S 1.11 Outsourcing


Description

In outsourcing, work or business processes of an organisation are transferred completely or partially to external service providers. Outsourcing can relate to the use and operation of hardware and software as well as to services. It is irrelevant whether the services are rendered on the customer's premises or on the outsourcing service provider's own premises. Typical examples are the operation of a computer centre, an application, a web site or the security service.

Outsourcing is a generic term that is often supplemented by more specific ones: Offshoring refers to the outsourcing of business and production processes to locations in another country. Task sourcing refers to the outsourcing of individual tasks. If information security services are outsourced, this is referred to as Security Outsourcing or Managed Security Services; examples are the outsourcing of firewall operations, network monitoring, virus protection or the operation of a Virtual Private Network (VPN). An Application Service Provider (ASP) is a service provider that operates individual applications or software on its own systems for its clients (e-mail, SAP applications, archiving, web shops, procurement); in this case, customer and service provider are connected via the Internet or a VPN. In Application Hosting, the operation of applications is likewise outsourced to a service provider, but in contrast to the ASP model the applications still belong to the respective client. Since the lines between classic outsourcing and pure ASP are becoming more and more blurred in practice, only the generic term "outsourcing" is used below.

The outsourcing and restructuring of business and production processes is an established part of modern organisational strategies, and the trend towards outsourcing is likely to continue in the foreseeable future. However, there are also published examples of failed outsourcing projects, in which the customer terminated the outsourcing contract and took the outsourced business processes back in-house (insourcing).

There are various reasons for outsourcing, for example: focusing an organisation on its core competencies, saving costs (e.g. no purchasing or operating costs for IT systems), gaining access to specialised knowledge and resources, freeing internal resources for other tasks, streamlining internal administration, improving the scalability of business and production processes, and increasing an organisation's flexibility and competitiveness.

When outsourcing IT-supported business processes, the IT systems and networks of the outsourcing organisation and its outsourcing service provider are usually closely connected with each other so that parts of internal business processes are run under the management and control of an external service provider. There is also intensive contact at the personnel level.

Due to the close connection to the service provider and the resulting dependency on its service quality, the customer is exposed to risks which, in the worst case, can even threaten the existence of the company or government agency (for example, sensitive internal information might be disclosed intentionally or accidentally to external parties). Security aspects and the contractual arrangements between the customer and the outsourcing service provider therefore play a central role in an outsourcing project.

This module therefore focuses on safeguards dealing with the information security aspects of outsourcing. This also includes suitable safeguards for checking the contractually agreed targets and services as well as the agreed security safeguards.

Threat scenario

The threat scenario of an outsourcing project is extremely complex. The decision to outsource a particular activity has a lasting impact on the strategic orientation of the organisation, the definition of its core competencies and the design of the value chain, and affects many other essential aspects of organisational management. Therefore, every effort should be made to detect and prevent undesirable developments for the company or government agency at an early stage.

The threats can exist in parallel at the physical, technical and personnel level and are listed below under the individual threat catalogues. In order to assess the respective risks quantitatively, the organisation's own assets and information must first be evaluated and classified according to their strategic importance for the organisation.

Force Majeure

T 1.10 Failure of a wide area network

Organisational Shortcomings

T 2.1 Lack of, or insufficient, rules
T 2.7 Unauthorised use of rights
T 2.26 Lack of, or inadequate, test and release procedures
T 2.47 Insecure transport of files and data media
T 2.66 Inadequate security management
T 2.67 Incorrect administration of site and data access rights
T 2.83 Flawed outsourcing strategy
T 2.84 Unsatisfactory contractual arrangements with an external service provider
T 2.85 Inadequate provisions for termination of the outsourcing project
T 2.86 Dependency on an outsourcing service provider
T 2.88 Negative impact of an outsourcing project on the organisational climate
T 2.89 Insufficient information security in the outsourcing introduction phase
T 2.90 Weaknesses in the connections with an outsourcing service provider
T 2.93 Inadequate contingency planning concept with outsourcing

Human Error

T 3.1 Loss of data confidentiality or integrity as a result of user error
T 3.105 Unapproved use of external services

