An investigation to determine incremental risks to software as a service from a user’s perspective

Ipland, Frederick Ferdinand (Stellenbosch : Stellenbosch University, 2011-12)

Thesis (MComm)--Stellenbosch University, 2011.

Thesis

ENGLISH ABSTRACT: Software as a Service (SaaS) – which is a deployment model of cloud computing – is a developing trend in technology that brings with it new potential opportunities and consequently potential risk to enterprise. These incremental risks need to be identified in order to assist in risk management and therefore information technology (IT) governance. IT governance is a cornerstone of enterprise-wide corporate governance. For many entities corporate governance has become a statutory requirement, due to the implementation of legislation such as Sarbanes-Oxley Act of the United States of America. The research aims to assist in the IT governance of SaaS, by identifying risks and possible controls. By means of an in-depth literature review, the study identified 30 key risks relating to the use and implementation of SaaS from the user’s perspective. Different governance and risk frameworks were considered, including CobiT and The Risk IT Framework. In the extensive literature review, it was found that CobiT would be the most appropriate framework to use in this study. Mapping the risks and technologies from the user's perspective to one or more of the processes of the CobiT framework, the research found that not all processes where applicable. Merely 18 of 34 CobiT processes where applicable. The study endeavoured to identify possible controls and safeguards for the risks identified. By using the technologies and risks that were mapped to the CobiT processes, a control framework was developed which included 11 key controls to possibly reduce, mitigate or accept the risks identified. Controls are merely incidental if it is not linked to a framework.

AFRIKAANSE OPSOMMING: Software as a Service (SaaS) – ‘n ontplooiingsmodel van cloud computing – is ‘n ontwikkelende tegnologiese tendens wat verskeie moontlikhede, maar daarby ook verskeie risiko’s vir ondernemings inhou. Hierdie addisionele risiko’s moet geïdentifiseer word om te help met die bestuur van risiko’s en daarom ook die beheer van Informasie Tegnologie (IT). IT beheer is ‘n belangrike deel van die grondslag van ondernemingswye korporatiewe beheer. As gevolg van die implimentering van wetgewing soos die Sarbanes-Oxley wetsontwerp van die Verenigde State van Amerika, het korporatiewe beheer ‘n statutêre vereiste geword vir verskeie ondernemings. Hierdie studie poog om die IT beheer van SaaS by te staan, deur risiko’s en moontlike beheermaatreëls te identifiseer. Deur middel van ‘n indiepte literatuur ondersoek het die studie 30 sleutelrisiko’s geïdentifiseer wat verband hou met die gebruik en implimentering van SaaS vanuit ‘n gebruikersoogpunt. Verskeie korporatiewe- en risiko raamwerke, insluitende CobiT en The Risk IT Framework, was oorweeg. Die literatuur ondersoek het egter bevind dat CobiT die mees toepaslikste raamwerk vir dié studie sal wees. Deur die risiko’s en tegnologieë vanuit ‘n gebruikers perspektief te laat pas met een of meer CobiT prosesse, het die navorsing bevind dat nie alle prosesse in CobiT van toepassing is nie. Slegs 18 van die 34 prosesse was van toepassing. Die studie het ook gepoog om moontlike beheer- en voorsorgmaatreëls vir die risiko’s te identifiseer. Deur die tegnologieë en risiko’s te gebruik wat gepas is teen die CobiT prosesse, is ‘n beheer raamwerk ontwikkel wat 11 sleutel beheermaatreëls insluit, wat die geïdentifiseerde risiko’s kan verminder, temper of aanvaar. Beheermaatreëls is slegs bykomstig as dit nie direk aan ‘n raamwerk gekoppel is nie.

Please refer to this item in SUNScholar by using the following persistent URL: http://hdl.handle.net/10019.1/18086
This item appears in the following collections: