S 2.256 Planning and maintenance of IT security during ongoing outsourcing operations
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT, IT Security Officer
After an outsourcing project has been implemented, information security must also be ensured during ongoing operations. For this purpose, an operational concept in which the security aspects are also taken into account must be planned for the outsourcing project. In this respect, the IT-related individual tasks do not usually differ from those tasks to be planned and implemented if there is no outsourcing (see S 2.199 Maintaining information security).
However, particularities result from the fact that the tasks are distributed to several parties and thus additional tasks (e.g. coordination talks and checks) arise. These tasks include, among other things:
- Documentation and policies must be updated at regular intervals.
- The applicable security concepts of all parties involved must be checked as to whether they are still coordinated and ensure the desired level of security. In particular, the outsourcing service provider should inform the customer of important changes within its area of influence.
- Regular checks must be performed on the following aspects:
  - performance of agreed audits
  - implementation status of the agreed security safeguards
  - maintenance status of systems and applications
  - assignment of rights by the service provider (misuse of rights)
  - use of employees who have not been reported to the customer, e.g. in cases of substitution
  - performance, availability, quality level
  - data backup
- Regular coordination talks must be held on the following points:
  - Information must be exchanged between the partners (e.g. personnel news, organisational regulations, statutory changes, planned projects, planned tests and system changes that could impair the quality of the service).
  - Problems must be identified and analysed.
  - Mutual feedback and the identification of potential improvements are very important.
  - To motivate employees, particularly positive examples of successful cooperation can be presented to them.
  - Change management: change requests (hardware, software, extension of the service portfolio, increased resource requirements etc.) should be discussed promptly.
- Regular exercises and tests must be carried out on the following topics:
  - response to system failures (partial failure, total failure)
  - restoration of data backups
  - dealing effectively with security incidents
Review questions:
- Is there an operational concept for the outsourcing project which also takes the security aspects into account?
- Are the security concepts of the outsourcing partners checked for currency and consistency at regular intervals?
- Is the status of the security safeguards agreed upon checked at regular intervals?
- Are there regular communications including coordination regarding changes and improvements between the outsourcing partners?
- Do the outsourcing partners perform regular joint exercises and tests to maintain the level of security?