Technical Failure

T 4.33 Poor-quality or missing authentication
T 4.34 Failure of a cryptomodule
T 4.48 Failure of an outsourcing service provider's systems

Deliberate Acts

T 5.10 Abuse of remote maintenance ports
T 5.20 Misuse of administrator rights
T 5.42 Social Engineering
T 5.71 Loss of confidentiality of classified information
T 5.85 Loss of integrity of information that should be protected
T 5.107 Disclosure of data to third parties by the outsourcing service provider

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

An outsourced business process or information system can consist both of components that are only located in the outsourcing service provider's area of influence and of components located on the customer's premises. In this case, there are usually interfaces to connect the systems. IT-Grundschutz must be ensured for each subsystem and for the interface functions.

An outsourcing project consists of several phases, which are briefly presented below.

Phase 1: Strategic planning of the outsourcing project

When taking the strategic decision on whether and in what form an outsourcing project is implemented, the security-related aspects must be worked out. Safeguard S 2.250 Determining an outsourcing strategy presents the essential points to be taken into account.

Phase 2: Definition of the most important security requirements

If the decision has been made in favour of outsourcing, the most important general security requirements for the outsourcing project must be specified. These security requirements are the basis for the tendering procedure (see S 2.251 Specification of the security requirements for outsourcing projects).

Phase 3: Choice of the outsourcing service provider

The choice of the outsourcing service provider is of particular importance (see S 2.252 Choice of a suitable outsourcing service provider).

Phase 4: Contractual arrangements

Based on the requirements specification, a contract stipulating the desired services, including quality standards and deadlines, must now be negotiated with the outsourcing partner in compliance with the applicable laws. Such contracts are often referred to as Service Level Agreements (SLAs). The contract must also clarify the specific modalities of the collaboration: contact persons, response times, IT connection, service checks, arrangements for the security precautions, handling of confidential information, exploitation rights, disclosure of information to third parties etc. (see also S 2.253 Contractual arrangements with the outsourcing service provider).

Phase 5: Creation of a security concept for the outsourced information system

In close collaboration, the customer and the outsourcing service provider must create a detailed security concept (S 2.254 Creating a security concept for the outsourcing project), containing a contingency planning concept (S 6.83 Contingency planning for outsourcing).

It will usually only be possible to complete phase 5 after the migration phase has been completed, as new findings which need to be integrated into the security concept emerge again and again during the migration of the IT systems and applications.

Phase 6: Migration phase

Particularly critical to security is the migration or transition phase which therefore requires careful planning (see S 2.255 Secure migration in outsourcing projects).

Phase 7: Planning and maintaining ongoing operations

Once the outsourcing service provider has taken over the systems and/or business processes, various safeguards such as regular checks and maintenance of the system(s) are necessary to maintain information security during ongoing operations (see S 2.256 Planning and maintenance of IT security during ongoing outsourcing operations). These safeguards must be planned in advance, and emergency and escalation scenarios must be taken into account in this planning.

The bundle of security safeguards relating to outsourcing is presented below.

Planning and design

S 2.40 (A) Timely involvement of the staff/factory council
S 2.42 (A) Determination of potential communications partners
S 2.221 (A) Change management
S 2.226 (A) Procedures regarding the use of outside staff
S 2.250 (A) Determining an outsourcing strategy
S 2.251 (A) Specification of the security requirements for outsourcing projects
S 2.254 (A) Creating a security concept for the outsourcing project

Purchasing

S 2.252 (A) Choice of a suitable outsourcing service provider

Implementation

S 2.253 (A) Contractual arrangements with the outsourcing service provider
S 2.255 (A) Secure migration in outsourcing projects
S 2.460 (C) Regulated use of external services
S 3.33 (Z) Improper use of cryptomodules
S 5.87 (C) Agreement regarding connection to third party networks
S 5.88 (C) Agreement regarding the exchange of data with third parties

Operation

S 2.256 (A) Planning and maintenance of IT security during ongoing outsourcing operations

Disposal

S 2.307 (A) Well-ordered termination of an outsourcing service relationship

Contingency Planning

S 6.83 (A) Contingency planning for outsourcing