Information Assurance Perspective on Cloud ERP Solution Implementation for Lesley Stowe Fine Foods (LSFF) - Term Paper Example

Information Assurance perspective on cloud ERP solution implementation for Lesley Stowe Fine Foods (LSFF) Lecturer: Introduction Information Assurance (IA) essentially deals with complex social as well as ethical issues like integrity, confidentiality, and availability. The core element in IA involves considerations that normally focus on protecting integrity, availability, and confidentiality of systems from external and internal attacks, accidental damage and environmental threats (Birchall, Ezingeard, McFadzean, Howlin, & Yoxall, 2004). In LSFF, it is clear that the management is carefully considering monitoring mechanisms appropriate to the enterprise’s prevailing conditions. Implementation of cloud ERP solution is a viable option for the enterprise; however, its implementation needs to meet information assurance objectives. Many variables like risks and values exist within any cloud program or opportunity that influences the perspective of the adopted cloud application be it from a business or risk perspective (Information Systems Audit and Control Association, 2011). Nevertheless, the enterprise needs to weigh the variables in order to decide if cloud ERP is the appropriate solution. Clearly, for LSFF to support future business development, the enterprise needs to enhance its IS and IT infrastructure while ensuring it does not incur huge expenses on expensive software and hardware licenses (Compeau& Scott, 2013). Many of these values and risks that affect information assurance in cloud computing vary and include the form of cloud service model, robustness of the existing enterprise IT operations, the prevailing level of business risk acceptance in the enterprise and the risk from the cloud service provider (Information Systems Audit and Control Association, 2011). Through the cloud ERP solution, LSFF incorporates the value-adding solution to the enterprise by changing its perspective through IA in order to enhance competitive advantage for the business. The paper evaluates the comprehensive concept of IA offered by the cloud ERP solution to ensure that IS serves LSFF’s transactional needs like operational capability and transformational needs like rapid adaptation, innovation and knowledge management. Problem Overview Over the past 10 years, LSFF witnessed phenomenal growth, which in return had implications on the information systems and IT. Although during this period, rainforest Crisps, which was the enterprise’s core product, was available in more than 4,000 outlets across North America, LSFF’s distribution of the product in US was limited. In addition, even though the enterprise in 2010 moved to a large-scale manufacturing location outside Vancouver through prudent investment that significantly improved LSFF’s production capability without major overhead increases, Growth into the US remained a challenge. Given the remarkable domestic growth and success of LSFF and strong preliminary results in US, it appeared that LSFF was poised for exponential growth as it ventured into the US market. However, LSFF’s software as a service (SaaS) platform for the ERP system lacked the fundamental functionality required to fulfill the needs of each business unit. For instance, simple tasks of business reporting took up to 10 hours to accomplish and strained LSFF’s management resources. During the early years of the enterprise, LSFF’s operations were small and its operations were extremely simple; however, as the enterprise grew issues that were evident in certain business units tended to affect the whole enterprise. Although a cross-functional approach in the enterprise allowed LSFF crew to be, remarkably nimble during the high growth of the enterprise, in 2012 the sustained growth began to strain the management ability in LSFF (Compeau& Scott, 2013). For instance, “communication between managers became increasingly difficult as each business segment came to be larger and more complex” (Compeau & Scott, 2013, p.3). In addition, the lack of low-level staff often compelled managers to accomplish time-consuming tasks that would usually be beyond their scope of responsibility (Compeau& Scott, 2013). As the enterprise initiated dedicated production of crisps, its combination of small volume and focus on local distribution meant that the enterprise required a basic IS (Information System). The IS allowed manual data collection through handwritten notes and Excel spreadsheets that enabled manual tracking and compilation of information. However, as the company grew rapidly, the IS became increasingly intricate as LSFF increased volume and its geographic distribution while incorporating new flavors. In 2006, LSFF management was unable to efficiently process and record data informally, which necessitated the enterprise to adopt software as a service (SaaS) ERP platform via boutique software firm. Although the ERP system was implemented to support two essential activities that include supporting data collection and reporting in certain business functions and consolidating the recorded data in separate functions to support enterprise-level management, the inception of the ERP framework frustrated the management through various problems. For instance “for some business