1 Introduction

Outsourcing involves transferring responsibility for carrying out an activity (previously carried on internally) to an outsourcer for an agreed charge. The outsourcer provides services to the customer based on a mutually agreed service level, normally defined in a formal contract.

Many commercial benefits have been ascribed to outsourcing, the most common amongst these being:

- Reducing the organization’s costs

- Greater focus on core business by outsourcing non-core functions

- Access to world-class skills and resources

Despite the potential benefits, information security incidents such as inappropriate access to or disclosure of sensitive information, loss of intellectual property protection or the inability of the outsourcer to live up to agreed service levels, would reduce the benefits and could jeopardize the security posture of the organization.

2 Objective

This policy specifies controls to reduce the information security risks associated with outsourcing.

3 Scope

The policy applies throughout Webpac.

Outsourcing providers (also known as outsourcers) include:

- hardware and software support and maintenance staff

- external consultants and contractors

- IT or business process outsourcing firms

- temporary staff

The policy addresses the following controls found in the ISO/IEC 27002:2005 and ISO/IEC 27001 standards:

- Identification of risks related to external parties

- Addressing security when dealing with customers

- Addressing security in third party agreements

4 Policy axioms

The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks.

The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.

5 Policy statements

Choosing an outsourcer

Criteria for selecting an outsourcer shall be defined and documented, taking into account the:

- company’s reputation and history;

- quality of services provided to other customers;

- number and competence of staff and managers;

- financial stability of the company and commercial record;

- retention rates of the company’s employees;

- quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001).

Further information security criteria may be defined as the result of the risk assessment (see next section).

Assessing outsourcing risks

Management shall nominate a suitable Webpac owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using Webpac’s standard risk assessment processes.

In relation to outsourcing, specifically, the risk assessment shall take due account of the:

a) nature of logical and physical access to Webpac information assets and facilities required by the outsourcer to fulfill the contract;

b) sensitivity, volume and value of any information assets involved;

c) commercial risks such as the possibility of the outsourcer’s business failing completely, or of them failing to meet agreed service levels or providing services to Webpac’s competitors where this might create conflicts of interest; and

d) security and commercial controls known to be currently employed by Webpac and/or by the outsourcer.

The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide if Webpac will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.

Contracts and confidentiality agreements

A formal contract between Webpac and the outsourcer shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for so doing.

If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between Webpac and the outsourcer, whether as part of the outsource contract itself or a separate non-disclosure agreement (which may be required before the main contract is negotiated).

Information shall be classified and controlled in according with Webpac policy.

Any information received by Webpac from the outsourcer which is bound by the contract or confidentiality agreement shall be protected by appropriate classification and labeling.

Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract.

All contracts shall be submitted to the Legal for accurate content, language and presentation.

The contract shall clearly define each party’s responsibilities toward the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on use of sub-contractors and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:

- Legal, regulatory and other third party obligations such as data protection/privacy laws, money laundering etc.*;

- Information security obligations and controls such as:

- Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001;

- Background checks on employees or third parties working on the contract (see section 5.4);

- Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.(see section 5.5);

- Information security incident management procedures including mandatory incident reporting;

- Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;

- Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;

- Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;

- Anti-malware, anti-spam and similar controls;

- IT change and configuration management, including vulnerability management, patching and verification of system security controls prior to their connection to production networks;

- The right of Webpac to monitor all access to and use of Webpac facilities, networks, systems etc., and to audit the outsourcer’s compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose;

- Business continuity arrangements including crisis and incident management, resilience, backups and IT Disaster Recovery.

Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for Webpac to verify security controls that are essential to address Webpac’s specific security requirements, typically by auditing them (see section 5.6).

Hiring and training of employees

Outsource employees, contractors and consultants working on behalf of Webpac shall be subjected to background checks equivalent to those performed on Webpac employees. Such screening shall take into consideration the level of trust and responsibility associated with the position and (where permitted by local laws):

- Proof of the person’s identity (e.g. passport);

- Proof of their academic qualifications (e.g. certificates);

- Proof of their work experience (e.g. résumé/CV and references);

Companies providing contractors/consultants directly to Webpac or to outsourcers used by Webpac shall perform at least the same standard of background checks as those indicated above.

Suitable information security awareness, training and education shall be provided to all employees and third parties working on the contract, clarifying their responsibilities relating to Webpac information security policies, standards, procedures and guidelines (e.g. privacy policy, acceptable use policy, procedure for reporting information security incidents etc.) and all relevant obligations defined in the contract.

Access controls

In order to prevent unauthorized access to Webpac’s information assets by the outsourcer or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design a suitable controls architecture.

Technical access controls shall include:

- User identification and authentication;

- Authorization of access, generally through the assignment of users to defined user rôles having appropriate logical access rights and controls;

- Data encryption in accordance with Webpac’s encryption policies and standards defining algorithms, key lengths, key management and escrow etc.

- Accounting/audit logging of access checks, plus alarms/alerts for attempted access violations where applicable.

Procedural components of access controls shall be documented within procedures, guidelines and related documents and incorporated into awareness, training and educational activities. This includes:

- Choice of strong passwords;

- Determining and configuring appropriate logical access rights;

- Reviewing and if necessary revising access controls to maintain compliance with requirements;

Physical access controls shall include:

- Layered controls covering perimeter and internal barriers;

- Strongly-constructed facilities;

- Suitable locks with key management procedures;

- Access logging though the use of automated key cards, visitor registers etc;

- Intruder alarms/alerts and response procedures;

If parts of Webpac’s IT infrastructure are to be hosted at a third party data centre, the data centre operator shall ensure that Webpac’s assets are both physically and logically isolated from other systems.

Webpac shall ensure that all information assets handed over to the outsourcer during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract. In the case of highly classified information assets, this normally requires the use of a schedule or register and a process whereby the outsourcer formally accepts accountability for the assets at the point of hand-over.

Security audits

If Webpac has outsourced a business function to an outsourcer based at a different location, it shall audit the outsourcer’s physical premises periodically for compliance to Webpac’s security policies, ensuring that it meets the requirements defined in the contract.

The audit shall also take into consideration the service levels agreed in the contract, determining whether they have been met consistently and reviewing the controls necessary to correct any discrepancies.

The frequency of audit shall be determined by management on advice from functions such as Internal Audit, Information Security Management and Legal.

6 Responsibilities

Management

Management is responsible for designating suitable owners of business processes that are outsourced, overseeing the outsourcing activities and ensuring that this policy is followed.

Management is responsible for mandating commercial or security controls to manage the risks arising from outsourcing.

Outsourced business process owners

Designated owners of outsourced business processes are responsible for assessing and managing the commercial and security risks associated with outsourcing, working in conjunction with Information Security, Legal and other functions as necessary.

Information Security

Information Security, in conjunction with functions such as Legal, Compliance and Risk Management, is responsible for assisting outsourced business process owners to analyze the associated risks and develop appropriate process, technical, physical and legal controls.

Information Security is also responsible for maintaining this policy.

Internal Audit

Internal Audit is authorized by management to assess compliance with all corporate policies at any time.

Internal Audit may assist with audits of outsourcing contracts including security compliance audits, and advise management on the risks and controls relating to outsourcing.

7 Copyright

This work is copyright © 2008, ISO27k Implementers' Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Implementers’ Forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.