S 2.176 Selection of a suitable Internet service provider

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT

Internet service providers (ISP) offer different services, content, or technical services supporting the use of the internet or the operation of your own internet offers. Organisations should select providers carefully. The provider used by an organisation to connect to the internet not only disposes of information on incoming and outgoing emails of the organisation, but also on every website the users open. In addition, all data transmitted between the users' computers and a server in the internet passes through the IT systems of the provider.

When selecting an internet service provider, it should be considered:

• whether there are people available around the clock to contact in case of technical problems, and if so, how competent these people are,
• how well the provider is prepared for the failure of one or more of its IT systems (contingency planning, data backup policy),
• what level of availability (maximum downtime) the provider can guarantee,
• whether the provider regularly checks if the connections to customers are still stable and takes the corresponding action when they are unstable,
• which data about the use of the internet of the customers is collected with the provider and how the provider protects it against unauthorised access,
• what the provider does to secure its IT systems and the systems of its customers.

When selecting a provider, the organisation should require the provider to document that they operate their IT systems securely, i.e. the provider should provide verification that the requirements described in S 2.174 Secure operation of a web server are fulfilled. All safeguards relating to networked systems and to data transmission equipment should be implemented. Of course, every provider should have a security concept and security policies. It should be possible for outsiders to view the security policies of the provider. The employees of the provider should be aware of security issues, be under obligation to follow the rules in the security policy, and receive regular training (and not only in issues relating to security).

Providers store data relating to the user for accounting and billing purposes (name, address, user ID, and bank account data) as well as connection data. The content transmitted is also stored for a length of time that differs from provider to provider.

Users should ask their provider which data is stored and for how long before deletion. When selecting a provider in Germany, it should be taken into account that German providers are required to follow the relevant data privacy laws applying to the processing of this data.

The exact terms of the cooperation with the service provider must be stipulated in a contract and suitable service level agreements (SLAs) must be concluded, e.g. contact persons, response times, IT connection, control of the services, design of the security precautions, handling of confidential information (see S 2.253 Contractual arrangements with the outsourcing service provider).

Review questions:

• Is information on security-relevant, data protection law related, and service-relevant properties of the service providers obtained?