Governance and Internal Partnerships [chapter]

Malcolm Harkins
2013 Managing Risk and Information Security  
If we are together nothing is impossible. If we are divided all will fail. -Winston Churchill

To reduce cost, the company's human resources group wants to outsource payroll processing. At first glance, this might seem a low-risk decision. There's a clear business case, and outsourcing payroll doesn't create risks to corporate information assets such as intellectual property. Most businesses regard payroll as a commodity application, so they might tend to select the supplier who can process the payroll at the lowest cost. But there's more to consider. Employees' personal information will be transferred to the outsourcer, creating new privacy concerns. And imagine the impact if thousands of our employees don't get paid because the supplier experiences system problems on payday and lacks adequate disaster recovery capabilities.

Clearly, the HR group owns the business process. However, outsourcing payroll can introduce risks for the entire business, not just for HR. Payroll processes involve systems that can create information risk. Outsourcing also involves procurement. The business needs a clear overview of all the factors, including the risks, in order to make the best decision. To provide this view, the HR, procurement, and information risk and security groups need to work together.

A typical organization makes many decisions that require this kind of internal partnership to manage the risk. A product group wants to outsource development work to bring a product to market more quickly. A marketing team wants to engage a developer for a new social media initiative. Similar considerations also apply to internal technology transitions such as OS and application upgrades. Each new technology introduces new capabilities and risks. Often, the technology also includes features or options designed to reduce risk. By carefully analyzing the risk and security implications, including privacy and e-discovery considerations, we can help manage the risk of the transition, and we can often capitalize on the new features to improve the risk picture overall.
doi:10.1007/978-1-4302-5114-9_3 fatcat:nujv5idnibbera3sgfdrm2hqem