segments, such as production and inventory management, the system’s limited functionality necessitated continued use of manual information recording and processing” (Compeau& Scott, 2013, p.3). In other business segments like shipping, the ERP system offered no functionality promoting the time consuming manual processes for data collection performed by managers. In addition, the issues were compounded by poor ongoing services offered by the vendor who the enterprise believed provided inadequate response to basic problems. As well, the lack of dedicated IT staff accompanied by the poor support for the ERP system compelled managers to use manual processes once technical issues came up. Given that the prevailing ERP system offered almost nothing of the guaranteed functionality associated with data integration in various business segments, LSFF required a cloud ERP solution that addressed the lack of efficient applications in the information system. Data integration in the enterprise is essential in supporting decision-making at the business level because the prevailing system has poor support for information assurance owing to the fact that collection of information in every business unit incorporates manual compilation. To help establish information assurance of cloud ERP solution in the enterprise, the term paper establishes objectives of cloud ERP system and evaluates the various information assurance offerings provided by the implementation of cloud ERP solution to LSFF’s business. Information assurance objectives Although technology provides disaster in various forms and size, cloud computing solution helps in maintaining information assurance as well as business continuity through the various prevention practices against the increased malware that often overwhelm on-premise IT professionals (Winkler, 2011). Information assurance is among the newly advanced processes for protecting information that developed from information system security and computer security (Qian, 2008). Therefore, information assurance according to US government as cited by Boyce & Jennings (2002) incorporates information operations useful in protecting and defending information as well as information systems by guaranteeing their integrity, availability, non-repudiation, authentication, and confidentiality. Information is undeniably critical to the enterprise because it functions as an output in the organization as well as a resource for producing the output. Hence, protection of the enterprise’s information is vital in guaranteeing its survival, growth and coexistence just like the enterprise’s cash flow establishes its financial bearing and its productive abilities determine the organization’s operations posture. Various conditions are capable of threatening the IA posture of the organization; hence, the security of its information. Besides, information assurance offers a way of defending and protecting information systems as well as organizational information. Since information is integral to management and even operation of an enterprise (Qian, 2008), protection of the information equates to protecting LSFF’s right to grow, coexist and survive. The fundamental level of IA involves protecting the right of an organization and people. In accomplishing this, IA involves two perspectives. First, IA’s capabilities of offering the organization with the capacity to protect its own rights like entities for survival, coexistence, and development because information is core to operations and management (Qian, 2008). Second, IA’s capabilities to offer the organization the ability to secure the rights of other parties that sustain and interrelate with the enterprise (Qian, 2008). These parties in this case include the 4,000 stores that LSFF needs to interact interrelate with, potential consumers, suppliers as well as other allied organizations. As implied so far, IA encompasses both dependability and security aspects. In guaranteeing IA, computer or information security mainly focuses on issues associated with confidentiality, integrity, and availability or the (CIA) of information (Qian, 2008). Confidentiality ensures that highly sensitive information is never revealed to some user while integrity refers to legitimacy of information or even its sources. Availability points out that computer or information resources are available on a timely manner to authorized users. Other security aspects in information assurance include accountability, which ensures that the actions of an entity are uniquely traceable to the entity; non-repudiation that ensures that an entity is unable to deny its actions; and security assurance that points out the confidence in an IS to accomplish security requirements. Policy models and architectural solutions are investigated extensively to address issues associated with specification and implementation of security requirements in networked information systems (Tipton, 2012). Apart from proactive and preventive measures, reactive measures, which involve detection accompanied by response as well as recovery, are continually developed to ensure they address protection issues. Moreover, cryptography techniques are extensively utilized as ways of attaining the aforementioned security objectives for guaranteeing IA (Qian, 2008). On the other hand, the dependability aspect primarily