The Cost of Information Security Management in Offshore SMB ICT Companies


MIPRO 2013 Proceedings
36th International Convention, May 20-24, 2013, Opatija - Adriatic Coast, Croatia
Organizer: MIPRO - path to knowledge and innovation (Lampadem tradere)
ISSN 1847-3938

Conferences:
Microelectronics, Electronics and Electronic Technology / MEET
Distributed Computing and Visualization / DC VIS
Telecommunications & Information / CTI
Computers in Education / CE
Computers in Technical Systems / CTS
Intelligent Systems / CIS
Information Systems Security / ISS
Business Intelligence Systems / miproBIS
Digital Economy - 10th ALADIN / DE
Government, Local Government, Public Services / GLGPS
MIPRO Junior - Student Papers / SP

Edited by: Petar Biljanović

All papers are published in their original form.

For Publisher: Petar Biljanović

Publisher: Croatian Society for Information and Communication Technology, Electronics and Microelectronics - MIPRO
Office: Kružna 8/II, P. O. Box 303, HR-51001 Rijeka, Croatia
Phone/Fax: (+385) 51 423 984

Printed by: GRAFIK, Rijeka

ISBN 978-953-233-074-8

Copyright 2013 by MIPRO

All rights reserved. No part of this book may be reproduced in any form, nor may be stored in a retrieval system or transmitted in any form, without written permission from the publisher.

From the proceedings table of contents, DIGITAL ECONOMY - 10th Alpe Adria Danube Universities Initiative (ALADIN) / DE, PAPERS (p. 1481):

The Cost of Information Security Management in Offshore SMB ICT Companies ... 1502 (S. Aksentijević, E. Tijan, D. Čišić)

The Cost of Information Security Management in Offshore SMB ICT Companies

Saša Aksentijević (1), Edvard Tijan (2), Dragan Čišić (3)

(1) Saipem SpA Croatian Branch, Alda Colonnella 2, Rijeka, Croatia. Tel: +385 51 65 17 00, Fax: +385 51 65 17 81, E-mail: [email protected]

(2), (3) University of Rijeka, Faculty of Maritime Studies, Studentska 2, 51000 Rijeka, Croatia. Tel: +385 51 33 84 11, Fax: +385 51 33 67 55, E-mail: [email protected], [email protected]

Abstract - Companies in the offshore SMB ICT segment are subject to various costs arising from several sources, such as legal compliance, alignment with best practice guidelines and standards, employee education, basic computer and network infrastructure security, and the cost of SaaS/cloud solutions. Furthermore, such companies usually have very limited financial resources, yet they are often involved in large projects, working for major offshore installation contractors. In this paper the authors outline the basic costs of information security management systems in offshore SMB companies and propose a simple model to continuously monitor and control them.

I. INTRODUCTION

The term offshore is nowadays usually used for oil and gas drilling operations conducted in the ocean [1]. However, it can also refer to such operations conducted in any large open or closed waters or lakes (for example, the Mediterranean Sea or the Caspian Sea, which is technically a lake). Offshore construction projects in the oil and energy sector are usually executed by large companies called engineering and construction companies. In their form, they are usually corporations, or joint ventures/consortiums of such companies. The usual services such companies may provide are engineering, fabrication, transport, installation, procurement, research, manufacturing, environmental systems and project management [2].

All these companies use very complex ICT systems to support their core operations. The complexity of those systems is further compounded by the fact that operations are usually executed in difficult areas: geographically remote, without the opportunity for adequate user support, or aboard vessels, where good quality hardware, data links and skilled personnel are difficult to obtain. Offshore ICT systems also include equipment seldom encountered in onshore or conventional ICT operations, such as emergency radio location beacon equipment or marine satellite equipment with self-pointing/auto-acquiring antennas [3].

For reasons that will be discussed in detail, offshore construction companies usually subcontract local ICT companies from the SMB market segment to provide some of the ICT services required for successful completion of projects. Large offshore construction companies usually have well developed, formal Information Security Management Systems (ISMS) [4], so it is a real challenge for the smaller ICT companies working for them to keep pace with their clients' information security requirements. This causes a significant rise in information security costs for such companies and an inherent need for proper management of that particular type of cost.

II. CHARACTERISTICS OF OFFSHORE PROJECTS

There are some characteristics of offshore projects in the oil and energy sector that separate them from large projects in other sectors, for example civil engineering, road construction or dam construction. These characteristics are very important for understanding the specific requirements of offshore ICT security that have to be maintained and delivered by relatively small ICT companies belonging to the SMB sector.

Some usual characteristics of offshore projects are as follows:

1. Offshore projects are typically very complex projects requiring the mobilization of a large capital base, human resources and, usually, application of the most modern available technology.

2. They can be very diverse in length, from very short-term to long-term. Very often, large mega-projects are divided into smaller projects with different subcontractors.

3. Typically, there are several subcontractors working on a single installation project, and their cohesion and cooperation is critical for successful execution of the project. These subcontractors use different methods and technologies, have diverse levels of development of human capital and operate in different technical areas.

4. Offshore projects are connected with large risks that have to be properly quantified in order to be managed.

5. Environmental, health and safety, and sustainability issues are some of the main considerations all companies operating offshore have to take into account. These issues usually complicate successful project execution.

6. Contracts for the various phases of offshore projects are typically concluded very close to the moment when the project should start. This puts additional pressure on project management.

    1508 MIPRO 2013/DE

7. Offshore projects are usually executed in very difficult areas, by one or several of the following criteria:

   - Harsh environment: extreme cold or heat, deep sea, Arctic conditions
   - Politically unstable countries, sometimes even war-stricken areas
   - Technically challenging environment: extreme depth, very shallow water, ice, mud, etc.
   - Logistics problems: remote areas that are typically away from main traffic routes, posing potential logistics problems

8. The political and sociological content of offshore projects is very high. Teams working on offshore projects are usually multinational and multicultural, which is an additional challenge to be tackled during the long and exhausting project planning and execution phases.

Due to all the outlined characteristics of offshore projects, it is clear that they carry a large risk with them. This risk has to be properly managed. The goals of the offshore project risk management process are the following [5]:

1. Setting realistic but reasonable cost and schedule contingencies,

2. Understanding the probability of cost overruns and delays of the anticipated schedule,

3. Knowing the probability that the contracted cost and schedule will be achieved,

4. Understanding the accuracy of a cost estimate or project schedule, and

5. Ensuring that project teams identify and properly communicate risks and implement a risk mitigation plan.

III. SPECIFIC REQUIREMENTS OF OFFSHORE ICT SECURITY

SMB ICT companies are subject to quite specific requirements when it comes to ICT security. First and foremost, as already explained, they operate on very complex projects in difficult, geographically remote areas. To better understand the specific requirements of offshore ICT security, some specifics are outlined:

1. The legal framework under which offshore projects are executed is very complex. It usually transcends a single nation and refers to several countries. Also, considering that offshore projects usually relate to work conducted at sea, maritime law is applicable as well.

2. Existing legal requirements imposed on ICT security are very strict for business areas like the financial sector, or for the technical aspects of ISMS management. However, they are not easily applicable to the offshore ICT operations of SMB companies because of the different business context and available financial means.

3. Very often, investment in the ICT security of SMBs is based on a professional evaluation of cumulative risk, or on the subjective judgement of the owner or ICT project manager about whether the investment is justified compared to that risk. Best practice ISMS systems and frameworks do not evaluate the influence of ISMS investments on the company's or project's financial results.

4. One very important restriction for SMB ICT companies working on offshore projects in the oil and gas sector is the lack of internal human resources and financial strength that could adequately follow up the growing requirements for ICT security solutions. Neglecting such requests usually results in increased impact of security incidents, higher cost of remediation, and opportunity cost.

5. ISMS management in offshore ICT operations is usually viewed as a technical discipline or as a minimum-cost endeavour with an unclear relation to project cost or profit margin. Overall, no clear model exists that would relate offshore ICT ISMS management to the business result of the offshore project.

6. One of the most common strategies used instinctively by small and medium businesses providing ICT services in offshore projects is accepting unreasonably high levels of risk and avoiding investment in offshore ICT security solutions. Investments in such ISMS solutions are usually perceived by those businesses as unnecessary or as sunk cost.

7. The business financing sector, and banks especially, following the work of offshore ICT companies, does not recognize the importance of ICT security for the successful business models of such companies. No special analysis of the economic impact of adopted ICT security measures is required, even though they are crucial for the successful completion of offshore ICT projects and consequently for the success of both the clients and the ICT subcontractors. This way both the banks and the SMB offshore ICT companies face unassessed, implicitly accepted risks.

From the above it is clear that the use of economic criteria in decisions about investment in ISMS solutions for offshore ICT SMB companies is a very important factor. A successful ISMS of such a company has to include legal requirements, cost-benefit analysis of possible ICT security solutions, and risk based analysis. Such an approach has to depart from the usually adopted one, which includes only isolated technical measures and haphazard risk assessment.

IV. PROPOSED MODEL OF OFFSHORE ICT COST MANAGEMENT IN THE SMB SECTOR

In order to propose a viable model of offshore ICT cost management in the SMB sector, it is necessary to consider all possible requirements related to the adopted ICT security models. From what has already been outlined, they are divided into three sub-groups:

1. Legal requirements
2. Best practice requirements
3. Risk assessment requirements

As shown in Fig. 1, a typical SMB ICT offshore company is subject to various national legal requirements (for example, requirements related to the minimum set of information security measures to be implemented, record retention, disaster recovery and business continuity). Furthermore, those SMB ICT companies providing network, radio or satellite communication hardware very often have to undergo a very strict process of local certification (equipment conformity, radio frequencies, and encryption systems). All these compliance requirements add to the running costs of a typical offshore ICT company. Finally, there are also specific requirements imposed by compliance with the laws applicable to maritime and offshore operations.

Fig. 1. Legal requirements of SMB ICT offshore companies

Typically, there are three sets of requirements related to best practice in the execution of ICT projects. Primarily, there are technical best practice frameworks that already include a certain level of ICT security context; their origins are usually best practice systems established by hardware or software manufacturers and specialized associations. Best practice frameworks for ISMS adoption and management are formalized and certifiable standards endorsed by international bodies and typically well spread in the ICT business community. Last, but not least, best practices also relate to ICT project management, whose information security practices might prove to be of utmost importance for successful project completion.

Fig. 2. Best practice requirements

One of the most widespread approaches to ICT security risk management is the risk based one. The risk based approach usually lists all information assets and their vulnerabilities, matches them with the applicable threats, and the end result is a matrix of assets, threats and vulnerabilities carrying a certain level of risk that has to be mitigated using an applicable list of controls. This process should be endorsed by top management in order to demonstrate its commitment to goals of excellence. In the case of SMB companies, top management can be a single person or, in the case of smaller companies, even the owner.

Fig. 3. Risk assessment approach of SMB offshore ICT companies

Finally, the inputs for baseline SMB offshore ICT security are the cumulative requirements from the applicable legal requirements, best practice requirements and risk assessment approach, applicable to baseline operations, as shown in Fig. 4.

Fig. 4. Cumulative baseline SMB offshore ICT security

The cumulative baseline level of SMB offshore ICT security represents a set of expenditures, either in the form of investments or costs, that has to be maintained continuously. A similar exercise can be done on a project basis, where for a specific project a matrix is drawn up with all possible risks related to that project. In that case, SMB offshore ICT security also includes temporary ICT security risks and measures that exist only for the duration of the project; after the project, the requirements for ICT security return to the baseline.

Successful ICT security management in offshore operations manages to retain all mitigation measures and expenditures inside the baseline requirements and therefore avoids multiplying the same expenditure across various ongoing projects, as shown in Fig. 5.


Fig. 5. Portfolio structure of information security requirements and solutions for SMB ICT companies working on offshore oil and energy projects

Clearly, a portfolio approach [6] would be advisable to all companies operating in this segment, with well-developed portfolio analysis of both the project-specific and the basic ICT security foundations.
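The baseline and portfolio model of Figs. 3 to 5 can be made concrete with a small calculation. The following Python is an added illustration, not code from the paper or its authors: it scores a constructed risk register, builds the cumulative baseline from the legal, best practice and risk inputs, and then prices a constructed project portfolio so that controls the baseline already maintains are not paid for a second time. All control names, cost figures, assets, threats and projects are assumptions made up for the example.

```python
"""Toy cost model for the baseline-plus-portfolio approach of Section IV.
Added illustration, not code from the paper; all controls, costs, assets,
threats and projects are constructed and carry no real pricing or risk data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    """One line of the asset / threat / vulnerability matrix of Fig. 3."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (stops the project)
    mitigations: tuple           # control names that bring this line to an accepted level

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Project:
    name: str
    years: float                 # duration; temporary controls are paid only this long
    required: tuple              # control names the client or host country demands


# Constructed catalogue: control name -> hypothetical recurring annual cost.
CATALOGUE = {
    "record_retention_archive": 1200.0,
    "dr_bcp_plan_and_test": 2500.0,
    "iso27001_isms_audit": 6000.0,
    "endpoint_disk_encryption": 900.0,
    "vsat_link_vpn": 3000.0,
    "offline_patch_repository": 1500.0,
    "guest_wifi_captive_portal": 400.0,
    "host_country_crypto_certification": 4000.0,
}
LEGAL = ("record_retention_archive", "dr_bcp_plan_and_test")          # Fig. 1 input
BEST_PRACTICE = ("iso27001_isms_audit", "endpoint_disk_encryption")  # Fig. 2 input

REGISTER = [  # Fig. 3 input, constructed
    RiskItem("vessel LAN", "malware via subcontractor USB media", "no patching over satellite link",
             4, 4, ("offline_patch_repository", "endpoint_disk_encryption")),
    RiskItem("satellite uplink", "interception of project data", "cleartext traffic over VSAT",
             3, 5, ("vsat_link_vpn",)),
    RiskItem("field laptops", "theft in port", "unencrypted disks", 3, 3, ("endpoint_disk_encryption",)),
    RiskItem("guest Wi-Fi", "bandwidth abuse by visitors", "no captive portal", 2, 2,
             ("guest_wifi_captive_portal",)),
]

PROJECTS = [  # Fig. 5 portfolio, constructed
    Project("Caspian pipeline survey", 0.5, ("vsat_link_vpn", "host_country_crypto_certification")),
    Project("North Sea platform hook-up", 2.0,
            ("vsat_link_vpn", "endpoint_disk_encryption", "offline_patch_repository")),
]


def baseline_controls(legal, best_practice, register, accepted_score):
    """Cumulative baseline of Fig. 4: legal and best-practice requirements plus the
    mitigations of every register line scoring above the accepted level. Using a set
    means a control demanded by several inputs is paid for once."""
    names = set(legal) | set(best_practice)
    for item in register:
        if item.score > accepted_score:
            names.update(item.mitigations)
    return sorted(names)


def annual_cost(controls):
    return sum(CATALOGUE[n] for n in controls)


def project_extra_costs(baseline, projects):
    """Temporary, project-specific spend: only controls outside the baseline are
    charged, and only for the project's duration."""
    return {p.name: sum(CATALOGUE[n] * p.years for n in p.required if n not in baseline)
            for p in projects}


def duplication_avoided(baseline, projects):
    """Spend the projects would repeat on controls the baseline already maintains,
    i.e. the duplicated expenditure the portfolio view removes."""
    return sum(CATALOGUE[n] * p.years for p in projects for n in p.required if n in baseline)


def summarize(accepted_score=8):
    """Risks scoring at or below accepted_score are consciously accepted, not mitigated."""
    baseline = baseline_controls(LEGAL, BEST_PRACTICE, REGISTER, accepted_score)
    return {
        "baseline": baseline,
        "baseline_annual_cost": annual_cost(baseline),
        "project_extra": project_extra_costs(baseline, PROJECTS),
        "duplication_avoided": duplication_avoided(baseline, PROJECTS),
    }
```

Calling summarize() returns the baseline control list, its annual cost, the temporary extra cost per project, and the expenditure that would have been paid twice without the portfolio view. Raising accepted_score shows the trade-off behind item 6 of Section III: consciously accepting more risk shrinks the baseline, but the same controls then reappear as per-project cost on every project that needs them.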

V. EXPECTED DEVELOPMENTS IN OFFSHORE SMB ICT SECURITY SYSTEMS IN THE NEAR FUTURE

There are several trends that can already be clearly identified and that have already started to affect the ICT security requirements of SMB companies providing services to offshore engineering and construction companies, and especially their cost efficiency. These trends are the following:

1. The shift towards cloud based solutions as a way of reducing cost is not always or easily applicable to the offshore area. Data links, which are usually satellite based, do not allow public cloud based solutions to be a viable option [7].

2. Offshore companies and large contractors typically prefer standard and well-proven solutions and measures to achieve ICT security goals.

3. Host countries are likely to continue implementing stricter and stricter measures for control of information flow as operations continue to move to areas that are more difficult and dangerous in terms of political, social and economic risk.

4. Local infrastructure in host countries, which often lacks the technology (hardware and software) and the skilled personnel ("lifeware") needed to achieve ICT security goals, will probably present an even bigger challenge in the future for SMB ICT companies delivering ICT projects offshore. This means additional pressure on profit margins and timely delivery, as most solutions will have to be imported from other countries rather than obtained in host countries.

5. The cost of local certification of information security solutions and of their maintenance continues to have a big impact on the cost side of SMB companies providing ICT solutions to big contractors.

6. There is a number of hidden costs that have a large impact on operations too, and they are typically rising constantly. Some of these are the cost of equipment transport, import, storage, expediting and installation, the cost of visas for technicians, accommodation and personnel security, etc.

Therefore, a number of factors push up the cost of information security operations of SMB ICT companies working on offshore projects. In the near future it cannot be expected that the share of these costs in total operating costs will decrease. A major driver of the competitiveness of such companies will be a portfolio approach to information security solutions applicable across various projects, together with regional orientation towards areas that are more homogeneous in the requirements imposed on SMB ICT companies providing solutions.

VI. CONCLUSION

Offshore projects in the oil and energy sector are very diverse, but are typically mid-term to long-term projects executed in remote and difficult areas. Engineering and construction companies and their assets are contracted to develop certain phases of a project, and they usually contract other companies for some of those phases. Various companies belonging to the SMB segment of the market are often contracted to provide specific services and installation of hardware, software and network infrastructure.

These companies face extensive legal requirements, both national and those of the territory where operations and installations are executed, best practice and technology requirements, and requirements arising from internal professional risk assessment. On the other hand, these companies usually have limited resources, financial and human, to dedicate to these additional information security requirements, and the number of such requirements is constantly rising.

The most appropriate approach to creating and maintaining solid ICT security systems for SMB ICT companies is to analyze their baseline requirements and create a portfolio satisfying both the baseline requirements and the project-specific requirements of the project portfolio. This ensures that costs are not duplicated and that unnecessary solutions, which only increase cost, are not implemented.

The near future will bring even more requirements for certifications and offshore ICT security solutions, and more locally imposed restrictions on the ways ICT companies may address those issues. Only close tracking of the fixed and operating costs of ICT security solutions will prove to be a positive driver for cost optimization and improvement of the services provided.


REFERENCES

[1] http://www.investopedia.com/terms/o/offshore.asp (accessed 15.12.2012.)

[2] http://www.offshoreguides.com/cptron/contact_engineering_construction.htm (accessed 15.12.2012.)

[3] "SENTINEL Auto Acquire Antenna Mobile Satellite Internet System", Owner's manual, General Dynamics, 4096-745 Rev. F, September 21, 2009.

[4] http://www.bsigroup.com/en-GB/iso-27001-information-security/ (accessed 15.12.2012.)

[5] R. E. Westney, "Managing the Cost & Schedule Risk of Offshore Development Projects", Westney Project Services, Inc., Offshore Technology Conference, Houston, Texas, 30 April - 3 May 2001.

[6] "Risk Management in International ICT Project Management", Global Sustainable Information and Communication Technology Management, University of East London, 2012, p. 12.

[7] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, M. Zaharia, "A view of cloud computing", Communications of the ACM 53(4), 2010, pp. 50-58.
