¶ … business organizations incorporate risk management practices of risk IT framework to overcome the security and privacy issues of cloud computing?" The survey questions highlighted the way that managers within these organizations approached this problem from the perspective of philosophy and function. At a fundamental level, most managers understood the need for security, which is the basic starting point. In practice, however, the managers of the different departments noted that not all best practices are adhered to. The solutions that there determined to be the best most common were that security practices are kept in-house, that there are data logs and that there are procedures in place for implementing a hierarchy of access for sensitive data. All companies employ certified, qualified dedicated systems analysts in security, another important consideration. These are the best practices that organizations have to incorporate risk management practices of risk IT framework to overcome the security and privacy issues of cloud computing. There were also three secondary research questions. The first of these was "How important are the organization's and people's data when deploying cloud computing systems?" The findings indicate that data is considered to be quite important. There are qualified security people in place to ensure a high level of security, and the organization typically maintains its own in-house security protocols. Furthermore, having a hierarchy for access to data is an important element of cloud computing security. That these practices are widespread shows support for the idea that data is an important consideration that it taken into account when deploying cloud computing systems.

The next secondary research question was "To what extent do collaborations exist between business and cloud computing vendors?" The responses indicated that there was some concern with the vendors. This could be because the vendors are out of control of the in-house IT managers, for example. But vendors were frequently subjected to security checks prior to signing contracts, and very few managers expressed support for outsourcing security with respect to the cloud. This desired to keep security issues close, and to avoid leaving security entirely as a vendor role, indicates that most IT managers are uncertain about the security practices of the vendors.

The final secondary research question is "How can risk IT framework be incorporated to the operations domains of cloud computing?" There is a gap in some instances between the best practices of these companies and best practices. Some of these gaps are with fairly simple things, such as passwords. Where these gaps exist there are opportunities to use the risk IT framework in order to improve the risk management practices of these organizations.

Implications

The study provides insight into the risk management practices within a couple of different organizations. These insights show that there are many different areas where risk management practices can be improved. In these organizations, the managers appear to get some of the big things right, like having certified and qualified staff, but they are still getting little things like passwords wrong. These are exactly the sorts of risks that expose many organizations unnecessarily. Effective risk management is not...

This study shows that there is still some work to do, within these organizations, in terms of improving risk management practices. Using risk IT framework, some of these issues can be overcome, as they relate to cloud computing.
Limitations

The study is limited in a couple of ways. First, the survey was conducted among managers of two organizations, so it cannot be extrapolated beyond that. The samples were done on the basis of convenience sampling and no attempt was made at randomization, so this should be viewed more as a case study than anything that can be extrapolated to a broader population. The other major limitation of this study is that the response rate was quite low. Of the original 60 surveys that were sent out, only 22 were returned, which gives a return rate of 36.7%. This is a fairly low return rate. Furthermore, the people who returned the survey were self-selecting. This may create a bias, for example that only managers who felt their IT security performance with cloud computing was strong enough would return. Others might avoid answering the survey for fear of revealing that their security practices are actually rather poor. So the self-selection bias could potential skew the results towards showing better security practices among the population than may actually exist. This cannot be tested for, but it is important to realize that this limitation exists.

Delimitation

The choice of the population was done on the basis of convenience. This delimitation has ruled out extrapolating the results beyond the population studied. Other organizations, and other industries, may have dramatically different practices than the ones studied here. Given more time and resources, this delimitation could have been eliminated.

The research also specifically omitted asking questions that directly references IT risk framework. The main reason for this was that it would be left to the researcher to examine how well these practices fit the framework, rather than asking the survey respondents to familiarize themselves with this framework and make their own assessments. The differences that might exist in understanding the framework or how it applies to their businesses would introduce too much variability in interpretation to the results for them to be valuable. Thus, this particular line of questioning was not introduced, but rather the paper was structured for this framework to be implemented by the researcher. Importantly, that includes outlining how the organizations in question can introduce the framework going forward to improve their IT security processes with respect to cloud computing.

Significance of the Research to Leadership

The research has some bearing on leadership of IT because leadership is on all elements. First, there is the philosophical element, wherein the leader needs to set the cultural tone for the organization. It is important at that stage that the leader instills a baseline ethic with respect to IT security practices. The research also relates to best practices, which come from leadership. Not only does leadership set out such practices, but leadership is also responsible for ensuring that best practices are adhered to. So there are some rather pragmatic significance to…