Outsourcing involves transferring responsibility for carrying out an activity (usually one previously performed internally) to an outsourcer for an agreed charge. The outsourcer provides services to the customer based on a mutually agreed service level, normally defined in a formal contract. Many commercial benefits have been ascribed to outsourcing, the main ones being reduced costs for the organization, the ability to find personnel willing to work at weekends, and access to world-class skills and resources.
Despite the potential benefits, information security incidents such as inappropriate access to or disclosure of sensitive information, loss of intellectual property protection, or the inability of the outsourcer to live up to agreed service levels, would reduce those benefits and could jeopardize the security posture of the organization.
The policy should address the following controls found in the ISO/IEC 27002:2005 and ISO/IEC 27001 standards: identification of risks related to external parties, addressing security when dealing with customers, and addressing security in third party agreements.
Choosing an outsourcer
Criteria for selecting an outsourcer shall be defined and documented, taking into account the company’s reputation and history, the quality of services provided to other customers, the number and competence of staff and managers, the financial stability and commercial record of the company, the retention rates of the company’s employees, and the quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001).
Drafting an Outsourcing Agreement
A formal contract between the Company and the outsourcer should exist to protect both parties. The contract should clearly define the types of information exchanged and the purpose for so doing. If the information being exchanged is sensitive, a binding confidentiality agreement should be in place between the Company and the outsourcer, whether as part of the outsource contract itself or a separate non-disclosure agreement (which may be required before the main contract is negotiated).
Any information received by the Company from the outsourcer which is bound by the contract or confidentiality agreement should be protected by appropriate classification and labeling. Upon termination of the contract, the confidentiality arrangements should be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.
All contracts should be reviewed by a legal professional to ensure accurate content, language and presentation.
The contract should clearly define each party’s responsibilities toward the other by specifying the parties to the contract, the effective date, the functions or services being provided (e.g. defined service levels), liabilities, limitations on the use of sub-contractors, and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as legal, regulatory and other third-party obligations (data protection/privacy laws, anti-money laundering requirements etc.).
Information security obligations and controls should also be included, such as:
- Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001, and compliance with the Data Protection Regulation (EU) 2016/679;
- Background checks on dedicated employees or third parties working on the contract;
- Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.;
- Information security incident management procedures including mandatory incident reporting;
- Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;
- Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
- Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;
- Anti-malware, anti-spam and similar controls;
- IT change and configuration management, including vulnerability management, patching and verification of system security controls prior to their connection to production networks;
- The right of the Company to monitor all access to and use of the Company’s facilities, networks, systems etc., and to audit the outsourcer’s compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose;
- Business continuity arrangements including crisis and incident management, resilience, backups and IT Disaster Recovery.
Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for the Company to verify the security controls that are essential to meet the Company’s specific security requirements, typically by auditing them.