Outsourcing a function can benefit the university through cost savings and flexibility. Nevertheless, management has the primary responsibility to oversee the outsourcing activities and to ensure that the associated risks are managed, in order to maximize the benefit of outsourcing.
From the information security perspective, management is responsible for assessing the risks associated with the outsourcing activities, overseeing the vendor selection process, designating function owners for the outsourced functions, and ensuring that information security policies and procedures are followed.
Management should designate function owners for each outsourced function to manage the operational risks of the outsourcing activity.
Prior to the establishment of an outsourcing relationship, management should decide whether the university will benefit from the outsourcing based on the risk assessment performed by the function owners.
In the risk assessment, business operation and information security aspects should be taken into account. If the risks involved are assessed as high while the commercial benefits are marginal, management should not outsource the function.
Aligning the University's outsourcing objectives with the outsourcer's business model is a key success factor in IT outsourcing. Managing an outsourcer is completely different from managing an in-house team. Outsourcers have their own agenda and objectives.
When selecting an outsourcer, the following criteria should be taken into account:
- Company's reputation and history;
- Quality of services provided to other customers, particularly the education sector;
- Number and competence of staff and managers;
- Financial stability of the company and commercial record;
- Retention rates of the company's employees; and
- Professional standards followed regarding quality assurance and security management.