focuses on the manner in which to express quantitatively the capability of a system in order to offer its required services in case of failures through measures of availability, reliability, per-formability, and safety (Qian, 2008). Reliability points out the probability of a system providing its services over the specified period. Availability being a core objective in security also specifically refers to the amount of time a system provides its projected services within a specified time (Qian, 2008). Safety points out the probability of a system not failing in a manner that can result in major damage. While per-formability quantitatively evaluates the performance intensity of a system when there are failures. At this point, it is worth noting the contrast between dependability aspect and security aspect since dependability uses quantitative measures that are scarce in the security aspect (Qian, 2008). Cloud Computing Security Considerations Since some essential information and applications are shared over public clouds, various security concerns have been raised and as the adoption increases, the risks will increase. Nevertheless, cloud computing has moved from being a buzzword into a business trend that significantly affects the way organizations operate (Winkler, 2011). Cloud computing as an emerging model for service provision is acknowledged for decreasing costs since it involves sharing of computing as well as storage resources accompanied by an on demand mechanism. These features not only affect directly IT budget but also the conventional trust, privacy and trust mechanisms (Pearson & Yee, 2013; Carstensen, 2012). Although cloud computing may gain more importance as cloud and cloud service provider markets increase, cloud vendors faces certain risks and challenges that are cloud-related. For instance, when considering risks associated with cloud computing, the core element that needs consideration is the way the cloud environment influences the trust frontier. Security as well as data privacy concerns form the critical barriers for adopting cloud service. Hence, security is the major hurdle between cloud computing and its full potential. Therefore, even though cloud-computing components offer compelling solutions to information technology issues, it is never completely secure or risk-free (Chang, Abu-Amara & Sanford, 2010). Hence, management has the responsibility of eliminating security risks in order to protect data and systems. Organizations need to recognize threats that their assets may suffer (Pearson & Yee, 2013). In the cloud-computing scenario, security threats arise from several sources like security flows by the CSP, loss of availability, attacks originating from outside parties and other clients in the same cloud among others (European Conference on Information Warfare and Security, In Kuusisto, In Kurkinen & Jyväskylän yliopisto, 2013). In this section, evaluation of various security considerations takes place in order to guarantee information assurance in an organization. Trust Although cloud users in mitigating identified risks can opt to configure Service Level Agreements (SLAs) or request the cloud service providers to meet specific control objectives, it all boils down to the core element of trust, an essential component in business model of cloud computing (Information Systems Audit and Control Association, 2014). There are no sufficient agreements and controls for mitigating all concerns if trust is never a factor in the relationship between the client and the supplier (Pfleeger & Pfleeger, 2012). Therefore, when considering cloud implementation, it is paramount to be acquainted with all the involved parties as well as their physical locality. The parties involved are not only the cloud service provider (CSP) and its employees but also the various vendors who may be in close contact with cloud service provider; hence, able to come into contact with the data from users. To establish trust, it is essential to ensure that the CSP is trustworthy by establishing that the supplier does not engage in fraudulent activities and that the supplier is economically solvent (Tipton, 2012). The rule of thumb in establishing trust involves selecting CSPs with considerable history in cloud services who can offer concrete business references (Information Systems Audit and Control Association, 2014). Security identification of threats Cloud computing customers are equally excited and nervous at the prospects offered by cloud computing (Alliance, 2010). The excitement results from the opportunity to decrease capital costs, divesting from infrastructure management to focus on essential competencies and most importantly the agility provided by on-demand computing provision as well as the capability to align IT with business needs and strategies. Nevertheless, customers are concerned with risks associated with cloud computing when the clouds are inappropriately secured resulting in loss of control of systems for which they are accountable. Although various issues result in significant risks to cloud-computing consumers, various issues are greatly increased by the core traits of cloud computing as well as its shared nature. According to Alliance (2010), these threats include: Abuse and despicable utilization of cloud computing Insecure API (Application Programming