or trust towards the other party (outsourcing, SaaS vendor or customers). Most of the methods were used in outsourcing contexts, since the outsourcing relationships are central to the daily operations and management of the IT function, and the interviewed managers had been involved with outsourcing decisions, contract drafting, etc. Therefore, managers had experience and knew how important it was to balance bargaining and negotiation power between vendors and their own company in order to protect their company’s value and reputation. This implies that the power and trust relationship should be further studied in interorganizational IT relationships and from an ISecM and BCM perspective.

Table 2. Methods for enhancing business continuity and information security in interorganizational IT relationships.

Method

Contracts
Organizational / Individual
- not used internally
- Balance of power and distribution of roles between client and vendor

Audits (tests)
Organizational / System (SaaS)
- Control ISecM and BCM measures and improve them
- Control vendor, improve service and increase power to the vendor

Standards and governance frameworks
- Setting the most suitable level for ISec and BCM internally
- Increase the trust of possible clients in the vendor and find the most suitable level of BC and ISec controls between client and vendor

Organizational / System / Individual
- Control internal ISec
- Control vendors, IOS partners, users
- Limit damage by internal users
- Limit damage by external users
- Transferring responsibilities to IOS partners
- Creating awareness of and embedding practices in internal users
- Creating awareness of and embedding practices in external users working for outsourcing vendors

Compared to the outsourcing relationships, which were discussed in detail, the IOS and SaaS relationships seem to be routine; products were ordered with extranets and systems were used in the cloud and ISec measures were fixed. Further research on this area is needed. As we know from the statistics, B2B e-business has been active for a long time and volumes are large, which may explain the routines on the system level (Official Statistics Finland, 2010; US Census Bureau, 2011). Another reason might also be that extranets and SaaS are usually used and managed in other departments, such as sales or HR. In these cases, the IT and ISec managers are involved only as practical advisors. Thus, they manage only the technical system – where IOSs and SaaS have been separated from the company network or placed in the cloud. However, companies do not have much experience of SaaS relationships and it would be interesting to investigate why the SaaS relationships are managed with fixed contracts and audits. Interorganizational IT relationships from the ISec and BCM perspective should be studied on different levels, since that perception is relevant for IT and ISec managers. More theoretical discussion is therefore required.

The second interesting finding was that IT and ISec managers had transferred their ISecM responsibilities to other parties and were not concerned about security. As von Solms and von Solms (2004) have stated, one of the greatest threats to ISec is “not realizing ISec is a business issue”. This trusting attitude might be a risk and also set the wrong “tone at the top” for users (see Bayuk, 2009). Prior studies have discovered that managers and users may be reluctant to take responsibility for ISec (Albrechtsen and Hovden, 2009; Puhakainen, 2006), although the interviewed managers were responsible for ISec and BCM in their organizations. However, other organizations have their own interests, which might not be aligned with their clients’ interests, and therefore neglecting to take responsibility is risky for the client. The only explanation suggested is that because another party was responsible, the managers chose to rely on that party and concentrate on other areas. Further research is therefore needed to explore this issue.

Thirdly, more research on the role of audits and the selective usage of standards and governance frameworks is required. Audits and standards do have an impact on interorganizational IT relationships, but research on them is limited and the literature is not unified (Siponen and Willison, 2009; von Solms, 1999). Therefore, studies that explore power, trust and control dimensions in interorganizational IT relationships would benefit both academics and practitioners.

The final contribution of this paper is summarized in Table 3 as a list of activities as well as ISec and BC management approaches, and can be used by practitioners willing to benchmark or systematically develop their interorganizational IT relationships.

Table 3. Information security and business continuity management in interorganizational IT relationships – from the perspective of IT and ISec managers.

Activities / ISec and BC management approach

Organizational level – outsourcing

Selection of an outsourcing supplier
- ISec attachment (incl. BCM) in system development bids; the compliance part of ranking vendors

Drafting outsourcing contracts (external or corporate IT supplier)
- Even critical and strategic systems outsourced, following the ISec policy of the client

Standards or governance frameworks
- Negotiated SLA with BCM and ISec requirements (BCP, DRP, communication plan, crisis team, contact persons) based on “cherry-picked” suitable parts of ITIL, COBIT, or standards

Audits
- Testing and auditing vendor DRPs
- ISec not a concern when corporate IT supplier used

Conflict management
- After audits: If violations – threat of ending the contract, monetary sanction (whether damage was caused or not) + damage costs

System level – IOS & SaaS

Connecting from company to external extranet or IOS
- Not a concern of the interviewees

Customers connecting to a company’s extranet or IOS
- Not in an internal company network
  - DMZ area
  - port in firewall for a single IP address
- Extranets critical systems, prioritized in BCM

