You have been hired as the CSO (Chief Security Officer) for an organization. Your job is to develop a very brief computer and internet security policy for the organization that covers the following areas:

  • Computer and email acceptable use policy
  • Internet acceptable use policy

Make sure you are sufficiently specific in addressing each area. There are plenty of security policy and guideline templates available online for you to use as a reference or for guidance. Your plan should reflect the business model and corporate culture of a specific organization that you select. 

 Include at least 3 scholarly references in addition to the course textbook.  The UC Library is a good place to find these references. At least two of the references cited need to be peer-reviewed scholarly journal articles from the library.

Your paper should meet the following requirements:

• Be approximately 2-4 pages in length, not including the required cover page and reference page.

• Follow APA6 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.

• Support your answers with the readings from the course and at least three scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find resources.

• Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.


Chapter 10
Information Systems Sourcing

© 2016 John Wiley & Sons, Inc.


Kellwood Opening Case
Why did Kellwood outsource?
Why did Kellwood decide to backsource after 13 years?
What was the result?
© 2016 John Wiley & Sons, Inc.

They wanted to integrate 12 acquisitions with different systems
Kellwood was purchased by Sun Capital Partners. COO wanted to consolidate to reduce costs and standardize
Result was savings of $3.6 million per year, or 17% of total IS expenses

Sourcing Decision Framework

© 2016 John Wiley & Sons, Inc.

Sourcing Options
Insourcing Outsourcing
Domestic Domestic in-house production
Company produces its
products domestically without any outside contracts Domestic outsourcing
Company uses services supplied by another domestic-based company
Offshore Offshore in-house sourcing
Company uses services supplied by its own foreign-based affiliate (subsidiary) Offshore outsourcing
Company uses services supplied by an unaffiliated foreign-based company

Figure 10.3. Different Forms of Sourcing.
(Source: servlet/reweb2.ReWEB?rwsite=DBR_INTERNET_EN-PROD)
© 2016 John Wiley & Sons, Inc.


A firm provides IS services or develops IS in its own in-house IS organization
© 2016 John Wiley & Sons, Inc.


IT Outsourcing
With IT, there is equipment and personnel involved
Equipment and facilities are sold to outside vendors
Personnel might be hired by outside vendors
Services are hired from the vendors
Common length of agreement: 10 years
© 2016 John Wiley & Sons, Inc.


Insourcing Drivers Insourcing Challenges
Core competencies related to systems
Confidentiality or sensitive system components or services
Time available in-house to develop software
Expertise for software development in-house Inadequate support from top management to acquire needed resources
Temptation from finding a reliable, competent outsourcing provider

Insourcing drivers and challenges
© 2016 John Wiley & Sons, Inc.


Economics of Outsourcing
Sell equipment, buildings (large cash inflow)
Downsized payroll – outsourcer hires employees
Services provided for a fee
Fixed costs usually over 10-year term
© 2016 John Wiley & Sons, Inc.


Drivers Disadvantages
Offer cost savings
Offer service quality
Ease transition to new technologies
Offer better strategic focus
Provide better mgmt of IS staff
Handle peaks
Consolidate data centers
Infusion of cash Abdication of control
High switching costs
Lack of technological innovation
Loss of strategic advantage
Reliance on outsourcer
Problems with security/confidentiality
Evaporation of cost savings

Drivers and disadvantages of outsourcing
© 2016 John Wiley & Sons, Inc.


Decisions about How to Outsource
Decisions about whether or not to outsource need care and deliberation.
Requires numerous other decisions about mitigating outsourcing risks.
Three major decision areas: selection, contracting, and scope.
Selection: find compatible providers
Try for flexible management terms
Try for shorter (3-5 year) contracts
Try for SLAs (service level agreements on performance)
Scope – Determine if full or partial outsourcing
© 2016 John Wiley & Sons, Inc.

Short for outsourcing offshore
When the MIS organization uses contractor services in a distant land. (Insourcing offshore would be your own dept offshore)
Substantial potential cost savings through reduced labor costs.
Some countries offer a very well educated labor force.
Implementation of quality standards:
Six Sigma
ISO 9001
© 2016 John Wiley & Sons, Inc.


Selecting an Offshoring Destination
About 100 countries are now exporting software services and products.
What makes countries attractive for offshoring?
High English language proficiency.
Countries that are peaceful/politically stable.
Countries with lower crime rates.
Countries with friendly relationships.
Security and/or trade restrictions.
Protects intellectual property
Level of technical infrastructure available.
Good, efficient labor force
Once a country is selected, the particular city in that country needs to be assessed as well.
© 2016 John Wiley & Sons, Inc.


Selecting an Offshoring Destination
Countries like India make an entire industry of offshoring.
Software Engineering Institute’s Capability Maturity Model (CMM).
Level 1: the software development processes are immature, bordering on chaotic.
Level 5: processes are quite mature, sophisticated, systematic, reliable
Indian firms are well known for their CMM Level 5 software development processes, making them desirable
© 2016 John Wiley & Sons, Inc.


