S 2.253 Contractual arrangements with the outsourcing service provider
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Top Management
After having selected the outsourcing service provider, all aspects of the outsourcing project must be defined contractually and stipulated in so-called Service Level Agreements (SLAs). The aspects described in the following are intended as an aid and as a checklist when drafting the agreements. Type, extent, and level of detail of the stipulations always depend on the specific outsourcing project. The higher the protection requirements of the outsourced IT systems and applications, the more carefully and in more detail the agreement between customer and service provider must be negotiated. The service provider should be committed to observing the IT-Grundschutz and the security requirements specified by the customer (see S 2.251 Specification of the security requirements for outsourcing projects). This naturally also includes an undertaking by the outsourcing service provider to draw up a security concept, including a contingency concept, and to document the security safeguards as well as the systems and applications.
In addition to the general contract specification, it is always advisable to stipulate exact quantitative specifications, e.g. regarding availability requirements, response times, computing power, available storage space, number of employees, and support times.
In general, a blanket commitment to observe IT-Grundschutz is sufficient, but it is always advisable to stipulate all agreed services as exactly and unambiguously as possible in the agreement. This way, subsequent disputes between the parties can be avoided. Subsequent clarifications and amendments to the agreement made necessary by differing interpretations of the described services often entail significant additional costs for the customer. The process of drawing up the security concept should also be part of the agreement. In particular, the agreement must clarify who is responsible for the technical contents and which duties to cooperate exist for the customer.
A list of aspects that should be addressed from a security point of view can be found below. Further information about details can be found in the respective safeguards of the IT-Grundschutz Catalogues:
Infrastructure
- Protection of the service provider's infrastructure (e.g. site access control, fire control, ...)
Organisational rules/processes
- Specification of lines of communication and contact persons
- Specification of processes, workflows, and areas of responsibility
- Procedures for resolving problems, nomination of points of contact who have the necessary authorisations
- Regular co-ordination meetings
- Archiving and deletion of databases (particularly when an agreement is terminated)
- Access capabilities to IT resources of the client for the service provider: Who can access which system how? Which responsibilities and rights were implemented?
- Site and data access authorisations for employees of the service provider to the customer's premises and IT systems
- Site and data access authorisations for employees of the customer to the service provider's premises and IT systems
Personnel
- Design of the workplaces for external employees (compliance with computer workstation guidelines)
- Specification and coordination of employee substitution arrangements
- Commitment to advanced training measures
Contingency Planning
- Categories for classifying errors and incidents according to type, severity, and urgency
- Actions necessary when an incident occurs
- Response times and escalation levels
- Duty to cooperate of the customer when handling emergencies
- Type and chronology of regular and adequate emergency drills
- Type and extent of data backup
- Agreement as to whether and/or which systems must be designed redundantly
- Regulations for cases of Force Majeure may be especially important. For example, the agreement must clarify how the availability of data and systems can be ensured if the personnel of the service provider go on strike. The customer may be caught completely off guard by such events particularly when service provider and customer belong to different industries or are headquartered in different countries.
Liability, general legal requirements
- A commitment to observing the applicable standards and laws, as well as the stipulated security safeguards and other general conditions must be agreed upon contractually. Non-disclosure agreements must also be stipulated.
- The integration of third parties and subcontractors of the service provider must be regulated. In general, it is not recommended to exclude them, but to specify reasonable rules instead.
- The ownership of and copyrights to systems, software, and interfaces must be specified. The agreement must also clarify whether or not the service provider will take over existing agreements with third parties (hardware configuration, service contracts, software licenses, etc.).
- The continued use of the tools, procedures, scripts, and batch programs used by the service provider must be regulated in case the service relationship is terminated.
- Regulations for the end of the outsourcing project, e.g. when switching service providers or when a service provider goes bankrupt, may be specified. Make sure the cancellation right is sufficiently flexible.
- The contractor must be obliged to return all hardware and software belonging to the customer, including the stored data, upon completion of the project. All existing data, including data backups, must also be returned or (depending on the agreement) destroyed.