Interface) Malicious insiders Vulnerabilities of shared technology Data leakage/loss Service, account and traffic hijacking Unidentified risk profile Choosing the suitable security control and optimally deploying rare security resources necessitate correct evaluation of the threat. For instance, extending Insecure API is considered a huge threat since a customer’s project that requires deploying custom line-of-business application through PaaS dictates considerable attention to application security domain like robust (SDLC) software development lifecycle practices. In the same breadth, extending shared technology vulnerability is a big threat; hence, customers need to be concerned with best practices for virtualization domain to protect resources commingled within the shared environment (Alliance, 2010). The threat of abuse and despicable utilization of cloud computing enable criminals to leverage continuously fresh technologies in order to enhance their reach, improve effectiveness and avoid detection. CSPs are continuous targets owing to their comparatively weak registration system that facilitates anonymity accompanied by the limited capability of the CSPs to detect fraud. To mitigate these threats there is need for strict initial registration as well as validation process, improved fraud management and coordination in credit card, widespread introspection of the customer’s network traffic and scrutinizing public blacklists to use in individual network blocks (Alliance, 2010). Although many CSPs strive for proper integration of security in their models, it is essential for customers to understand the threat of insecure interface and APIs and implications related to their usage. Relying on weak interfaces and APIs exposes an organization to various security issues associated with availability, accountability, integrity and confidentiality. The availability and security of the cloud services relies on these basic APIs. To mitigate threats associated with insecure interfaces and APIs, the enterprise has to evaluate the security model in the interfaces provided by the cloud provider, ensure concrete access control and authentications are implemented together with encrypted transmission, and even understanding the dependency sequence related with the API (Alliance, 2010). Threat of malicious insiders is acknowledged by many organizations. However, the threat is augmented for users of cloud service because of the convergence of information technology services and clients into a single domain of management coupled by the lack of transparency regarding the provider’s procedure and process (Josyula, Orr & Page, 2012). The effect of malicious insider is considerable because of their level of access and capability to infiltrate assets and organizations. Brand damage, productivity losses, and financial impact are some of the ways malicious insiders affect operations. When an organization adopts cloud computing, the human component takes on more profound significance (Kandias, Virvilis & Gritzalis, 2013). Therefore, it is essential for consumers of cloud computing to comprehend the operations CSP perform to detect and prevent malicious insider threats. To guarantee information assurance, there needs to be stringent supply chain control and comprehensive supplier assessment, specifications for the requirements of human resource as legal contract, determining the notification process for security breach and transparency in overall management practices and information security and even compliance reporting (Alliance, 2010). Data loss or even leakage is a threat that has devastating effect on business. Apart from damaging a brand’s reputation, data loss can significantly affect partner, employee as well as customer trust and morale. Moreover, the loss of essential intellectual property can have financial and competitive consequences. Worse still, depending on the leaked or lost data, there may be legal ramifications and compliance violations. However, to guarantee IA, implementation of concrete access control in API is necessary, encryption, and protection of data in transmission. Moreover, there is need for evaluation of data protection during design as well as run time, contractually identify provider backup as well as retention strategies, implementation of tough key generation, management, storage and even destruction practices (Alliance, 2010). The threat of account or service hijacking normally involves stolen credentials making it a huge threat. Using the stolen credentials, attackers often access core areas of implemented cloud services, which in return compromise integrity, confidentiality, and availability of the services. Therefore, an organization needs to be aware of such techniques and regular defense with regard to depth protection approaches to contain such damage as well potential litigation because of the breach. To offer IA and protect against this threat, an organization needs to ensure that there is no sharing of account details between services and users and leveraging tough two-factor verification techniques where appropriate. As well, the organization needs to incorporate proactive monitoring in order to establish unauthorized activity and understand the CSP’s security policies as well as SLAs (Alliance, 2010). Confidentiality and privacy Cloud computing environment