University Information Security Services And Outsourcing Risk Management And Control

Information security is the guarantee of normal operation of information network of the institutions of higher education. With the universities and colleges more information-based, there is a growing dependence on and vulnerability of network and information systems, presenting a more serious issue of security in relation to the information systems of the universities and colleges. More and more universities and colleges are applying for the outsourcing of information security service in the hope that the state-of-the-art technology and management models with information security service providers can be used to enhance the managerial level of the organizational entity, to enjoy more professional service, and to find smart, flexible, well-conceived solutions to the known and unknown threats against security. While it brings benefit to the universities and colleges, the outsourcing of information security service holds in store a lot of risks. It becomes a problem of how to identify and avoid these risks, how to ensure the successful implementation of outsourcing projects, how to evaluate these risks and to apply the results of the evaluation as a countermeasure to use a risk management technology in order to skirt and transfer the risk for the purpose of outsourcing service.In this paper, basic theory on the risk management and information security service outsourcing were introduced. Then, in views of the present situation of and hidden risks in information security in the universities and colleges, author used the risk management theory in making an in-depth analysis of the motives for such outsourcing and the risks in its process. Author also summarized and come up with a framework of risk management and control in the outsourcing effort. What is special in the paper is that author analyzed and identified the risks in the information security service outsourcing, and established a set of indicators for risk evaluation of the outsourcing process, which is based on the result of the risk identification and literatures. Author took the outsourcing of information security service of an anonymous institution of higher education for example. In the process, author used fuzzy and comprehensive method of risk evaluation based on the entropy weight and Analytic Hierarchy Process (AHP) in evaluating the risks in the information security service outsourcing in the universities and colleges. In the light of the risk assessment result, author proposed relevant countermeasures and suggestions, which present themselves as the basis for a more rational policy-making process and offer some food for thought in developing and implementing the right risk management measures in the information security service outsourcing across the universities and colleges.