- The distribution of risks between customer and service provider must be taken into consideration.
- Questions of liability in the event of damage must be clarified.
- Penalties or compensation in the event of non-compliance with the service quality must be defined. The importance of compensation payments and legal consequences should not be overestimated in so doing. The following items must be taken into consideration, amongst other things:
  - Quantifiability of the damage: for example, how is damage to an organisation's image measured? How are damages to be assessed where serious derelictions of duty are discovered which only by chance have not resulted in greater damage?
  - Insolvency of the service provider: the right to compensatory damage payments is worthless if these exceed the service provider's ability to pay and the latter declares itself insolvent. At a very minimum, costs will be incurred as a result of the need to change to a new service provider.
  - Catastrophic damage: a contractual penalty is too late if the extent of the damaging event is so great that the customer is robbed of the basis of its business or, in the worst case, becomes insolvent as a result of the damage.
  - Provability: can any damage be proven, and can the party responsible be convicted (e.g. proof of espionage or tampering)?
One should always be aware of the fact that compensation payments are only the very last means and must not result in other security safeguards being neglected for financial reasons. Security cannot be achieved by legal means.
Multi-client capability
- The required separation of IT systems and applications of different customers must be agreed upon.
- Steps must be taken to ensure that problems with other customers do not impair the functional sequences and systems of the customer.
- Steps must be taken to ensure that other customers of the outsourcing service provider do not under any circumstances gain access to the customer's data.
- The outsourcing service provider must draw up a multi-client concept describing how IT systems and applications are operated in a multi-client enabled manner. The customer must review this concept as to whether the described measures are suitable in order to achieve sufficient separation of different clients for the respective protection requirements.
- If required, a physical separation (i.e. dedicated hardware) must be agreed upon.
- If required, it must be agreed upon that the employees deployed by the service provider are not deployed for other customers. It may also make sense to commit the employees to secrecy so that the employees deployed are not allowed to exchange any project-related information with other employees of the service provider.
Change management and test procedures
- Regulations must be specified providing the customer with the ability to adapt to new requirements at any time. This is particularly applicable if statutory provisions are amended. The reactions to system extensions, increased requirements, or resources becoming scarce must be specified.
- In this context, the support and further development of existing systems must also be regulated. Frequently, the service provider takes over self-developed systems or software from the customer, who thereby loses the ability to develop them further as it sees fit. Therefore, the evolution path of systems must be regulated.
- Continuous improvement of the service quality and the level of security must already be specified in the SLAs.
- The time frame for remedying errors must be defined.
- Test procedures for new hardware and software must be agreed upon. The following items must be taken into account in this context:
- Provisions regarding updates and system modifications
- Separation of test and production systems
- Responsibilities regarding the creation of test concepts
- Specification of test models to be used
- Responsibilities of customer and service provider regarding the carrying out of tests (e.g. customer to co-operate or provide assistance, acceptance and release procedures)
- Duty to inform and obtain customer agreement prior to major interventions in the system. (One example of how this can go wrong is that the service provider loads a new operating system on the server and, as a result of unexpected errors, important applications are disrupted without the customer having been able to prepare for this.)
- Procedures for obtaining approval for the carrying out of tests
- Specification of acceptable losses of quality during the test phase (e.g. availability)
Monitoring
- Service quality and IT security must be monitored regularly. The customer must possess the necessary rights to obtain the required information as well as the necessary site and system access and inspection rights. If independent third parties are to conduct audits or benchmark tests, this must be stipulated in the agreement.
- All organisations performing audits at the customer (e.g. supervisory agencies) must also be granted the corresponding monitoring capabilities at the service provider (for example the corresponding site access rights and rights to view the data).
Review questions:
- Are all aspects of the outsourcing project agreed upon in writing with the outsourcing service provider?
- Are the responsibilities and duties to cooperate regarding the development of the IT security concept agreed upon between outsourcing service provider and customer?