Selection of a SaaS supplier
- With confidential data SaaS is not possible
- Fixed requirement sets (both ISec and BCM)
  - what data – access requirements
  - where should the data be stored
- Data handling after ending a contract (or operations) – exit

Drafting SaaS contracts
- Minor systems, fixed contracts and requirements for BCM and ISec, (3rd party) auditing

Individual level

External individuals (outsourcing supplier employees) who are permitted to access another company’s network
- NDA, VPN, individual account for restricted system access
- Treated as company employees, IT training, signed ISec policy, security clearance

External employees who are permitted to access another company’s extranet/IOS
- User account management in external company

Communication with customers, confidential customer information
- Secure communication channel/system, encrypted e-mail messages

There are some limitations to this study. Firstly, we only studied specific companies: large organizations (personnel over 250) that operated in Finland, though many of them were multinational companies. Thus the generalizability of the results is merely on the theoretical level. Furthermore, a more thorough picture of the situation could have been drawn if we had interviewed more experts, business managers and employees in those companies. This study, however, did focus on exploring the current situation and further studies can expand the results of this paper.
7 References

Albrechtsen, E. and Hovden, J. (2009), “The information security digital divide between information security managers and users,” Computers & Security, Vol. 28 No. 6, pp. 476–490.
Ali, M., Kurnia, S., and Johnston, R. B. (2008), “A Dyadic Model of Interorganizational Systems (IOS) Adoption Maturity,” in Proceedings of the 41st Annual Hawaii International Conference on System Sciences, IEEE, Waikoloa, HI, USA, pp. 8–8.
Bayuk, J. (2009), Enterprise Security for the Executive: Setting the Tone from the Top, Praeger Publishers, Santa Barbara, USA.
Butler, B. S. and Gray, P. H. (2006), “Reliability, mindfulness, and information systems,” MIS Quarterly, Vol. 30 No. 2, pp. 211.
Cerullo, V. and Cerullo, M. J. (2004), “Business Continuity Planning: A Comprehensive Approach,” Information Systems Management, Vol. 21 No. 3, pp. 70–78.
Dibbern, J., Goles, T., Hirschheim, R., and Jayatilaka, B. (2004), “Information systems outsourcing,” ACM SIGMIS Database, Vol. 35 No. 4, pp. 6–102.
Doomun, M. R. (2008), “Multi-level information system security in outsourcing domain,” Business Process Management Journal, Vol. 14 No. 6, pp. 849–857.
Eloff, J. H. P. and Eloff, M. (2003), “Information security management: a new paradigm,” in Proceedings of the 2003 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement through Technology, South African Institute for Computer Scientists and Information Technologists, Republic of South Africa, pp. 130–136.
Fang, F., Parameswaran, M., Zhao, X., and Whinston, A. (2012), “An economic mechanism to manage operational security risks for inter-organizational information systems,” Information Systems Frontiers, No. Online First, pp. 1–18.
Fink, D. (1994), “A Security Framework for Information Systems Outsourcing,” Information Management & Computer Security, Vol. 2 No. 4, pp. 3–8.
Gibb, F. and Buchanan, S. (2006), “A framework for business continuity management,” International journal of information management, Vol. 26 No. 2, pp. 128–141.
Goo, J. and Huang, C. D. (2008), “Facilitating relational governance through service level agreements in IT outsourcing: An application of the commitment-trust theory,” Decision Support Systems, Vol. 46 No. 1, pp. 216–232.
Hardy, C. A. and Williams, S. P. (2010), “Managing Information Risks and Protecting Information Assets in a Web 2.0 era,” in Proceedings of the 23rd Bled eConference eTrust: Implications for the Individual, Enterprises and Society June 20 - 23, 2010, Bled, Slovenia.
Hart, P. and Saunders, C. (1997), “Power and trust: Critical factors in the adoption and use of electronic data interchange,” Organization Science, pp. 23–42.
Heiskanen, A., Newman, M., and Eklin, M. (2008), “Control, trust, power, and the dynamics of information system outsourcing relationships: A process study of contractual software development,” The Journal of Strategic Information Systems, Vol. 17 No. 4, pp. 268–286.
Herbane, B. (2010a), “The evolution of business continuity management: A historical review of practices and drivers,” Business History, Vol. 52 No. 6, pp. 978–1002.
Herbane, B. (2010b), “Small business research: Time for a crisis-based view,” International Small Business Journal, Vol. 28 No. 1, pp. 43–64.
Herbane, B., Elliott, D., and Swartz, E. (2004), “Business Continuity Management: time for a strategic role?,” Long Range Planning, Vol. 37 No. 5, pp. 435–457.
Hong, K.-S., Chi, Y.-P., Chao, L. R., and Tang, J.-H. (2003), “An integrated system theory of information security management,” Information Management & Computer Security, Vol. 11 No. 5, pp. 243–248.
Klein, H. K. and Myers, M. D. (1999), “A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems,” MIS Quarterly, Vol. 23 No. 1, pp. 67–93.
Lacity, M. C., Khan, S., Yan, A., and Willcocks, L. P. (2010), “A review of the IT outsourcing empirical literature and future research directions,” Journal of Information Technology, Vol. 25 No. 4, pp. 395–433.
Lawson-Body, A. and O’Keefe, T. P. (2006), “Interorganizational Relationships in the Context of SMEs’ B2B E-Commerce,” Journal of Electronic Commerce in Organizations, Vol. 4 No. 4, pp. 1–28.
