T 2.89 Insufficient information security in the outsourcing introduction phase

An outsourcing project is usually implemented in several steps. In most cases, the introduction phase involves drastic internal changes on the part of the customer. In addition to this, an outsourcing project is accompanied by stringent scheduling and financial general conditions. There is often no time for regular security inspections and audits. To comply with deadlines and budgets during the introduction phase, the quality of the work is often affected adversely and security concepts are neglected. This, however, has a significant impact on information security. Other potential threats to information security include among other things:

• Temporary solutions are operated with low security standards. In this respect, it is often argued as follows: "The main thing is that it is running!" However, the operation of such temporary solutions is often continued for years to come for different reasons.
• Due to the lack of time and resources, "old systems" are neglected whilst the new systems are being worked on.

Triggered by the high workload and time pressure, the problems are intensified due to deliberate or accidental negligence or errors. Possible reasons include the following:

• During the introduction phase, the systems affected by the outsourcing must be operated in parallel.
• The connection to the outsourcing service provider results in many new organisational and technical interfaces.
• Employees must become acquainted with new tasks, which draws on additional resources.
• An outsourcing project involves the use of new software and hardware. In this respect, dangers result from improper tests or lack of any tests, from inexperience with new security mechanisms, from installation and administration errors or software errors.

Security deficiencies, however, might also arise from organisational vulnerabilities during the introduction phase. Possible reasons include the following, for example:

• The collaboration between the employees of the customer and those of the outsourcing service provider or external consultants does not function properly. This might be caused, for example, by communication problems of a technical or personal nature. Since the contact persons of the other party are still unknown in the beginning, attacks via "Social Engineering" might also succeed particularly easily in this phase.
• Decision hierarchies do not work yet or contact persons and responsibilities have not been clarified yet or change frequently. As a result of this, decisions are not taken at all or only very hesitantly. Under certain circumstances, this results in security regulations being not complied with, bypassed or not controlled.

This overall problem also led to problems, for example, for a renowned financial institution: Whilst the configuration of a new web server was being worked on, the "old system" was no longer maintained adequately and was the target of an attack in which customer data was compromised. The event was made known by the media to an audience of millions.