OPS.3.2 Providing Outsourcing
In outsourcing, institutions (outsourcing users) outsource business processes or activities wholly or partly to one or more external service companies (outsourcing providers). These outsourcing providers operate the business processes or activities within the framework of the agreed outsourcing relationship according to defined criteria.
Description
Introduction
In outsourcing, institutions (outsourcing users) outsource business processes or activities wholly or partly to one or more external service companies (outsourcing providers). These so-called outsourcing providers operate the business processes or activities within the framework of the agreed outsourcing relationship according to defined criteria. However, the responsibility from the perspective of information security always remains with the outsourcing institution.
Outsourcing can relate to the use and operation of hardware and software, whereby the service can be provided in the premises of the contracting party or in an external operating facility of the outsourcing providers. Typical examples of classical “IT outsourcing,” to which this building block refers, are the operation of a data center, an application, or a website. Outsourcing is an umbrella term that is often further specified by additional terms such as hosting, housing, or colocation.
An outsourcing relationship concerns, in addition to the original outsourcing users and providers, in many cases additional sub-service providers downstream of the outsourcing providers. If parts of business processes or activities are further transferred from outsourcing providers to sub-service providers, the business processes or activities outsourced by users are further fragmented. This affects the complexity of the outsourcing chain, resulting in diminishing transparency for the outsourcing users. The proof that the requirements placed on the outsourcing providers are met extends here both to the outsourcing providers and to the sub-service providers.
For better clarity, the term “process” is used in this building block as a representative for business process, activity, or component that is outsourced.
Objective
The objective of this building block is to ensure the fundamental values of information security — confidentiality, integrity, and availability — throughout the entire lifecycle of outsourcing by the outsourcing providers. The building block is intended to help ensure that the outsourcing providers guarantee fundamental information security vis-à-vis the outsourcing users. Outsourcing here means classical “IT outsourcing.”
The requirements of building block OPS.3.2 Providing Outsourcing are intended to help ensure that potential threats arising from the service of the outsourcing providers do not endanger the outsourcing users. Accordingly, these risks are to be reduced and prevented.
Scope and Modeling
The building block OPS.3.2 Providing Outsourcing is to be applied once from the perspective of the providers for each user who receives services from the provider.
The building block relates to the perspective of the outsourcing providers in the outsourcing relationship. The requirements of the building block ensure that fundamental security standards are maintained vis-à-vis the outsourcing users and contribute to ensuring that the information security requirements of the outsourcing users can be maintained throughout the entire outsourcing process.
The case of a further transfer is only conditionally considered in building block OPS.3.2 Providing Outsourcing, as this represents a further outsourcing relationship and thus the outsourcing providers must model building block OPS.2.3 Use of Outsourcing for these sub-service providers.
Scenarios deviating from classical “IT outsourcing” (such as the operation of hardware and software, hosting, housing, etc.) may not always be completely represented by building block OPS.3.2 Providing Outsourcing and may require a separate risk analysis.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.3.2 Providing Outsourcing.
Insufficient Information Security Management at Outsourcing Providers
Inadequate information security management can lead to the protection objectives of information security being only insufficiently maintained by the outsourcing providers. Through an outsourcing contract, the outsourcing providers are responsible for maintaining the required level of information security for the outsourcing process. If the outsourcing providers fail to fulfill their responsibility, this can pose a threat to all institutions involved in the outsourcing process.
Insufficient Emergency Management of Outsourcing Providers
When disruptions or emergencies occur at outsourcing providers, this can lead to an operational disruption that can also affect the outsourced processes of the outsourcing users and impact their proper business operations. In particular, emergency preparedness is of decisive importance prior to emergency and crisis situations. In the event of inadequate emergency preparedness, effective emergency management cannot be ensured for the institution. Disruptions, emergency situations, and crises may thus be uncontrollable for the individual institutions. A cascade effect occurs that affects not only the outsourcing providers but also all upstream and downstream service providers as well as customers.
Inadequate Contractual Arrangements with Outsourcing Users
Inadequacies in contract design can lead to the information security of the outsourced processes of the outsourcing users being inadequately secured. Contractual arrangements define the entire outsourcing process and represent the legal basis for claims of the outsourcing providers against the outsourcing users. Thus, the inadequacies from contract design transfer to the entire outsourcing lifecycle. This is associated with a multitude of possible threat scenarios with financial and social impacts for both outsourcing users and providers.
