S 6.83 Contingency planning for outsourcing

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator, IT Security Officer

In general, the same requirements apply to contingency planning for outsourcing as to contingency planning for non-outsourced operation of IT systems. The particularities of outsourcing arise from the fact that contingency planning, too, is distributed across different parties and that there are additional components to be taken into account because the IT components themselves are distributed.

In general, contingency planning concepts must be available for the customer's systems, for the outsourcing service provider's systems, and for the interfaces between the customer and the service provider (e.g. network connection, router, telecommunications provider). S 2.253 Contractual arrangements with the outsourcing service provider provides some information on which aspects should already be regulated in the Service Level Agreement. In the contingency planning concept, these specifications must be defined precisely and described in detail:

In emergency situations, information security depends heavily on the quality of the work instructions for the personnel of the outsourcing service provider. The customer's systems are often operated by personnel of the service provider who do not have detailed knowledge of the applications that run on those IT systems, while responsibility for the application still lies solely with the customer. If an error occurs in the application, the outsourcing service provider may therefore have to perform the troubleshooting without comprehensive knowledge of the system. The contingency planning concept must thus provide the outsourcing service provider with precise instructions on how to proceed in such a situation. In this respect, it may also make sense to define actions that are explicitly prohibited (e.g. rebooting a machine).

Errors in an application can be caused by technical problems (e.g. data medium full, network problems) or by application-specific problems (e.g. processing of a wrong record, programming errors, incorrect parameter settings).

For technical errors without impact on other applications, the outsourcing service provider will usually be able to eliminate the error themselves. In most cases, however, cooperation with the customer is still necessary to prevent undesired side effects at the application level.

If there are application-specific problems, the outsourcing service provider needs detailed and comprehensive instructions as well as lists of contact persons on the customer's side in order to react properly. For problems with complex applications, and for extensive batch processes in particular, knowledge that is only available to the customer is often required.

In this case, it is also important to inform the service provider of the protection requirements of the affected data and systems, so that they are handled with adequate caution.

Review questions: