S 2.254 Creating a security concept for the outsourcing project
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator, Head of IT
For every outsourcing project a security concept must exist. This can be created on the basis of the IT-Grundschutz catalogues, for example. Outsourcing projects are characterised by the fact that many technical and organisational details are only revealed in the course of planning and during migration of the system. Therefore, the security concept developed after a service provider has been commissioned will rarely be complete and final from the outset; it must be continuously developed and substantiated by all parties involved during the migration phase. For this reason, the migration phase is decisive for the success of the overall project and is explained in detail in safeguard S 2.255 Secure migration in outsourcing projects.
In general, security concepts for outsourcing projects are not much different from security concepts for internally operated IT systems. However, there are the following particularities which must be taken into account:
- From a technical point of view, three parties are usually involved in the outsourcing project:
- the outsourcing customer
- the outsourcing service provider
- the network provider
The network provider provides the connection between the outsourcing partners. The responsibility for the network connection usually lies with the outsourcing service provider.
- Every party involved must establish and implement their own security concept which also covers the specific outsourcing project. The following security concepts are required:
- for the sphere of influence of the outsourcing service provider
- for the sphere of influence of the customer and
- for the interfaces and communications between these spheres.
- In addition to the individual concepts, a security concept for the overall system must be established which considers the security in the context of the interaction of the individual systems.
- The various sub-concepts must be co-ordinated between the client and the service provider. The client is not directly involved in the security concept of the outsourcing service provider, but should check within the context of an audit that it exists and is sufficient. The client may use external contractors for the audit.
The security requirements specified in S 2.251 Specification of the security requirements for outsourcing projects and S 2.253 Contractual arrangements with the outsourcing service provider form the basis for the security concept. The basic requirements described here must be used as a basis for the detailed design of the security concept. This may, for example, include the detailed description of the safeguards and the identification of the contact persons by name.
Experience has shown that the migration of tasks and IT systems from the client to the outsourcing service provider is a project phase with an increased risk of security incidents. For this reason, regulations and safeguards regarding migration must be covered by the security concept. These are covered in more detail by S 2.255 Secure migration in outsourcing projects.
In the following, some aspects and topics are listed which should be described in detail in the security concept. As the details of a security concept directly depend on the outsourcing project, the list is only intended as an initial starting point and is by no means complete. In addition to an overview of the threat scenario, which serves for motivation of the security safeguards, and the organisational, infrastructural, and personnel security safeguards, it may also be useful to implement safeguards for the following areas:
Organisation
- handling of data and of resources requiring protection, such as printer paper and storage media, and especially rules for making copies and for deletion/destruction
- specification of actions to which the "two-person rule" must be applied
Hardware/software
- use of hardened operating systems in order to make attacks more difficult
- use of intrusion detection systems (IDS) to enable early detection of attacks
- use of file integrity check systems for detection of changes, e.g. after successful attacks
- use of syslog and time servers to allow for the most comprehensive (and consistently time-stamped) logging possible
- use of cascaded firewall systems in order to increase perimeter protection on the part of the service provider
- careful allocation of personal user IDs, and prohibition of shared group IDs for personnel of the service provider
Communication
- securing communications (e.g. using encryption or electronic signatures) between the service provider and the client in order to protect sensitive data
- authentication mechanisms
- detailed regulations for additional network connections (see S 5.87 Agreement regarding connection to third party networks)
- detailed regulations for exchange of data (see S 5.88 Agreement regarding the exchange of data with third parties)
Controls and QA
- detailed regulations (e.g. unannounced inspections on site, time intervals, responsibilities, level of detail) for controls and measuring security, service quality, procedures, and organisational rules
Contingency Planning
- The contingency planning concept is described in S 6.83 Contingency planning for outsourcing.
Review questions:
- Does an information security concept based on the associated security requirements exist for every outsourcing project?
- Does every party involved in the outsourcing project have a security concept for their area of influence, and is there, in addition, a co-ordinated security concept for the overall system?
- Is the security concept of the service provider and its implementation checked by the client or independent third parties?