Vulnerabilities in the Connection of Outsourcing Users
The technical connection of outsourcing users to the networks of outsourcing providers can lead to technical and organizational vulnerabilities at the interfaces. The technical vulnerabilities in the connection can lead to disruptions, data loss, and serve as a starting point for IT-supported attacks. Organizational vulnerabilities in the form of unstaffed interfaces can lead to communication problems between the outsourcing providers and users. These can pose a threat to the efficiency of risk mitigation measures in emergency and crisis situations.
Dependency on Sub-Service Providers
If activities of outsourcing providers are further transferred to sub-service providers, there is a risk that the sub-service providers exploit their position to enforce demands and disregard the provisions of the agreement. A dependency on third parties to deliver the customer service arises. Should the outsourcing providers be unable to compensate for a disruption or failure of the sub-service providers, there is a compulsory dependency. This puts the sub-service providers in an advantageous position vis-à-vis the outsourcing providers. The sub-service providers may refrain from maintaining the contractually regulated quality and the specified level of information security. This adversely affects the outsourcing relationship with the outsourcing users and entails legal and financial consequences and reputational loss for the outsourcing providers.
Inappropriate Configuration and Management of Access, Admission, and Access Rights
Inappropriate or insufficient configuration of a central directory service can lead to users receiving rights that potentially enable them to access sensitive or personal data of the outsourcing providers or of other customers of the outsourcing providers. Under certain circumstances, outsourcing projects may require outsourcing users to access the information domain of the outsourcing providers. This requires corresponding admission and access rights, which pose a risk to IT systems, information, and buildings. As a consequence, the integrity and confidentiality of this data are endangered. Ultimately, this can lead to contractual penalties being enforced by outsourcing users against outsourcing providers, as well as reputational loss for the outsourcing providers and their customers.
Insufficient Multi-Tenancy at Outsourcing Providers
Outsourcing providers generally have different customers who access the same resources such as IT systems, networks, or personnel. If the IT systems and data of the outsourcing users are insufficiently separated and secured from each other, there is a danger that users can access the areas of other users and gain unauthorized access to data. This constitutes a direct violation of the confidentiality of the respective data of the users. This is particularly problematic for outsourcing users who are in competition with each other. The consequences would be reputational loss for the outsourcing providers and legal consequences from the injured outsourcing users.
Loss of Control and Management in Further Transfers to Sub-Service Providers
Outsourced processes may be fully or partially transferred from outsourcing providers to sub-service providers as part of a further transfer. Insufficient control of the sub-service providers leads to the agreed aspects of information security being inadequately maintained by the sub-service providers. This subsequently has consequences for the outsourcing relationship with the outsourcing users, as well as immediate financial consequences and reputational loss for the outsourcing providers.
Inadequate Regulations for a Planned or Unplanned Termination of an Outsourcing Relationship
Inadequate regulations for the end of an outsourcing relationship can lead to hardware and data ultimately not being properly returned or transmitted to the outsourcing users. Moreover, existing customer data may not be properly deleted after the retention period required by the relevant laws and regulations. An outsourcing relationship can be terminated by ordinary notice or for extraordinary reasons; one example of the latter is the insolvency of the outsourcing providers. After the contract is dissolved, the outsourcing providers may not adequately protect the remaining data of the outsourcing users in accordance with the protection needs of the respective owner. The data can fall into the hands of third parties and, if published, lead to reputational loss.
Requirements
The following are the specific requirements of building block OPS.3.2 Providing Outsourcing. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Institution, Data Protection Officers, Emergency Officers |
Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
OPS.3.2.A1 Compliance with the Protection Objectives of Information Security Through Information Security Management (B)
The protection needs for confidentiality, integrity, and availability of outsourcing users MUST be taken into account in the outsourcing process. In doing so, it MUST be ensured that the minimum level of information security required by the outsourcing users is maintained. In addition, the applicable regulatory and legal aspects MUST be taken into account.
OPS.3.2.A2 Basic Requirements for Contracts with Outsourcing Users (B)
Uniform basic requirements for outsourcing contracts MUST be developed. These SHOULD be uniformly implemented in contracts. These basic requirements MUST include aspects of information security and security requirements of the outsourcing users. In addition, they MUST contain how further transfers by the providers are to be handled. The basic requirements MUST include the right of users to perform examinations, revisions, and audits to ensure that the contractually regulated information security requirements are being complied with. A confidentiality agreement to protect sensitive data, agreements on information exchange, and service level agreements SHOULD be agreed with the outsourcing users. The basic requirements MUST be uniformly implemented in agreements and contracts. On the basis of the basic requirements, a uniform contract template SHOULD be created and used for all outsourcing projects.
