T 2.84 Unsatisfactory contractual arrangements with an external service provider
If situations arise which are not clearly specified within the contract, this could result in disadvantages for the client (e.g. in the framework of an outsourcing project).
For example, an outsourcing client could be held responsible for security deficiencies which fall within the responsibility of the outsourcing service provider, but are not clearly specified within a contract.
A major reason for problems between the parties to a contract is overly optimistic cost estimates. If it turns out that the outsourcing service provider is not able to provide the service at the costs calculated and offered, or if the parties disagree on what was "understood", this can directly lead to security problems. Experience shows that when cost pressure arises in other areas, compromises are made on information security, because savings there can be made without any consequences becoming immediately obvious. Therefore, the contractual arrangements between client and contractor are of critical importance. Only what has been specified in the contract from the beginning is sure to be put into practice later on.
Additional examples of consequences of unsatisfactory contractual arrangements with external service providers include:
- The client is not able to fulfil his/her obligation to provide information to regulatory authorities or external auditors if the service provider does not grant access to his/her premises or the necessary documents.
- The client must bear responsibility for violations of applicable laws if the service provider was not contractually bound to comply with these laws.
- The description of tasks, performance parameters, and efforts is insufficient or ambiguous, which results in failure to implement security safeguards due to ignorance or lack of resources.
- The client is not able to meet new requirements (e.g. technical, legal regulations, availability, technical development) if change management and system adjustments are not sufficiently specified within the contract.
- In the case of outsourcing projects, the top management of the client may be fully responsible for the outsourced business areas but may not be able to fulfil this responsibility due to lack of control capabilities.
- Outsourced data or systems are inadequately protected if their protection requirement is not known to the outsourcing service provider.
- The service quality is poor and there is no possibility of intervention since no sanctions were stipulated in the contract.
- The service provider withdraws qualified personnel, or the stand-ins for the permanent staff are not sufficiently prepared, which may result in security problems.
Specific problems often occur when service agreements are terminated (see T 2.85 Inadequate provisions for termination of the outsourcing project) and this situation is insufficiently regulated in the contract.