
Evaluation of Outsourcing of IT Operations

CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at
Nasik Branch of WIRC from 11/01/2020 to 16/02/2020 and we have the required attendance. We
are submitting the Project titled Evaluation of Outsourcing of IT Operations.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We
also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

Sr. No.  Name                       Membership No.  Reference No.  Signature
1        Abhishek Kshatriya (Head)  188908          61769
2        Rakesh Bothara             147053          61956
3        Nitin Aher                 156220          61810

Place: Nashik

Date: ……….

DISA Batch, Nashik Branch, WIRC, ICAI Page 1



INDEX
CONTENT

A CASE STUDY/PROJECT ASSIGNMENT
1 Case Background

B PROJECT REPORT (SOLUTIONS)
1 Introduction
1.1 Auditee
1.2 Organizational Structure
1.3 Technology Infrastructure
1.4 Policies And Procedures
1.5 Audit Firm Details
1.6 Auditee Environment
2 Background
3 Scenario
4 Terms And Condition Of Assignment
5 Scope Of Assignment
6 Logistics Requirement
7 Methodology And Strategy Adopted And Executed During Assignment
8 Documentation
References
Audit Report
Findings And Recommendations
Summary


PROJECT REPORT

TITLE: EVALUATION OF OUTSOURCING OF IT OPERATIONS

A. DETAILS OF CASE STUDY / PROJECT (PROBLEM):

Tara Jewels Ltd has been facing economic pressures due to the downturn, which
has resulted in a reduction in turnover and profits. To overcome this scenario,
the management has decided to cut the IT outlays and is exploring outsourcing of
IT operations by the use of a cloud computing model. The management is concerned
about selection of the right vendor for such outsourcing, considering the cost-benefit
analysis. More or less, the basic objective of the management is to ensure the
delivery of current and future services and to enhance the productivity of the
employees. They are also concerned about the risk of outsourcing IT operations and
want an independent assurance on the prospective IT outsourcing.

B. PROJECT REPORT (SOLUTION):-


1. Introduction:

1.1 Auditee:

Tara Jewels Limited is engaged in the automobile industry. It manufactures
two-wheeler bikes, including moped scooters. It has maintained rank one for several
years in terms of production and sales.


1.2 Organizational structure:-

The organizational structure is outlined below:

CEO
    Chief Financial Officer (CFO) | Chief Information Officer (CIO) | Chief IT Officer (CTO) | Chief Compliance Officer (CCO)
        HR | Production | Marketing | Sales | Income Tax | GST | MCA

1.3 Presently used IT infrastructure:-

Tara Jewels Limited uses a software as which is exclusively used for their company.
The hardware consists of laptops, servers with the Windows operating system, printers,
scanners and all the network connecting devices. All the systems of zones, regions
and outlay points are connected via a Wide Area Network (WAN).

1.4 Brief policies and Procedures: -

Policies and procedures currently adopted by the company are listed as follows:

a. For data processing and its storage, the company itself maintains servers.


b. The company purchases laptops, which are given to various staff members as per their
designation and need, and all the maintenance is carried out internally.
c. Backup is taken once a week and stored on separate backup servers at an alternate
location.
d. The CIO gives access to information according to designation, with the authorization of
the CEO.
e. The system administrator is responsible for system user logs.
f. All purchased software is kept in the custody of the CIO, and access is allowed only
on the approval of the user department’s head.
g. Information and Technology policies are framed for users. They are advised to go
through them.

1.5 Audit Firm Details:-

ARN & Associates is a well-trained and highly qualified team of technical and
system auditors comprising three partners, namely:

1. Mr. ABHISHEK KSHATRIYA
2. Mr. RAKESH BOTHARA
3. Mr. NITIN AHER

We have vast experience of system audit, including System Development, System
Auditing, Information Security Implementation and Investigations. We are
members of the Institute of Chartered Accountants of India (ICAI). We are qualified as
DISA (Diploma of Information System Audit) from ICAI. As a part of our internal
trainings, we keep ourselves updated with the latest developments and use of
current technology, which helps us in providing the best services to our clients.


“Providing Value addition” is the motto of our firm.

1.6 Auditee Environment:-

Tara Jewels Limited, an India-based multinational company (MNC) headquartered
at Mumbai, Maharashtra, India, has a very large market share in the production and
sale of two-wheelers in the automobile industry. It has five zones in India
for ease of doing business, i.e. East Zone, West Zone, North Zone, South Zone
and Central Zone. In each zone there are three or four regions according to the market
area.

BACKGROUND

Tara Jewels Limited has been facing economic pressure due to the downturn; this
has led to a reduction in the turnover and profit of the company. This happened due to
the Government's decision to stop the production and sale of BS-III engine vehicles to
control air pollution. The company has had to switch over mandatorily to production of
BS-IV vehicles to meet compliance and industry needs, though its BS-III vehicles
were not so much air polluting.

Tara Jewels Limited has a wide network across the country through its zonal and
regional offices, so minimization of cost and optimization of benefits is a must for it
as an automobile company. A company in the automobile sector needs to adhere closely
to aggressive technology development and comply with changing and challenging
global regulations in a timely and accurate manner. Cost and security requirements are
the most important drivers of the automobile industry. The company had the best
infrastructure for production of BS-III bikes, and it is not very feasible for it to start
a production house for BS-IV bikes along with the IT services that are required for
compliance in its day-to-day operations. Considering all these facts, the management
has decided to outsource its IT services.

SCENARIO
The senior decision-making management of Tara Jewels Limited has decided to
outsource its IT operations using the cloud-computing model. Managing IT
infrastructure might not be a core competence of a company. This is a constant
challenge faced by Tara Jewels Limited.

The basic and prime objective of the company behind this is to increase the
productivity of its employees. The management requires an independent assurance on
the proposed IT outsourcing and is concerned about the various aspects that are to be
taken into consideration while selecting and finalizing the vendors for the proposed
outsourcing.


TERMS AND CONDITIONS OF ASSIGNMENT

The primary objective of the IT outsourcing audit is to provide management with
an independent assurance of controls relating to the organization’s IT outsourcing
process, such as enterprise-wide policies and procedures to govern the outsourcing
process, the process to define the requirements, the risk assessment and due diligence
process in selecting a service provider, risk evaluation, the contract negotiation process
and ongoing monitoring.

SCOPE OF ASSIGNMENT

The scope of the audit addresses the adequacy of controls designed to manage
internal and external risks related to outsourcing of the IT services to the
organization and the service provider environment in a steady state.

The scope of assignment includes:

• Requirement and feasibility of IT in the business.
• Service provider’s internal environment.
• Assessment of the risk of adopting cloud services as compared to the existing
organizational structure, to mitigate the risk in cloud computing.
• Context and motto of outsourcing.
• Guidelines and standards of outsourcing.
• General practices in use.
• Potential agencies that are most active in outsourcing.
• Activities that are most actively subject to outsourcing.
• Evaluation of procedures and policies.
• Reporting of procedures and performance indicators of outsourcing.
• Perceptions and vision of the selected vendor towards success and failure of process
and outcomes.
• Issues and hurdles in implementing the cloud computing model.
• SWOT analysis of outsourcing.

LOGISTIC REQUIREMENT

Assignment of one internal officer with us (CTO preferably) as a coordinator who
will be part of discussions is the basic requirement.

During the assignment, the following amenities are required:

• Two laptops with Windows 10 and Microsoft Office 2017.
• Access to a laser printer for printing reports as required.
• Adequate seating and storage space for the audit team.
• Facilities for discussions amongst our team and your designated staff.
• Arrangement for transportation for team members upon arrival and departure
between the hotel and the Company's Administration Office.
• Access to records and information about the company that are not available
electronically (e.g., papers, theses, portfolios, and dissertations).


METHODOLOGY AND STRATEGY ADOPTED AND EXECUTED DURING ASSIGNMENT

While performing the assignment, we followed the auditing standards and
guidelines published by ICAI, and International Standards (IS). We also followed the
provisions of the Information Technology Act, 2000 (as amended 2008), the ISO 27000
family of standards and other best practices such as COBIT, and ITAF 1201 and ITAF 1202
issued by ISACA.

Our study primarily followed a mixed-methods approach using techniques such as
first-hand observations, interviews, case studies, and peer-reviewed published
literature, augmented by surveys.

Audit Strategy:

To understand the business processes and review how those are mapped in
information systems by tracing the modules with top down approach.

a. Identify the processes/services that need to be outsourced.
b. Risks involved in outsourcing.
c. Measures to mitigate the risk of outsourcing.
d. Review the controls established over the continuity of service.
e. Identify cloud services and model as appropriate for Tara Jewels Ltd.
f. Identify cloud service providers who provide the required solution.
g. Identify appropriate vendors based on cost and quality of service.
h. Cost benefit analysis for each vendor.
i. Migration strategy for outsourcing.
j. Presentation of the final report to management with cost benefit analysis and risk
mitigation strategy.


DOCUMENTATION

During the assignment, we have reviewed the following documents;


1. Organization chart explaining the hierarchy of the company,

2. IT Security Policies and procedures,

3. Compliance requirement chart and reports of various laws,

4. Service Level Agreements with outside vendors,

5. Non-disclosure agreements

6. Quotations from service providers,

7. Employee non-competing agreement with other companies

8. Access to sensitive information policy

REFERENCES

1. Standards on Auditing Issued by ICAI

2. Information Systems Audit and Control Association Standards and Guidelines

3. Information System Audit Module 1 Chapter No. 3, Part 1.2 Cloud Computing.

4. http://www.cloud-standards.org

5. Practical Guide to Cloud Service Level Agreements


AUDIT REPORT

Our audit report includes the recommendations based on the best judgment for
outsourcing. It also includes the risk assessment of outsourcing the IT services and
that of prospective vendors of cloud computing.

It also includes controls to be assigned to mitigate the risk of outsourcing. Over and
above, it contains the cost benefit analysis and risk mitigation strategy.

Format of audit Report/Findings and Recommendations:-

Cloud Computing:-

In the early 19th century, computers were large; one computer
occupied space equal to a bedroom of a normal house. These were called
mainframe computers, and data was stored on tapes, which had to be inserted into
them. From mainframe computers we shifted to personal computers, and tapes were
replaced by floppies to store the data. Nowadays, due to lack of space and the
wide range of data and information, we need to shift one level up. Cloud
computing is the best solution for this problem.

Cloud computing is a model for enabling on-demand networked access to a shared
pool of computing resources - network/bandwidth, servers, storage, applications,
services etc. Cloud computing refers to computing power in all its totality or
specified components (infrastructure, platform or service) being offered in the cloud
as a utility to users, to be paid by the meter on a consumption basis. As Internet
connection speeds increase and wireless Internet access broadens, more
computing activities are being delivered over the Internet.

The term “Cloud” is used to denote a representation of the internet and
communication system as well as an abstraction of the underlying infrastructure
involved.

In the Cloud Architecture, the front end includes the client's computer (or computer
network) and the Client application required to access the cloud computing system.
This could be a Web browser or unique applications that provide network access to
clients.

On the back end of the system are the various computers, servers and data storage
systems that create the "cloud" of computing services. In theory, a cloud computing
system could include practically any computer program we can imagine, from data
processing to video games. Usually, each application will have its own dedicated
server. Any mid-sized business like cooperative banks, Regional Rural Banks or any
Marketing company would be benefited by cloud services as their needs could be
met by services offered by the Cloud Service providers.

There is no single specific definition of the cloud as used in IT,
although it has been described as a service rather than a product.


Characteristics of Cloud Computing:


1. On-demand self-service: Automatic provisioning of computing capabilities as
needed.
2. Network Access: Network should be accessible anywhere by any device -
PC/laptop, PDA, smart phone.
3. Resource Pooling: Serving multiple clients using multi-tenant model with
different physical and virtual resources.
4. Rapid Elasticity: Capabilities to meet clients' increasing requirements at any
time.
5. Measured Services: Capability to monitor resource usage for each process and
client.

Features of Cloud Computing:


1. High Scalability: Enables servicing of business requirements for larger
audiences.
2. Agility: Works in ‘distributed mode’ environment. Shares resources among
users and tasks, while improving efficiency and responsiveness.
3. High Availability and Reliability: Chances of infrastructure failure are
minimal.
4. Multi-sharing: Multiple users and applications can work more efficiently with
cost reductions by sharing common infrastructure.
5. Virtualisation: Allows servers and storage devices to increasingly share and
utilize applications.


Types of Cloud Computing:

1. Public Cloud: Refers to service providers that offer their cloud based services
to the public.
2. Private Cloud: Refers to the use of cloud computing concepts within the
confines of a private network. Some businesses like private cloud computing
because it provides more control over infrastructure and security than public cloud
computing.
3. Hybrid Cloud: Businesses may decide to combine public cloud and private
cloud services to create a hybrid cloud.
4. Community Cloud: Several businesses share cloud-computing resources.

Models of Cloud Computing:


There are three dominant cloud computing models:

1. Infrastructure as a Service (IaaS)

2. Software as a Service (SaaS)

3. Platform as a Service (PaaS)


1. Infrastructure as a Service (IaaS): This has the capability to provision
processing, storage, networks and other fundamental computing resources that offer
the customer the ability to deploy and run arbitrary software, which can include
operating systems and applications. Users are not required to manage the
infrastructure as they do not possess the ownership of the underlying Cloud
infrastructure.

2. Software as a Service (SaaS): This provides the capability to use the provider’s
applications that run on the cloud infrastructure. The applications are accessible
from various client devices. Users are free from the possession and maintenance
issues of software and hardware.


3. Platform as a Service (PaaS): This gives the user organisation’s application
developers access to the hardware and operating system platform, allowing them to
simply code and deploy applications on the platform without directly interacting
with the underlying infrastructure.

Benefits of Cloud Computing:

1. Achieve economies of scale: Increase volume output or productivity with fewer
people. Your cost per unit, project or product plummets.

2. Reduce spending on technology infrastructure: Maintain easy access to your
information with minimal upfront spending.

3. Globalize your workforce on the cheap: People worldwide can access the
cloud, provided they have an Internet connection.


4. Streamline processes: Get more work done in less time with fewer people.

5. Reduce capital costs: There is no need to spend big money on hardware,
software or licensing fees.

6. Improve accessibility: You have access anytime, anywhere, making your life so
much easier.

7. Monitor projects more effectively: Stay within budget and ahead of completion
cycle times.

8. Less personnel, training needed: It takes fewer people to do more work on a
cloud, with a minimal learning curve on hardware and software issues.

9. Minimize licensing new software: Stretch and grow without the need to buy
expensive software licenses or programs.

10. Improve flexibility: You can change direction without serious “people” or
“financial” issues at stake.

Risks of Cloud Computing:

1. Environmental security — the concentration of computing resources and users
in a cloud computing environment also represents a concentration of security
threats. Because of their size and significance, cloud environments are often
targeted by virtual machines and bot malware, brute force attacks, and other
attacks.


2. Data privacy and security — Hosting confidential data with cloud
service providers involves the transfer of a considerable amount of an organization's
control over data security to the provider.

3. Data availability and business continuity — a major risk to business continuity
in the cloud computing environment is loss of internet connectivity.

4. Record retention requirements — if your business is subject to record retention
requirements, make sure your cloud provider understands what they are so that
they can meet them.

5. Disaster recovery — Hosting your computing resources and data at a cloud
provider makes the cloud provider’s disaster recovery capabilities vitally important
to your company’s disaster recovery plans.

Cloud Environment to Automobile Sector

The automobile industry is evolving while grappling with several socio-economic
and technological challenges along with the need to drive down IT costs. A solution
to this problem could be sought by moving to the Cloud.

Cloud computing is one of the most disruptive forces facing the industry.
According to the Bain & Company research report “The Changing Faces of the
Cloud,” globally, the cloud IT market revenue is projected to increase by a huge
amount, translating into a compound annual growth rate (CAGR). The scale of
change is overwhelming. As buyers intensify and increase IaaS activity, they will be
getting more for their investment: ongoing enhancement of performance, more
memory, more storage for the same money (which will drive increases in
consumption) and increased automation in traditional IT outsourcing (ITO)
delivery.

The change is not cosmetic but radical in all aspects and could be truly
transformational as it will power and define business processes and supply chains.
These are companies genuinely trying to change everything: from the way their
structure is managed to the products they sell.

Automotive companies are leveraging modern Cloud-computing platforms for
creating Cloud native Applications, Operating System, the Internet of Things (IoT),
devising a comprehensive software development methodology—all of which have
the potential to literally transform it into a global powerhouse. As the company
strives to explore new markets, it is overhauling everything that defines the core of
its business and moving towards being a software services company, away from its
hallmark of being a leading automaker. The bold move will perhaps lay the
blueprint of how automobile enterprises of the future will keep reinventing
themselves.


Key Benefits of Cloud to Automobile Industry


1. Data Exchange – Share vehicle and diagnostics data with other systems.
Additional services can be added to allow for the development of modular and
reusable services for integration.

2. Mobility Services – Applications for ride sharing and mobility services require
geo-location services to monitor vehicles and fleets in real time. There may be
additional components necessary to communicate with consumers, emergency
vehicles, and intelligent highway terminals in the future. The automotive cloud can
also track maintenance requirements, user interactions, and delivery status.

3. Automotive Cyber security – Safety is a major concern, and issues of vehicle
location, data privacy and security often arise along with those concerning
reliability. It’s worth noting that mobility services will also be used by people who
are not experts in vehicle or cloud computing technologies and there may be
requirements to further secure information between the automotive cloud,
connected vehicles, and applications.

4. Deep Learning – Designing for predictability requires modeling techniques,
machine learning algorithms, and design strategies able to support understandable
and manageable self-governing systems. These systems must allow for the isolation
of system components and analysis of interactions that take place within the
automotive cloud network.

5. Telematics-based commerce – The automated purchasing of replacement parts
requires querying multiple vendors for the best price and availability. With
Automotive Cloud Technology, the vehicles themselves will communicate the parts
that must be replaced, thus requiring these parts to be machine coded – i.e. parts-
specific codes suited for the vehicle.

6. Security: With ISO 27001, the reluctance to adopt technology is starting to be
addressed and adoption is getting traction. Let’s bear in mind also that many of the
security features required for data protection are addressed by the service
providers, therefore relieving the healthcare organizations from tedious and
complex security frameworks.

7. Saving On Data Storage: Big data has become an overwhelming challenge for
many health organizations, and the cloud allows providers to save money by
minimizing in-house storage needs. The information also becomes more accessible
from various locations, and even if something happens on-site, the data is still
preserved.


Cloud Adoption

The automobile industry is at a very fragile stage of its industrial life for adopting
cloud computing. A clear challenge in formulating cloud policy is dealing with the
conflicts inherent in the features of cloud computing and achieving a balance
between the enabling and constraining functions of governance. The other set of
challenges involves striking a balance among the conflicting interests of different
stakeholders such as cloud service providers, copyright owners, clients, end users,
and government.

Current trends indicate that the Private Cloud is a preferred model for the
industry. Automobile companies that are used to using third-party software
would be most comfortable with SaaS applications and IaaS.

Infrastructure as a Service (IaaS):


Salient features of IaaS are listed as follows:

Hardware investment cost saving: The underlying physical hardware
that supports an IaaS service is set up and maintained by the cloud provider, saving
the time and cost of doing so on the client side.

Physical security of data center locations: Services available through a public
cloud, or private clouds hosted externally with the cloud provider, benefit from the
physical security afforded to the servers, which are hosted within a data center.


Utility style costing: The service can be accessed on demand and the client only
pays for the resource that they actually use.

No single point of failure: If one server or network switch, for example, were to
fail, the broader service would be unaffected due to the remaining multitude of
hardware resources and redundancy configurations. For many services, if one entire
data center were to go offline, never mind one server, the IaaS service could still run
successfully.

Easily accessible: The service can usually be accessed from any location as long
as there is an internet connection and the security protocol of the cloud allows it.

Considering the need of the organization and the above benefits, we are of the opinion
that the best model suited to the company would be Infrastructure as a Service
(IaaS).

IaaS provides basic computing resources which can be used by Tara Jewels Ltd. to
run software (both operating systems and applications) and to store data. IaaS
allows the customer to transfer an existing workload to the cloud with minimal, if
any, change needed.

The company need not manage or control the underlying cloud infrastructure, but
remains responsible for managing the OS and applications. IaaS removes the need to
buy, house and maintain the physical servers. It can provide the ability for an
organization to respond quickly to ever-changing demands. We have identified the
following service providers –

ANNEXURE 1


Risk and Vulnerability Assessment:


Though cloud computing is beneficial, it carries risk as well. Before shifting to the
cloud, it is important for the Company to consider the risks of Cloud Computing. The
most important classes of cloud-specific risks are enumerated below:

1. Loss of governance: in using cloud infrastructures, the client necessarily cedes
control to the Cloud Provider (CP) on a number of issues that may affect
security. At the same time, SLAs may not offer a commitment to provide such
services on the part of the cloud provider, thus leaving a gap in security
defences.

2. Isolation failure: multi-tenancy and shared resources are defining characteristics
of cloud computing. This risk category covers the failure of mechanisms
separating storage, memory, routing and reputation between different tenants
(e.g., so-called guest-hopping attacks). However, it should be considered that
attacks on resource isolation mechanisms (e.g., against hypervisors) are still less
numerous and much more difficult for an attacker to put in practice compared to
attacks on traditional Operating Systems.

3. Data protection: cloud computing poses several data protection risks for cloud
customers and providers. In some cases, it may be difficult for the cloud
customer (in its role as data controller) to effectively check the data handling
practices of the cloud provider and thus to be sure that the data is handled in a
lawful way. This problem is exacerbated in cases of multiple transfers of data,
e.g., between federated clouds. On the other hand, some cloud providers do
provide information on their data handling practices. Some also offer
certification summaries on their data processing and data security activities and
the data controls they have in place.

4. Insecure or incomplete data deletion: when a request to delete a cloud resource
is made, as with most operating systems, this may not result in true wiping of
the data. Adequate or timely data deletion may also be impossible (or
undesirable from a customer perspective), either because extra copies of data are
stored but are not available, or because the disk to be destroyed also stores data
from other clients. In the case of multiple tenancies and the reuse of hardware
resources, this represents a higher risk to the customer than with dedicated
hardware.

5. Availability Chain: reliance on Internet connectivity at the customer’s end creates a
single point of failure in many cases.

Criteria for Selection of Right Vendor:


The potential benefits of managed services can only be achieved by selecting the
right provider. While selecting the right vendor, consider the following criteria to
help you make an informed decision.

1. Depth of skills and experience: Any managed services provider should, as a
baseline, have skills that go beyond basic operating system maintenance and
availability management. While selecting, consider skill levels related to managing
change, virtualization, high availability, middleware and databases, multiple
network technologies, cross-platform integration, mobility, security and, of course,
cloud technologies.

2. Proactive, technology-based approach to IT services management: Find out if the
services provider has a “break/fix” mentality or a proactive approach that
emphasizes problem prevention and continuous improvement. Look for a provider
that goes beyond simple monitoring and device management. For example,
employing sophisticated technologies like advanced analytics can drive incident
prevention through analysis of failure patterns across platforms and processes,
affording visibility into areas for client and service provider improvement.

3. Alignment with industry best practices and ITIL standards: A key to achieving a
reliable, highly available IT infrastructure is to optimize IT management. A services
provider should employ industry best practices in managing your IT resources, in
particular aligning with the ITIL approach to IT service management. ITIL best
practices encompass problem, incident, event, change, configuration, inventory,
capacity and performance management as well as reporting. Best practices for
transitioning from in-house to the provider’s management system are also a critical
area to explore.

4. Consistent processes, knowledge management and consolidated service visibility:
Consistent service delivery is built on consistent processes that are clearly scripted
and employ a repeatable methodology. Your services provider should be willing to
share examples of policy and process documentation and explain how they are
replicated across multiple delivery centres. Also important is the means by which
the services provider gives you visibility into the health of your infrastructure and
the performance of your managed services.

5. Performance-based service level agreements: A significant advantage of managed
services is that responsibility for performance rests with the services provider. Your
focus should be on what the services provider delivers rather than how the service
is performed, which enables the provider to innovate, improve service delivery and
reduce costs for mutual benefit. In turn, the services provider should be willing to
commit contractually to meeting your service level requirements and back up
those commitments with financial penalties or other recompense if those service
level agreements are not met.

Risk and vulnerability assessment of Tara Jewels Ltd.:

We have, as a part of our assignment, carried out the risk and vulnerability
assessment of the above selected vendors. The assessment uses a points system
in which scores are allotted for each risk, taking into consideration the
likelihood of the event occurring and its impact on the business operation.


| Risk Area | Risk Description | Amazon Web Services | Google App Engine | Windows Azure | Rack Space | Force.com | Go Grid |
|---|---|---|---|---|---|---|---|
| Storage of Sensitive Enterprises Data | Information being exposed to be targeted by virtual machine boot malware, brute force attacks, and other attacks. | 7 | 9 | 8 | 9 | 8 | 8 |
| Loss of Governance/Security and Controls | Loss of Confidentiality and Integrity of Data | 4 | 5 | 6 | 7 | 6 | 7 |
| Vendors Data Retention Policy | Loss of Data | 3 | 3 | 4 | 4 | 5 | 5 |
| Network Policy & Access Services | Timely Remote Access to the Data/Information | 2 | 2 | 3 | 3 | 4 | 3 |
| Ownership of Data | Dispute relating to Ownership of Data | 3 | 3 | 4 | 4 | 5 | 3 |
| Data storage and its concurrency with the commonly accepted standardized format | Information not being available in the required format | 6 | 5 | 6 | 6 | 7 | 4 |
| Data loss and its Mitigation Strategy implemented by the Vendor (Disaster Recovery Strategy) | Loss of Confidential Information resulting. Business not being carried out for a substantial period of time. | 3 | 2 | 4 | 6 | 5 | 4 |
| Financial Stability of the Vendor | Vendor not being able to provide required services due to financial instability. | 1 | 1 | 3 | 4 | 7 | 8 |
| Support Structure provided by the Vendor | The vendor not being able to provide the required level of services, thus, benefit Realization from cloud computing is not done at its optimum. | 3 | 4 | 3 | 5 | 3 | 2 |
| Total Score Obtained | | 32 | 34 | 41 | 48 | 50 | 44 |


Basis of Risk and Vulnerability Assessment

| Score | Risk of the event occurring |
|---|---|
| 0 | No Risk |
| 1-3 | Low Risk |
| 4-6 | Medium Risk |
| 7-10 | High Risk |

From the above RISK AND VULNERABILITY ASSESSMENT OF TARA JEWELS
LTD, it is clear that Amazon Web Services bears low risk as compared to other vendors.
Hence the Company should outsource its IT Operations to Amazon Web Services.
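The points system can be re-tabulated mechanically. The following added example (not part of the original report) transcribes the nine score rows of the matrix, checks the column sums against the reported totals, applies the score bands, and lists each vendor's High Risk areas. The shortened row labels, the column order and the function names are assumptions made for this example.

```python
# Added example: scores transcribed from the report's risk matrix.
# Column order and shortened row labels are assumptions of this example.
VENDORS = ["Amazon Web Services", "Google App Engine", "Windows Azure",
           "Rack Space", "Force.com", "Go Grid"]
SCORES = {
    "Storage of Sensitive Enterprises Data": [7, 9, 8, 9, 8, 8],
    "Loss of Governance/Security and Controls": [4, 5, 6, 7, 6, 7],
    "Vendors Data Retention Policy": [3, 3, 4, 4, 5, 5],
    "Network Policy & Access Services": [2, 2, 3, 3, 4, 3],
    "Ownership of Data": [3, 3, 4, 4, 5, 3],
    "Data storage format": [6, 5, 6, 6, 7, 4],
    "Disaster Recovery Strategy": [3, 2, 4, 6, 5, 4],
    "Financial Stability of the Vendor": [1, 1, 3, 4, 7, 8],
    "Support Structure provided by the Vendor": [3, 4, 3, 5, 3, 2],
}
REPORTED_TOTALS = [32, 34, 41, 48, 50, 44]  # "Total Score Obtained" row

def band(score):
    """Map a 0-10 score to the report's risk band."""
    if not 0 <= score <= 10:
        raise ValueError(f"score out of range: {score}")
    if score == 0:
        return "No Risk"
    if score <= 3:
        return "Low Risk"
    if score <= 6:
        return "Medium Risk"
    return "High Risk"

def totals():
    """Sum each vendor's column across all risk areas."""
    return [sum(column) for column in zip(*SCORES.values())]

def ranking():
    """Vendors ordered from lowest to highest total score."""
    return sorted(zip(VENDORS, totals()), key=lambda pair: pair[1])

def high_risk_areas(vendor):
    """Risk areas where this vendor scores in the High Risk band."""
    i = VENDORS.index(vendor)
    return [area for area, row in SCORES.items() if band(row[i]) == "High Risk"]

if __name__ == "__main__":
    assert totals() == REPORTED_TOTALS, "transcription does not match report"
    for vendor, total in ranking():
        print(f"{total:3d}  {vendor:<20} High Risk: {high_risk_areas(vendor)}")
```

Run as a script, it prints the ranking; the lowest total (Amazon Web Services, 32) still contains one High Risk cell, storage of sensitive enterprise data at 7.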

IT Services to be outsourced:

As mentioned earlier, Tara Jewels Ltd must opt for the Infrastructure as a Service
model. In this view, Tara Jewels Ltd can outsource the following services:

1. Tara Jewels Ltd can opt for operating systems & applications provided by
Amazon Web Services.

2. Tara Jewels Ltd can obtain a data storage facility provided by Amazon Web
Services.

3. Tara Jewels Ltd can also obtain data processing facility & Network services.


Recommendations to Mitigate Risk:

It is very important for the Company to take into account the recommendations on
controls to be implemented to mitigate the risk of Outsourcing. The controls to be
implemented are described in the table below:

| No. | Risk Description | Controls for mitigation |
|---|---|---|
| 1 | Poor Selection of Vendor | Consider a detailed Study about vendors including current processes, customer references etc., rather than blindly believing the track record |
| 2 | Scope of the project | Phased approach with milestones and tradeoffs at various stages |
| 3 | Infrastructure breakdown beyond vendor’s control | Review and approve DRP of vendor. Audit data of drills by vendor. |
| 3 | Process and quality standards incompatible with vendor | Agreed upon standards and processes must be part of binding contract |
| | Reduced Employee motivation as outsourcing is perceived as loss of job | Establish proper employees role change and retention procedures |
| 4 | Security breach including confidentiality, IP and trade secrets | Require the vendor to meet security standards and monitor with effective auditing |
| 5 | Dependence on single vendor | Core processes, deliverables designed to be loosely coupled with vendor’s technologies, processes. |


Cost Benefit Analysis:

One of the main reasons for shifting to cloud is cost reduction. The points below
describe the benefits of cloud in terms of cost.

Strategic outsourcing can deliver savings and a reduced total cost of ownership
(TCO) for the organization in a number of ways.

Capital expenditures can be reduced and costs can be lowered. Outsourcing providers
make capital investments in hardware and equipment and share those costs across
multiple customers. This translates into a lower cost based on significant
economies of scale and allows their clients to reallocate those dollars to core
business needs.

Outsourcing allows the costs associated with IT to shift from the capital
expenditure (CapEx) budget to the operational expense (OpEx) budget, financially
positioning IT as an essential cost of doing business alongside other core costs of
sales.

Outsourced partners offer a way to reduce daily operational costs. The best
providers allow companies to scale IT operations, so they can control how much
is spent in high or low times.


Businesses can “pay as they go” with outsourcing providers. Such flexibility allows
companies to move from fixed to variable costs.

| IN-HOUSE | OUTSOURCING |
|---|---|
| UNEXPECTED EXPENSES: Thousands of out-of-pocket expenses; unpredictable on-going costs of management and upgrades | PREDICTABLE COSTS: Save thousands on development; on-going costs predefined, easy to budget; cost savings from economies of scale |
| STAFF/TRAINING BUDGET: Costly new hiring and training of dedicated Personnel | NO IT STAFF/REFOCUS IT STAFF: Lower cost of management and operations; 24x7 service desk and support |
| HIGH MAINTENANCE: Additional features such as security, capacity management, and device management are hard to deploy with lack of technical expertise and budgets | WORLD CLASS SERVICE: Solutions available right away; competitive pricing; extensive breadth and depth of services |
| RETENTION & TRAINING: In-house staff may not have the specialized training and experience; experienced staff may have high turnover rates | EXPERTS ON HAND: Technological Know-how; access to technical and IT engineering experts |
| YOU OWN THE HARDWARE & SOFTWARE: Huge Capital Investment | YOU DO NOT OWN THE HARDWARE: No Capital Expenses |


SUMMARY/CONCLUSION:

As Tara Jewels Limited is facing economic problems, it is necessary for them to
focus on the cost-benefit analysis. If they choose to outsource the IT activities,
costs might be lowered. Also, Tara Jewels Limited can increase productivity by
shifting the manpower & resources of its IT department to its core areas.

According to us, if Tara Jewels Limited decides to explore the option of
Outsourcing, there will be savings in the Cost. Taking into account the current
needs of the organization, we think that Infrastructure as a Service (IaaS) is
the best computing model for the Company.

After performing the risk and vulnerability assessment of vendors, we are of the
opinion that Amazon Web Services is the best service provider as the risk
involved is lower compared to other vendors.

Tara Jewels Limited can start by first introducing cloud computing into routine
processes, with a small amount of capital expenditure, and then increase usage as
necessary.