OPS.3.2.A3 Transfer of the Contractually Regulated Provisions with Outsourcing Users to Sub-Service Providers (B)
If processes are further transferred from outsourcing providers to sub-service providers, the contractual provisions with the outsourcing users MUST be passed on to the sub-service providers. This MUST be appropriately specified and enforced in the contracts with the sub-service providers. On request from outsourcing users, these contracts MUST be presented.
OPS.3.2.A4 Creation of a Tenant Separation Concept (B)
A tenant separation concept MUST be created and implemented. The tenant separation concept MUST ensure that data and processing contexts of different outsourcing users are sufficiently securely separated. In doing so, a distinction MUST be made between tenant-dependent and tenant-independent data and objects. It MUST be set out with which mechanisms the outsourcing providers separate the tenants. The required mechanisms for tenant separation MUST be sufficiently implemented by the outsourcing providers. The tenant separation concept MUST be created by the outsourcing providers and made available to the outsourcing users. Furthermore, it MUST offer appropriate security for the protection needs of the data of the outsourcing users.
OPS.3.2.A5 Creation of a Security Concept for the Outsourcing Service (B)
The outsourcing providers MUST create a security concept for their services. For individual outsourcing projects, additional specific security concepts MUST be created that are based on the security requirements of the outsourcing users. The security concept for the respective outsourcing project SHOULD be presented to each outsourcing user. The security concept of the outsourcing providers and its implementation SHOULD be merged into a comprehensive security concept. Outsourcing providers and users MUST jointly develop security objectives and document them. A joint classification for all information requiring protection MUST also be created. Furthermore, the outsourcing providers MUST regularly check whether the security concept has been implemented.
OPS.3.2.A6 Regulations for a Planned and Unplanned Termination of an Outsourcing Relationship (B)
Regulations MUST be established for how to proceed when outsourcing relationships are terminated, whether planned or unplanned. It MUST be specified how all information, data, and hardware of the users are returned by the outsourcing providers. Subsequently, the remaining data stocks of the outsourcing users MUST be securely deleted after the expiry of the statutory data retention requirements. This MUST be documented by the outsourcing providers. Furthermore, it SHOULD be checked whether the access, admission, and access rights for the outsourcing users were revoked after the outsourcing relationship was terminated.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
OPS.3.2.A7 Provision of Outsourced Services Through Multiple Sub-Service Providers (S)
If processes are further transferred from outsourcing providers to sub-service providers, the outsourcing providers SHOULD have multiple qualified sub-service providers available in case sub-service providers fail or give notice. This SHOULD be documented jointly with the outsourcing users.
OPS.3.2.A8 Creation of a Policy for Outsourcing Services (S)
A policy for providing outsourcing services SHOULD be created and established in the institution. This SHOULD regulate the testing and approval procedure. The further transfer to sub-service providers SHOULD be taken into account. The policy SHOULD take into account measures to manage compliance risks at outsourcing providers and sub-service providers.
OPS.3.2.A9 Review of Agreements with Outsourcing Users (S)
Agreements with outsourcing users regarding the appropriateness of the specified security requirements and other security requirements SHOULD be reviewed at regular intervals and on an ad-hoc basis. Agreements with outsourcing users with insufficiently defined security requirements SHOULD be improved. When the threat situation or legal situation changes, the specified security requirements SHOULD be improved. All changes SHOULD be documented by the outsourcing providers.
OPS.3.2.A10 Establishing a Secure Communication Channel and Defining Communication Partners (S)
The outsourcing providers SHOULD set up a secure communication channel to the outsourcing users. It SHOULD be documented which information is transmitted to the outsourcing partner via this communication channel. In doing so, it SHOULD be ensured that responsible persons are named at each end of the communication channel. It SHOULD be checked regularly and on an ad-hoc basis whether these persons still hold their function as dedicated communication partners. Between outsourcing partners, it SHOULD be regulated according to which criteria which communication partner may receive which information.
OPS.3.2.A11 Establishing a Contingency Concept (S) [Emergency Officers]
A contingency concept SHOULD be established in the institution. In this contingency concept, outsourcing users as well as sub-service providers SHOULD be taken into account.
OPS.3.2.A12 Performing a Risk-Oriented Assessment of Processes, Applications, and IT Systems (S)
If processes, applications, or IT systems are newly built and provided to customers, they SHOULD be assessed in a risk-oriented manner, both regularly and on an ad-hoc basis, and the assessment SHOULD be documented. From the resulting findings, appropriate measures SHOULD be defined. Furthermore, the results SHOULD be used to further improve information security management.