Luoma-aho, V. and Paloviita, A. (2010), “Actor-networking stakeholder theory for today’s corporate communications,” Corporate Communications: An International Journal, Vol. 15 No. 1, pp. 49–67.
Luor, T. T., Lu, H.-P., Tao, Y.-H., Lin, T. M. Y., and Tung, C.-H. (2008), “Determinants of client intention of software outsourcing vendors: a model from Taiwan’s financial industry,” Journal of the Academy of Business & Economics, Vol. 8 No. 2, pp. 159–166.
Lyytinen, K. and Damsgaard, J. (2011), “Inter-organizational information systems adoption–a configuration analysis approach,” European Journal of Information Systems, Vol. 20 No. 5, pp. 496–509.
Ma, Q., Johnston, A. C., and Pearson, J. M. (2008), “Information security management objectives and practices: a parsimonious framework,” Information Management & Computer Security, Vol. 16 No. 3, pp. 251–270.
Ma, Q. and Pearson, J. M. (2005), “ISO 17799: ‘Best Practices’ in Information Security Management?,” Communications of the Association for Information Systems, Vol. 15 No. 1.
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., and Ghalsasi, A. (2011), “Cloud computing – The business perspective,” Decision Support Systems, Vol. 51 No. 1, pp. 176–189.
Moreira, E. dos S., Martimiano, L. A. F., Brandão, A. J. dos S., and Bernardes, M. C. (2008), “Ontologies for information security management and governance,” Information Management & Computer Security, Vol. 16 No. 2, pp. 150–165.
Myers, M. D. and Newman, M. (2007), “The qualitative interview in IS research: Examining the craft,” Information and Organization, Vol. 17 No. 1, pp. 2–26.
Official Statistics Finland (2010), Statistics Finland - Use of information technology in enterprises, available at: http://www.tilastokeskus.fi/til/icte/2010/icte_2010_201011-25_tie_001_en.html (accessed 12 September 2011).
Official Statistics of Finland (2010), Finnish enterprises 2009 (e-publication), Statistics Finland, Helsinki, available at: http://www.tilastokeskus.fi/til/syr/2009/syr_2009_2010-11-26_fi.pdf (accessed 9 June 2011).
Pereira, J. V. (2009), “The new supply chain’s frontier: Information management,” International Journal of Information Management, Vol. 29 No. 5, pp. 372–379.
Puhakainen, P. (2006), A design theory for information security awareness, University of Oulu.
Ranta, N. (2011, January 25), “Tässä syy OP:n poikkeuksellisiin ongelmiin. (This is the reason for exceptional problems of OP Bank),” Kauppalehti.
Rao, S. and Perry, C. (2003), “Convergent interviewing to build a theory in under-researched areas: principles and an example investigation of Internet usage in inter-firm relationships,” Qualitative Market Research: An International Journal, Vol. 6 No. 4, pp. 236–247.
Ratnasingam, P. P. (2001), “Interorganizational trust in business to business e-commerce,” Erasmus Research Institute of Management (ERIM), Rotterdam.
Romano, N. C., Pick, J. B., and Roztocki, N. (2010), “A motivational model for technology-supported cross-organizational and cross-border collaboration,” European Journal of Information Systems, Vol. 19 No. 2, pp. 117–133.
Sheffi, Y. and Rice, J. B. (2005), “A Supply Chain View of the Resilient Enterprise,” MIT Sloan Management Review, Vol. 47 No. 1, pp. 41–48.
Siponen, M. and Willison, R. (2009), “Information security management standards: Problems and solutions,” Information & Management, Vol. 46 No. 5, pp. 267–270.
von Solms, B. and von Solms, R. (2004), “The 10 deadly sins of information security management,” Computers & Security, Vol. 23 No. 5, pp. 371–376.
von Solms, R. (1998), “Information security management (3): the Code of Practice for Information Security Management (BS 7799),” Information Management & Computer Security, Vol. 6, pp. 224–225.
von Solms, R. (1999), “Information security management: why standards are important,” Information Management & Computer Security, Vol. 7 No. 1, pp. 50–58.
Starr, R., Newfrock, J., and Delurey, M. (2003), “Enterprise resilience: managing risk in the networked economy,” Strategy and Business, Vol. 30 No. Spring, pp. 70–79.
Steinfield, C. W., Markus, M. L., and Wigand, R. T. (2011), “Cooperative Advantage and Vertical Information System Standards: An Automotive Supply Chain Case Study,” in Proceedings of the 44th Annual Hawaii International Conference on System Sciences (HICSS), IEEE Computer Society, Kauai, HI, USA, pp. 1–10.
Straub, D. W. and Welke, R. J. (1998), “Coping with Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly, Vol. 22 No. 4, pp. 441–469.
Sultan, N. A. (2010), “Reaching for the ‘cloud’: How SMEs can manage,” International Journal of Information Management, Vol. 31 No. 3, pp. 272–278.
US Census Bureau (2011), US Census Bureau E-Stats 2009, available at: http://www.census.gov/econ/estats/ (accessed 12 September 2011).
Wagner, E. L., Scott, S. V., and Galliers, R. D. (2006), “The creation of ‘best practice’ software: Myth, reality and ethics,” Information and Organization, Vol. 16 No. 3, pp. 251–275.
Walsham, G. (1995), “Interpretive case studies in IS research: nature and method,” European Journal of Information Systems, Vol. 4 No. 2, pp. 74–81.
Wang, Y. S., Wu, S. C., Lin, H. H., and Wang, Y. Y. (2010), “The relationship of service failure severity, service recovery justice and perceived switching costs with customer loyalty in the context of e-tailing,” International Journal of Information Management, Vol. 31 No. 4, pp. 350–359.
Wu, W. W., Lan, L. W., and Lee, Y. T. (2011), “Exploring decisive factors affecting an organization’s SaaS adoption: A case study,” International Journal of Information Management, Vol. 31 No. 6, pp. 556–563.