presents significant implications to confidentiality and privacy in business. The main privacy concerns in cloud computing relate to compliance, access, retention, storage, privacy breaches, and destruction of data. However, to increase IA, there has to be a way of protecting confidentiality of data through encryption. Nevertheless, this alone does not guarantee integrity of personal information. Issues in confidentiality and privacy vary with the terms established by the cloud provider. Therefore, to help address the confidentiality and privacy issues, the users of the cloud service must request the provider to incorporate in the contract a privacy and confidentiality clause that identifies liability of parties (Spagnoletti, 2013). Integrity Besides confidentiality of data, the customer of cloud computing service also has to consider integrity of the data. Although encryption is useful in ensuring confidentiality of data, the customer may have a way of validating the integrity of such data. Therefore, to deal with these issues, the CSP should frequently check for integrity by tracking data checksums and repairing data in case corruption is detected through redundant data. Therefore, data in transmission needs checksum validation in order to discover any corruption. This is great of guaranteeing IA in an organization (Vacca, 2013). Availability Supposing the client’s data maintains its integrity and confidentiality, the customer should be concerned about its availability. The client concerns arise from three major threats: the CSPs own availability; backups or redundancy; and network-based attacks. Availability is normally stated within the SLA and clients pay for different levels of availability depending o their level of risk tolerance. In dealing with issue of cloud computing, the CSP may offer redundant storage (systemic and geographic), versioning and large-band width connectivity in order to eliminate issues resulting from availability problems (Vacca, 2013). LSFF security assessment This security analysis for LSFF will involve qualitative security assessment to estimate threats, and vulnerabilities to the enterprise. The assessment’s objectives include gathering information about the current system and identifying the system’s boundaries. Security assessment methodology As privacy and security regulations increase in the modern world, LSFF’s current business environment faces an overwhelming task of proactively managing risks and the best way of ensuring the business is constantly in touch with potential security issues involves performing regular security assessments. The assessment methodology chosen identifies, analyses, prioritizes security risks capable of compromising integrity, availability and confidentiality of data. Moreover, the methodology also identifies inadequate controls and even those that are missing completely. The methodology involves the processes of establishing the organization’s assets, categorizing them with regard to their sensitivity, establishing threats that affect the assets and even security controls for mitigating the threats. Step 1: List of information assets LSFF’s current information assets include MonkeyMedia for use in sales order fulfillment, production, inventory management, and accounting. Moreover, LSFF utilizes spreadsheets in production and SalesForce.com for optional marketing or relationship management as well as Ceridian, which is out of scope to manage the payroll (Compeau & Scott, 2013). The enterprise lacks essential internal IT staff. Step 2: Classifying information assets The objective involves categorizing the identified information assets depending on the way they address confidentiality, availability, and integrity. Table 1 below shows the comparison of the assets depending on how they meet confidentiality, integrity, and availability issues. The level the assets support these IA aspects depends on the range between 1 and 5 with five being the best possible support while one being the worst. Table 1 Step 3: Threat analysis The main objective in this phase is to establish the existing threats that affect information assets in the enterprise. LSFF pointed out that it does not have its own internal IT staff, which is essential in coordinating the other information assets in the organization and checking any potential threats to the existing assets (Compeau & Scott, 2013). This is a huge threat to the enterprise not only in terms of securing the confidentiality and integrity of data in the organization but also availability because managers point out that when there are technical difficulties they end up performing their tasks manually. MonkeyMedia, which is one of the information assets in the enterprise, is useful in various operations in the business (Compeau & Scott, 2013); however, it does not support confidentiality and integrity aspects in IA. For instance, in some instances like in production and inventory management apart from using MonkeyMedia, manual processes are also incorporated (Compeau & Scott, 2013). This lack of a smooth way for using MonkeyMedia in the enterprise threatens confidentiality, availability, and integrity of data in the business. Moreover, spreadsheet use is evident in production at the enterprise and functions together with manual processes and MonkeyMedia in accomplishing this task (Compeau & Scott, 2013). However, manual processes and spreadsheets threaten availability of data in the business. In addition, spreadsheet use also threatens confidentiality and integrity of the data in the business. SalesForce.com is another information asset at LSFF enterprise; however, it serves an optional scope in marketing or relationship management. Since SalesForce.com serves optional scope, this threatens availability of up-to-date information regarding marketing or relationship management. Ceridian being the other information asset in the organization is useful in the management of the payroll (Compeau & Scott, 2013); however, this asset is out of scope in its operation threatening availability of data regarding payroll and confidentiality and integrity of the data. Step 4: Security control analysis This phase aims at identifying the prevailing security controls in every information asset and detecting any extra controls that need to be in place. LSFF does not have clear security controls in place; however, it is clear the various information assets can benefit from physical and administrative security measures provided by an internal IT staff. This would diminish every threat to the enterprise’s IA and provision of services. For instance, Blyth and Kovacich (2006), indicate that threat from natural disasters can adequately be minimized if an organization puts in place controls for recovery plan, backup and physical security. The aim of these control measures is to ensure that information assets like spreadsheets, SalesForce.com and Ceridian that are found to have high risk factors have adequate security controls. Gap analysis The objective is to establish security controls that are currently missing or those that are not working properly in the structure. Given the poor IS in LSFF, there is lack of clear security controls in the organization. The enterprise does not offer a detailed IT infrastructure in its manufacturing plant; however, indicators in the case study assist in deducing the prevailing environment. Both employees and managers utilize Excel spreadsheets, an indication that the enterprise uses desktop computers installed with Microsoft suite. Moreover, there are indications that the enterprise is connected to the internet through a local ISP; however, since it does not have an in-house support it possibly contracted the ISP to operate its local mail server (Compeau & Scott, 2013). The IT infrastructure in the case study does not provide information regarding backup and recovery administration, in-house software development, network devices and locally managed servers. This provides a good indication of the gap between the enterprise needs and the current system it uses in its operation. The enterprise’s backup and recovery as well as physical security of data and high availability of the data seem to be highly compromised in the current IS. This in return affects the integrity, confidentiality, and availability of data necessary in ensuring information assurance in the enterprise. To help deal with IA challenges, the business has to ensure it has high redundancy and availability components as well as backup and recovery capabilities. Results IA extends even to business assurance, capability assurance, mission assurance, or business functionality assurance (Willett, 2008). Aligning information assurance with business functionality safeguards or enables the functions of the business. The study of LSFF’s operations reveals IA issues that encompass the entire corporation. So far, it is clear that providing cost-effective and efficient use of security resources is difficult without considering security aspects in information and ISs. Although, according to Boyce and Jennings (2002) somewhere within an organization there is need for personnel responsible for information assurance, LSFF lacks internal IT staff. This way, the enterprise seems to have ignored their input because it fails to integrate their functions, concerns, requirements, and processes that in return ignores some of the essential assets in the enterprise, which need protection. Therefore, it is clear that LSFF needs a way of guaranteeing full compliance with IA policies in its operations and as indicated they could be automated or non-automated approaches with varying degrees. There are several perspectives to consider IA in an organization with different objectives. Internal control perspective that focuses on ensuring that management information is accessible and trustworthy while IS perspective, which aims at protecting an enterprise’s IS in order to maintain continuity as well as trust in customers and business partners. Moreover, asset management point of view that aims at protecting an organization’s assets that include proprietary information and knowledge. However, in the case study, various levels through which IA strategy can be developed in LSFF seem to lack considerable perspective causing the prevailing IA gaps in the business (Compeau & Scott, 2013). The lack of alignment of these perspectives to the enterprise strategy resulted in disjointed plan in IA areas in the enterprise. In addition, the gap between the perspectives resulted in replication of labor in specific parts of the organization. Asset management perspective indicates that LSFF needs to protect its information