OPS.3.2.A13 Connection to the Networks of Outsourcing Partners (S)
Before the data network of the providers is connected to the data network of the outsourcing users, all security-relevant aspects SHOULD be agreed in writing. Before both networks are connected, they SHOULD be analyzed for known security vulnerabilities. It SHOULD be checked whether the agreements for the network connection are being complied with and the required security level is demonstrably achieved. Before the networks are connected, the connection SHOULD be tested with test data. If there are security problems on either side, it SHOULD be specified who is to be informed and how escalation is handled.
OPS.3.2.A14 Monitoring of Processes, Applications, and IT Systems (S)
The processes, applications, and IT systems deployed for customers SHOULD be continuously monitored.
OPS.3.2.A15 Reporting to Outsourcing Users (S)
The outsourcing providers SHOULD provide reports to the outsourcing users at specified intervals on the outsourced process. A report SHOULD be sent to the outsourcing users when changes to the process were made by the outsourcing providers or sub-service providers. For this purpose, standardized protocols for reporting SHOULD be established.
OPS.3.2.A16 Transparency on the Outsourcing Chain of Outsourced Customer Processes (S)
The outsourcing providers SHOULD maintain an outsourcing register for the sub-service providers used in customer processes. This SHOULD contain information on the sub-service providers, performance indicators, criticality of the processes, concluded contracts and agreements, and changes. Changes to the outsourcing register SHOULD be tracked. The outsourcing register SHOULD also address the further transfers by the sub-service providers. The outsourcing providers SHOULD regularly and on an ad-hoc basis review the outsourcing register.
OPS.3.2.A17 Access, Admission, and Access Control (S)
Access, admission, and access authorizations SHOULD be regulated both for the personnel of the outsourcing providers and for the personnel of the outsourcing users. Likewise, access, admission, and access authorizations for auditors and other reviewers SHOULD be defined. In doing so, only as many rights SHOULD be granted as are necessary for the activity.
OPS.3.2.A18 Regulations for the Deployment of Sub-Service Providers (S)
Personnel of outsourcing providers and sub-service providers SHOULD be briefed on their tasks and informed about existing information security regulations of the outsourcing providers. Insofar as required, the personnel of outsourcing providers and sub-service providers SHOULD be vetted according to the requirements of the outsourcing users, e.g. through a certificate of good conduct. The personnel of outsourcing providers and sub-service providers SHOULD be obligated in writing to comply with relevant laws and regulations, confidentiality agreements, and internal regulations. Substitution regulations SHOULD exist in all areas.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.
OPS.3.2.A19 Security Vetting of Employees (H)
The trustworthiness of the personnel of outsourcing providers SHOULD be verified through appropriate evidence. Contractual criteria SHOULD be agreed with the outsourcing users.
OPS.3.2.A20 Encrypted Data Transmission and Storage (H)
For the transmission of data to and from the outsourcing users as well as for storage, a secure encryption method SHOULD be agreed with the outsourcing users. In doing so, the encryption method used SHOULD be oriented towards the protection needs of the data. The encryption method SHOULD be checked regularly and on an ad-hoc basis to confirm that it is functioning correctly.
OPS.3.2.A21 Conducting Joint Emergency and Crisis Exercises (H) [Emergency Officers]
Joint emergency and crisis exercises with the outsourcing users SHOULD be conducted and documented (see DER.4 Emergency Management). The result of the exercise SHOULD be used to improve the contingency concept and in particular the joint action plans. The emergency and crisis exercises SHOULD be conducted regularly and on an ad-hoc basis.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides in the standard ISO/IEC 27001:2013 in Chapter A.15.2 “Management of supplier service delivery” requirements for the management of service providers. In DIN ISO 37500:2015-08, further information on dealing with service providers is provided in the “Outsourcing Guide.”
Furthermore, in ISO 27002:2021 the outsourcing relationship is detailed and specified from Chapter 5.19 to 5.22, thereby specifying the requirements of ISO/IEC 27001:2013.
The “Guide to Implementation of Legal Framework Conditions” of the Federal Association for Information Technology, Telecommunications and New Media (Bitkom) provides information on the topic of “compliance” in IT outsourcing projects and assistance in implementing the legal framework conditions in an outsourcing relationship.
The National Institute of Standards and Technology (NIST) provides in NIST Special Publication 800-53 requirements for service providers. In a further publication NISTIR 8276, NIST describes best practices in the risk management of a “Cyber Supply Chain.”
The BSI Standard 200-4 Emergency Management contains important information and templates for creating and establishing a functional contingency concept.