S 2.356 Contractual arrangements with SAN service providers
Initiation responsibility: IT Security Officer, Head of IT, Top Management
Implementation responsibility: Head of IT, Top Management, IT Security Officer
Few organisations are able or willing to provide technical support for the SAN components during normal operations and in the event of an emergency by themselves. For this reason, they must then reach out to suitable manufacturers and suppliers, who are referred to in the following as service providers.
The aspects described in the following are intended as an aid and as a checklist when drafting the contractual arrangements. The type, scale, and degree of detail of the contractual regulations depend on the availability requirements of the customer and on the complexity of the specific SANs.
In general, the service providers are to be required to follow all relevant laws and regulations, especially those applying to data protection according to the German Federal Data Protection Act (BDSG), and to implement organisational and technical safeguards for information security. These measures should at least match the level of IT-Grundschutz protection, and if necessary, the service providers must be required to fulfil additional security requirements specified by the customer.
In addition to these general obligations, it is also recommended to specify all agreed services in writing in the contract, together with the metrics and verification procedures used to check them. For example, it may be appropriate to specify that a qualified employee of the service provider must be on site within 4 hours for certain types of problems. Such specific statements derived from the organisation's own requirements are often more useful than a flat-rate offer (e.g. "Gold Support"), which may contain unfavourable exceptions (telephone support only on Sundays) to the required quality.
The creation of the contingency planning concept for the SAN should also be an integral part of the contract. In particular, the agreement must clarify who is responsible for the technical contents and which duties to cooperate exist for the customer.
Customers are urgently advised to prepare thoroughly before the requirements are collected. Details and additions that have to be added to the contract later because imprecisely described services were interpreted differently usually come with a significant increase in costs for the customer.
In the following you will find a list of objectives that can be used when producing or examining a contract draft:
Organisational rules and processes
- Specification of lines of communication and contact persons
- Specification of times (e.g. day-time operation, night-time operation, which days count as weekends, holidays)
- Specification of processes, workflows, and areas of responsibility
- Procedure when problems and crises arise, naming of contact persons with the required authorisations
- Access capabilities to customer's IT resources for the service provider:
  - Site and data access authorisations for employees of the service provider to the customer's premises and IT systems
- Transfer of databases at the end of the contractual relationship, deletion of data when storage media are returned to the contractor
Personnel
- If necessary, the design of the workplaces used by external employees
- Specification and coordination of employee substitution arrangements
- Planning for training courses
Contingency planning
- Actions necessary when an incident occurs
- Response times and escalation levels
- The customer's duty to cooperate when handling emergencies
- Agreements relating to the provision of replacement or backup systems
- Regulations for cases of force majeure may be especially important. For example, the contract must clarify how additional external personnel can be made available if the service provider's own personnel go on strike.
Liability, general legal requirements
- The contract must regulate each individual contractor employee's responsibility to follow applicable standards and laws as well as any agreed security measures. If necessary, special confidentiality agreements are to be specified contractually.
- The integration of third parties and subcontractors of the service provider must be regulated. In general, it is not recommended to exclude them, but to specify reasonable rules instead.
- The ownership of and copyrights to systems, software, and interfaces must be specified. The contract must clarify whether or not the service provider will take over existing contracts with third parties (hardware configuration, service contracts, software licenses, etc.).
- The continued use of the tools, procedures, scripts and batch programs by the service provider must be regulated in case the service relationship is terminated.
- Regulations for the end of the contractual relationship, e.g. when switching service providers or when a service provider goes bankrupt, should be specified.
- Make sure the cancellation right is sufficiently flexible.
- The contractor is to be required to return all stored data and all hardware and software purchased by the customer as well as to delete all information stored in the context of the contractual relationship after the job is finished.
- Questions of liability in the event of damage must be clarified. From the customer's point of view, the value of sanctions or compensation for damage when the required level of service quality is not met should not be overestimated:
  - First of all, you must always ask how the damage can be verified and whether the party causing the damage can be determined.
  - For example, how will damage to your image be quantified?
  - How will you evaluate serious contract violations that only by chance did not lead to larger-scale damage?
  - A right to compensation payments is worthless if the amount exceeds the service provider's solvency and the provider goes bankrupt.
Change management and test procedures
- Regulations must be specified providing the customer with the ability to always adapt to new requirements. It must be specified how changes to requirements by the customer will be handled.
- Test procedures for new hardware and software must be agreed upon. The following items must be taken into account in this context:
Controlling the contractor
- The quality of the services provided must be checked regularly. The customer must possess the necessary rights to information as well as the necessary site access and inspection rights. If independent third parties are to conduct audits or benchmark tests, this must be stipulated in the agreement.
Review questions:
- Are SAN service providers contractually required to follow all relevant laws, especially those applying to data protection?
- Are SAN service providers required to implement and use technical and organisational safeguards according to the customer's security requirements (at least at the level of IT-Grundschutz)?
- Are all services agreed to specified in writing together with measurements and verification procedures in the contract with the SAN service provider?