T 2.90 Weaknesses in the connections with an outsourcing service provider
When carrying out an outsourcing project, the service provider usually needs access to the customer's internal resources. This is often realised by connecting parts of the two parties' IT infrastructures to each other. To speed up the exchange of information between the customer and contractor, special information channels (e.g. dedicated permanent lines, VPN connections, access routes for remote maintenance) might be installed.
If this connection is not protected, or if its protection has weaknesses, this inevitably results in a number of threats:
- The confidentiality of the communication can be endangered.
- The integrity of the records transmitted is no longer guaranteed.
- The receipt of the information and messages transmitted might be denied.
- External third parties are given an insight into the customer's internal information that is too comprehensive for the actual requirements of the service provider.
- Additional points of access to the organisation's intranet are created, and with them additional sources of risk.
- Open or poorly protected IT access routes result in possibilities of manipulation.
- Confidential information and intellectual property might be passed on to outsiders.
- Under certain circumstances, external system access is controlled inadequately.
The IT connection between the outsourcing organisation and the outsourcing service provider can also fail completely. In this case, data whose transmission had not been completed before the failure might be destroyed or become inconsistent. Depending on the duration and type of the failure, the consequences might also threaten the existence of the organisation. This risk is intensified if there is no contingency planning concept (see T 2.93 Inadequate contingency planning concept when outsourcing).