S 2.251 Specification of the security requirements for outsourcing projects
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Administrator
Once an outsourcing strategy has been specified, the security requirements must be defined in enough detail that they can serve as a basis for choosing a suitable service provider. For this purpose, security requirements must be placed on the outsourcing service provider and on the technology used (including communication lines and services), but also on the client organisation itself. The creation of a detailed security concept, which is based on the requirements formulated here and is developed after the service provider has been chosen, is described in S 2.254 Creating a security concept for the outsourcing project.
It must be considered that the definition of security requirements is an iterative process:
- Initially, the desired security requirements are specified by the client.
- During the offer phase, it is then checked whether and how the desired security requirements can be met by the offering service provider (see also S 2.252 Choice of a suitable outsourcing service provider).
- Once a service provider has been chosen, the security requirements must be developed in further detail together with the service provider (e.g. based on the operating systems or security mechanisms used). In the final phase of this coordination process, the security requirements for the specific implementation also need to be defined.
In general, the following minimum security requirements apply to outsourcing scenarios:
- Implementation of IT-Grundschutz is a minimum requirement for both outsourcing parties. In addition, the outsourcing service provider and the client must each have their own security concept, and that concept must already have been implemented.
- It is important to specify the relevant IT systems precisely (e.g. by specialised task, business process, or IT system) so that all interfaces can be identified. Corresponding technical security requirements can then be placed on these interfaces.
- A current structure analysis of IT systems and applications must be performed (see also S 2.250 Determining an outsourcing strategy).
- The protection requirements (e.g. of applications, systems, communication links, rooms) regarding confidentiality, integrity, and availability must be defined (see also S 2.250 Determining an outsourcing strategy).
Relevant laws and regulations must, of course, be observed in addition. Particularly where clients or service providers operate internationally or globally, this may involve considerable effort.
As part of the security requirements, it must be specified which rights (e.g. site access rights, access rights to files and systems) the outsourcing service provider is granted by the client.
The requirements regarding infrastructure, organisation, personnel, and technology must be described. In many cases, an obligation to meet a security level corresponding to IT-Grundschutz is sufficient. Any requirements that go beyond this must be described in detail; which ones apply depends primarily on the security strategy and on the existing systems and applications. Depending on the outsourcing project, the following points, for example, could be specified in detail:
Organisational rules and processes
- Requirements regarding processes critical to security (e.g. time restrictions for the alarm plan) may be specified.
- Special requirements regarding certain roles may be defined. It may be required, for example, that the outsourcing service provider appoint an IT security officer with specific expertise (e.g. host knowledge).
Hardware/software
- The use of certified products (e.g. according to Common Criteria or ITSEC) at the outsourcing service provider may be required.
- Requirements regarding the availability of services and IT systems may be specified. In this context, the degree and method of load balancing may also be specified (e.g. for web servers that are accessed by a large number of clients).
- Specifications regarding multi-client capability and the associated separation of hardware and software may be formulated. It may be specified, for example, that the client's IT systems must not be sited in rooms where systems of other clients of the service provider are already installed.
Communication
- Special methods for securing the communication between service provider and client, such as the use of encryption and signature methods (see also modules S 4.4 VPN and S 1.7 Crypto-concept), can be prescribed.
Controls and QA
- General requirements for checking and measuring security, quality, and even procedures and organisational rules (e.g. time intervals, responsibilities) may be specified.
- Desired methods or measures for control and monitoring, such as unannounced on-site inspections or audits (in some circumstances by independent third parties), may be specified.
- Requirements for logging and for the evaluation of log files may be specified.
The specified IT security requirements generally form the basis for choosing a suitable outsourcing service provider. However, it may be necessary to adapt specific IT security requirements to the IT security level that the service provider is actually able to implement.
Review questions:
- Have all security requirements for the outsourcing project been specified on the basis of the outsourcing strategy?
- Are both outsourcing parties contractually obliged to implement IT-Grundschutz or a comparable level of protection?
- Have all interfaces between the outsourcing client and the provider been identified so that corresponding security requirements can be placed on them?
- Are the rights (site access, system access, and data access rights) to be granted to the outsourcing service provider by the client specified in the security requirements?