Appendix 1. Interview questions for ISec and BCM in interorganizational IT relationships.
Title of the interviewee
Number of employees in the organization
How would you define the difference between business continuity management and risk management?
I Human resources and responsibilities
Who is responsible for BCM and DRP?
Who takes care of their implementation?
Are there information security managers or an equivalent in all business units?
Do you have a team to manage disruptions?
What kind of expertise do they have?
What is the size of the BCM team or how many individuals are responsible for managing disaster recovery?
Do you have the IT infrastructure, the personnel, the knowledge and capabilities and other internal resources to manage disruption?
II Business continuity planning and processes
How does top management take part in the planning of DRP and BCP?
How are critical business functions prioritized? What do you think is the most critical process/function in your organization in terms of risk tolerance?
Have you outsourced any IT infrastructure, services, information security or such?
How is continuity and information security managed?
Do you use Software as a Service or such? How are continuity and information security managed?
How are suppliers and customers considered in BCM? How are they considered in information security?
When the company is connected to external companies, how is continuity and information security managed?
When an external company has a connection to your information systems, how is continuity and information security managed?
Does your company have BCPs or DRPs and how is planning carried out?
Does your company comply with any BC or ISec standards or guidelines? Why? Do you simply follow BC standards or do they have a wider scope in the organization?
Have you carried out a business impact analysis (BIA)?
What kind of risks have you identified for your IT services? (Proprietary and outsourced)
How have you prepared for those risks?
What is the role of ISec in BCP and DRP?
III Communication and structures
How are business or IT interruptions communicated in the organization?
How are BCM and DRP communicated in the organization?
Do the personnel in the different departments know about BCM and DRP?
Is there a formal role for BCM in the organization whereby it is continually reported to senior management?
How does your company handle disruptions?
What kinds of measures are taken to cope with a disruption?
Do you have on-site (backup), off-site (hot/cold/warm) recovery capabilities? Specifically backup systems managed outside the company premises.
How can you recover data if an interruption happens?
Have you reserved a contracted supplier for a crisis situation?
How long would it take for the critical processes to resume normalcy after an interruption?
If an alternate process runs successfully during a sizable disruption, will it be adequate enough to replace the main business critical process for that time?
IV Attitudes and ownership
Are there any personal incentives to carry out BCM and DRP in the organization?
Are the employees committed to BC policies and do they execute them?
Do you see the implementation of BCM or DRP as a competitive or strategic advantage or just as a business enabler?
Does the BCM improve the development of the organization?