and physical assets while business perspective establishes the need to share information as essential. Below is a figure that illustrates the current misalignment between the 3 information assurance perspectives. Linkage to Group Solution Overview Information assurance represents a shift from a preventative to an enabling approach ensuring that IS embody a source of competitive advantage through structural integrity the same way as the information they deliver (Birchall, Ezingeard, McFadzean, Howlin & Yoxall, 2004). In offering a comprehensive IA concept in LSFF, the enterprise will need to embrace an information system that serves the organization’s transactional and transformational needs as well as knowledge management laid out in the group solution. In order to take such an advanced move toward IA, the provided solution requires the organization to enhance its IS and IT infrastructure. Through the cloud ERP solution, the enterprise can concentrate on its core business while the technical operations remain with the experts. Besides, in case the enterprise needs to implement an on-premise solution, LSFF will have to part with considerable amount of resources in setting up a dedicated IT department that incorporates the necessary IT infrastructure to meet IA goals. Conclusion The prevailing IT infrastructure and IS in LSFF is unable to accomplish tasks in the organization because of the increased demands from its outlets in USA and Canada. This necessitated the organization to request proposals for an ERP solution. Although, there are concerns arising from cloud computing, cloud-ERP solution is ideal for the business in providing the required services to LSFF’s outlets at a low cost. The concerns arising from cloud computing can be dealt with in order to offer IA to clients of cloud computing service. The prevailing SaaS in LSFF not only threatens IA but also affects business operations since managers opt for manual processes instead of using the current IS. Although, on-premise solution would be ideal for the enterprise, there are limitations that include lack of sufficient IT infrastructure, IT staff, and distinct outlets. The limitations for implementing an on-premise solution include the need for the enterprise to invest considerably in IT infrastructure, which can affect the operations of the business. Although, cloud ERP solution is recommended for the enterprise to save the business considerable costs, in future the business will need to evaluate if the recommended solution fully addresses IA goals and business needs as required. This evaluation will help in determining if the saved costs are worth it or if there is need to incur the cost in implementing an on-premise solution that satisfactorily deals with both business and IA goals. References Alliance, C. S. (2010). Top threats to cloud computing v1. 0. Cloud Security Alliance, USA. Birchall, D., Ezingeard, J. N., McFadzean, E., Howlin, N., & Yoxall, D. (2004). Information assurance: Strategic alignment and competitive advantage. Grist Ltd. Blyth, A., & Kovacich, G. L. (2006). Information assurance: Security in the information environment. London: Springer. Boyce, J. G., & Jennings, D. W. (2002). Information assurance: Managing organizational IT security risks. Amsterdam: Butterworth-Heinemann. Carstensen, J. (2012). Cloud computing. Ely: IT Governance. Chang, W. Y., Abu-Amara, H., & Sanford, J. F. (2010). Transforming enterprise cloud services. Berlin: Springer. Compeau J. & Scott D. (2013). Lesley Stowe Fine Food: The ERP decision. Richard Ivey School of Business Foundation. European Conference on Information Warfare and Security, In Kuusisto, R., In Kurkinen, E., & Jyväskylän yliopisto,. (2013). Proceedings of the 12th European conference on information warfare and security: University of Jyväskylä, Finland, 11-12 July 2013. Information Systems Audit and Control Association. (2011). IT control objectives for cloud computing: Controls and assurance in the cloud. Rolling Meadows, IL: ISACA. Information Systems Audit and Control Association. (2014). Vendor management using COBIT 5. Rolling Meadows, IL: ISACA. Josyula, V., Orr, M., & Page, G. (2012). Cloud computing: Automating the virtualized data center. Indianapolis, IN: Cisco Press. Kandias, M., Virvilis, N., & Gritzalis, D. (2013). The insider threat in Cloud computing. In Critical Information Infrastructure Security (pp. 93-103). Springer Berlin Heidelberg. Pearson, S., & Yee, G. (2013). Privacy and security for cloud computing. London: Springer. Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A threat/vulnerability/countermeasure approach. Upper Saddle River, NJ: Prentice Hall. Qian, Y. (2008). Information assurance: Dependability and security in networked systems. Amsterdam: Elsevier/Morgan Kaufmann. Spagnoletti, P. (2013). Organizational change and information systems: Working and living together in new ways. Berlin: Springer. Tipton, H. F. (2012). Information Security Management Handbook, Volume 6. Hoboken: CRC Press. Vacca, J. R. (2013). Computer and information security handbook. Amsterdam: Morgan Kaufmann Publishers is an imprint of Elsevier. Willett, K. D. (2008). Information assurance architecture. Boca Raton: CRC Press. Winkler, J. R. (2011). Securing the cloud: Cloud computer security techniques and tactics. Burlington, MA: Elsevier. Read More