S 2.255 Secure migration in outsourcing projects
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: IT Security Officer, Head of IT, Administrator
After the outsourcing service provider has been commissioned, a preliminary security policy must be drawn up first; it must also address the test and introduction phases as a sub-aspect of the outsourcing project. On the one hand, numerous outsiders are involved in this phase, and on the other hand, procedures must be established, tasks must be commissioned, and systems must be newly configured and/or adapted. Therefore, careful test operations are extremely important. "Flexible" and "uncomplicated" solutions, which rarely provide sufficient security, tend to be selected particularly for test purposes and in phases of high workload. Thus, it must be ensured, for example, that productive data is not used as test data without specific protection. This must be ruled out by the security policy.
Before a migration concept is drawn up as part of the security policy for an outsourcing project, the customer must have set up a security management team specifically for the migration phase. During the migration phase, this team must be mindful of security matters and ensure that secure IT operations are guaranteed during migration by means of suitable safeguards taken prior to migration. The size of the security management team depends on the type and extent of the outsourcing project; as a minimum requirement, it may consist of one security expert.
The security management team has the following tasks, from which regulations and specifications are derived, which must be included in the migration concept:
- A mixed team consisting of employees of the customer and of the outsourcing service provider must be established. This team may also be supported by external experts in order to make specific know-how available.
- A security concept must be drawn up for the migration phase.
- The responsibilities and hierarchies for the migration phase must be defined. In doing so, it is important to establish clear management structures and to define unambiguous contact persons on both sides. Additionally, it must be ensured that responsibilities are also defined at high levels on both sides. This is the only way to ensure that actions can be suitably enforced in cases of doubt.
- The required tests must be scheduled and performed, acceptance procedures must be developed, and the transfer to production must be scheduled.
- Suitable internal employees must be selected for the test and introduction phases and later operations. Contractually, a customer may of course also request a say in the outsourcing service provider's selection of personnel.
- The employees of the customer must be trained in terms of their behaviour during and after the migration phase. Normally, the employees are faced with new and unknown contact persons. This entails the risk of social engineering (e.g. telephone call of an alleged employee of the service provider's security team).
- The service provider must receive instructions on, and become familiar with, the relevant procedures, applications, and IT systems of the customer.
- Trouble-free operations must be ensured by detailed resource planning and testing. The productive systems must not be neglected in so doing. Additionally, it must be checked in advance whether the designated employees are available. Furthermore, failures must be taken into consideration through required tests.
- Applications and IT systems the service provider is to take over must be documented sufficiently. In doing so, the documentation must be checked for completeness and the existing documentation must be adapted to the changed general conditions caused by the outsourcing project. At the same time, it must also be ensured that new systems or subsystems are also documented.
- During migration, it must be checked consistently whether the SLAs or the designated security safeguards require adaptations.
During the introduction phase of the outsourcing project and the first period of operation, particular attention should be paid to the contingency concept. Until all persons involved have acquired the required routine, for example in handling malfunctions and security-relevant incidents, employees must be placed on on-call duty to a greater extent than usual.
Upon completion of the migration, it must be ensured that the security policy is updated, since experience has shown that the migration phase always entails changes. In particular, this has the following consequences:
- All security safeguards must be substantiated.
- Contact persons and responsibilities are documented with names and required contact information (phone, availability hours, possibly required assignment information such as customer IDs).
- The system configurations must be documented, including the documentation of the set security-relevant parameters.
- The personnel must be prepared for regular operations by means of training measures.
As a final task, the outsourcing project must be transferred to regular operations upon completion of the migration phase (see S 2.256 Planning and maintenance of IT security during ongoing outsourcing operations). In doing so, it must be ensured that all exceptions required during the migration phase are reversed at the end of the migration phase, e.g. extended access rights.
Review questions:
- Was a security policy drawn up for the migration phase, which also takes into consideration the testing and introduction phases?
- Is it ensured that productive data is not used as test data in an unprotected manner during the migration phase?
- Are the employees of the customer and those of the outsourcing service provider prepared for migration?
- Are all changes incorporated into the security policy upon completion of the migration phase?
- Is it ensured that all exceptions are reversed at the end of the migration phase?