Decision makers can initiate a risk assessment of their environment and trigger the introduction of suitable measures to address unacceptable risks. This is the precondition for the management of information security. Several approaches to staffing such an effort are possible (this is also known as a “make-or-buy” decision). We differentiate between three approaches:
In-sourcing of risk & security services: the risk & security assessment and the identification of necessary measures are performed by internal staff. The assessment is based on a risk & security assessment approach that has been selected by the organisation (e.g. a good practice, a known standard, etc.). This helps the organisation to master the assessment approach for recurring assessments.
Full outsourcing of risk & security services: according to this approach, the entire risk & security assessment is performed by an external contractor. The assessment is based on a risk & security assessment approach that is chosen by the external contractor. The contractor can also undertake recurring future assessments. No know-how transfer to internal personnel is foreseen for the entire life cycle of the risk & security assessment/management of the SME.
Partial outsourcing of risk & security services: this approach assumes that the initial risk & security assessment is performed by an external company. The assessment will be based on a risk & security assessment approach that is known to the SME. Hence, further risk & security assessments can be performed by internal personnel. The initial assessment performed by the outsourcer serves as know-how transfer to the SME’s internal personnel.
Our next installment – IT Risk & Security: Decision-Making Questionnaire (In-sourcing)