Offshore Destination-
Development Tiers
Carmel and Tjia suggest that there are three tiers of software exporting nations:
Tier 1: Mature.
United Kingdom, United States, Japan, Germany, France, Canada, the Netherlands, Sweden, Finland, India, Ireland, Israel, China, and Russia.
Tier 2: Emerging.
Brazil, Costa Rica, South Korea, and many Eastern European countries.
Tier 3: Infant.
Cuba, Vietnam, Jordan, and 15 to 25 others.
Tiers: based on industrial maturity, the extent of clustering of some critical mass of software enterprises, and export revenues.
The higher tiered countries have higher levels of skills and higher costs.
© 2016 John Wiley & Sons, Inc.


Definition: sourcing service work to a foreign, lower-wage country that is relatively far away in distance or time zone.
Client company hopes to benefit from one or more ways:
Big cost savings due to exchange rates, labor costs, government subsidies, etc.
For the US and UK, India and China are popular
Oddly, India and China also offshore to other locations
© 2016 John Wiley & Sons, Inc.


Definition: sourcing service work to a foreign, lower-wage country that is relatively close in distance or time zone.
Client company hopes to benefit from one or more ways of being close:
geographically, temporally, culturally, linguistically, economically, politically or from historical linkages.
Distance and language matter.
There are three major global nearshore clusters:
20 nations around the U.S., and Canada
27 countries around Western Europe
smaller cluster of three countries in East Asia
© 2016 John Wiley & Sons, Inc.


Captive Centers
An overseas subsidiary that is set up to serve the parent company.
Alternative to offshoring or nearshoring.
Four major stategies that are being employed:
Hybrid Captive – performs core business processes for parent company but outsources noncore work to offshore provider
Shared Captive – performs work for both parent company and external customers.
Divested captive – have a large enough scale and scope that it could be sold for a profit by the parent company.
Terminated Captive – has been shut down, usually because its inferior service was hurting the parent company’s reputation.
© 2016 John Wiley & Sons, Inc.


When a company takes back in-house, previously outsourced, IS assets, activities, and skills.
Partial or complete reversal
Many companies have backsourced such as Continental Airlines, Cable and Wireless, and Halifax Bank of Scotland.
70% of outsourcing clients have had negative experiences and 25% have backsourced.
4% of 70 North American companies would not consider backsourcing.
© 2016 John Wiley & Sons, Inc.


Backsourcing Reasons
Mirror reason for outsourcing (to reduce costs, increase quality of service, etc.)
Costs were higher than expected
Poor service
Change in management
Change in the way IS is perceived within the company
New situations (mergers, acquisitions, etc.)
© 2016 John Wiley & Sons, Inc.


Taking a task traditionally performed by an employee or contractor, and
Outsourcing it to an , generally large group of people,
In the form of an open call.
Used by companies to increase productivity, lower production costs, and fill skill gaps.
Can be used for a variety of tasks.
Companies do not have control over the people doing the work.
© 2016 John Wiley & Sons, Inc.


Partnering Arrangements
Strategic networks: arrangements made with other organizations to offer synergistic or complementary services
Example: The Mitsui Keiretsu contains over 30 firms spanning many industries. The members use each others’ services and don’t compete: Toshiba, Fujifilm, Sony are members
Business ecosystems (see chapter 9): Informal, emerging relationships
© 2016 John Wiley & Sons, Inc.

Deciding Where –
Onshore, Offshore, or in the Cloud?
New option: cloud computing
See chapter 6 for basic definitions; advantages; disadvantages.
Works when outsourcing or insourcing
© 2016 John Wiley & Sons, Inc.

Cloud Computing Options
Private clouds
Data—managed by the company or offsite by a third party.
Community clouds.
Cloud infrastructure is shared by several organizations
Supports the shared concerns of a specific community.
Public clouds.
Data is stored outside of the corporate data centers
In the cloud provider’s environment
Hybrid clouds
Combination of two or more other clouds.
© 2016 John Wiley & Sons, Inc.

Public Clouds – Versions
Infrastructure as a Service (IaaS).
Infrastructure through grids or clusters of virtualized servers, networks, storage, and systems software.
Designed to augment or replace the functions of an entire data center.
The customer may have full control of the actual server configuration.
More risk management control over the data and environment.
Platform as a Service (PaaS).
Virtualized servers
Clients can run existing applications or develop new ones
Provider manages the hardware, operating system, and capacity
Limits the enterprise risk management capabilities.

© 2016 John Wiley & Sons, Inc.

Public Clouds – Versions
Software as a Service (SaaS) or Application Service Provider (ASP).
Software application functionality through a web browser.
The platform and infrastructure are fully managed by the cloud provider.
If the operating system or underlying service isn’t configured correctly, the data at the higher application layer may be at risk.
The most widely known and used form of cloud computing.
Some managers shy away from cloud computing because they are concerned about:
security—specifically about external threats from remote hackers and security breaches as the data travels to and from the cloud.
data privacy.
© 2016 John Wiley & Sons, Inc.

To manage risk, an SLA needs to spell out these requirements.

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.

