Managing IT Security

When Outsourcing to an IT Service Provider:

Guide for Owners and Operators of Critical Infrastructure

May 2007

DISCLAIMER: To the extent permitted by law, this document is provided without any liability or warranty. Accordingly it is to be used only for the purposes specified, and the reliability of any assessment or evaluation arising from it is a matter for the independent judgment of users. This document is intended as a general guide only and users should seek professional advice as to their specific risks and needs.
Foreword

Managing Security When Outsourcing to an IT Service Provider: Guide for Owners and Operators of Critical Infrastructure (guide) is designed to help managers to identify and address IT security issues when organisations are negotiating new, or renegotiating existing outsourcing contracts for their IT arrangements.

The guide has been prepared by the Department of Communications, Information Technology and the Arts (DCITA) on behalf of the IT Security Expert Advisory Group (ITSEAG)[1] of the Trusted Information Sharing Network (TISN)[2].

The guide is based on a document released by the former National Infrastructure Security Coordination Centre in the United Kingdom (UK) (now known as the Centre for the Protection of Critical Infrastructure) entitled, ‘Outsourcing: Security Governance Framework for IT Managed Service Provision’[3]. DCITA would like to thank the UK Government for allowing the Australian Government to draw on this resource. DCITA would also like to thank DLA Phillips Fox who provided advice in relation to the Australian legal and regulatory environment.

This guide is not intended to replace established information security standards issued by industry bodies. Organisations should also continue to seek appropriate legal advice to ensure that any IT outsourcing contract sets out in detail, and in a legally enforceable manner, the security requirements and outcomes identified by the organisation.

A shorter version of this document has been prepared for Chief Executive Officers and Senior Executives[4].

Critical Infrastructure Security

Infrastructure and Security

ITSEAG Secretariat

Department of Communications, Information Technology and the Arts

Web: www.dcita.gov.au/

www.tisn.gov.au

Table of contents

Executive summary

1. Issues in outsourcing information security

1.1. IT security governance and outsourcing

1.2. IT governance: the relationship to critical infrastructure

1.3. Information security issues preceding an outsourcing arrangement

1.4. Potential IT security pitfalls associated with IT outsourcing

2. Managing IT security when outsourcing IT functions

2.1. Your organisation’s and your service provider’s responsibilities

2.2. Effectively managing security in the outsourcing process

2.3. Risk assessments

2.4. Transitional arrangements

2.5. Issues to be addressed in the contract

3. Resources

Attachment A Regulatory and Risk Environment

Attachment B Security Requirements, Communication, Management and Assurance Approaches

Attachment C Key Elements and Tasks—Outsourcing and Information Security

Executive summary

This guide provides resources and checklists to assist managers to address IT security issues when organisations are negotiating new, or renegotiating existing outsourcing contracts for their IT arrangements. The ITSEAG has released a guide to effective IT security governance which should be seen as a companion to this guide.

This guide is not intended to be a stand-alone resource, and should be read in conjunction with the resources listed in Section 3 for further details as to specific requirements, in addition to obtaining independent legal advice as to regulatory compliance necessary for particular industry sectors.

Outsourcing an organisation’s IT functions is a complex process to manage, with IT security being one of the many elements that need to be considered.

This guide includes advice on:

·  IT security issues to consider in the lead up to implementing an IT outsourcing arrangement;

·  steps which need to be taken before and during negotiation and preparation of IT outsourcing contracts;

·  a checklist of potential IT security pitfalls associated with IT outsourcing;

·  advice on how to put in place effective IT security arrangements between an organisation and the IT service provider; and

·  ideas on how to implement effective contractual arrangements and make them adaptive to changes in the IT security environment.

Good IT security governance is an essential part of an overall corporate governance strategy—particularly when considering outsourcing part, or all, of an organisation’s IT functions. Ultimately, in the event of a significant incident involving an organisation’s IT, it is the organisation’s bottom line and reputation that will be affected by disruptions caused by IT failure or the loss of confidential information. The consequences of failure, particularly for organisations dealing with critical infrastructure, can also have widespread national-security and social implications, and cause considerable economic disruption.

The Corporations Act 2001 imposes a number of legal responsibilities upon company directors, secretaries and officers and suggests an obligation to uphold due care and diligence[5]. Depending on the agreed terms of the contract, outsourcing transfers varying levels of management control, but it does not transfer compliance responsibility. Companies need to be aware that outsourcing IT functions to a service provider does not absolve a company, or its senior management, from its legal obligation to provide secure IT arrangements. In addition, government entities will not be absolved from any other obligations within government to comply with and implement government policies and procedures.

In Section 1, the guide outlines pre-outsourcing IT security considerations and examines the consequences of failing to implement stringent risk mitigation strategies during the outsourcing process and contract negotiation.

The potential consequences include loss of revenue, loss of market credibility and a resultant fall in the share price, and exposure to litigation (both corporate and personal). Critical infrastructure providers should note that they are particularly susceptible to class actions if disruptions to service provision or the operation of critical infrastructure cause interruption to the broader economy. In addition, the introduction of ‘corporate culture’ offences under the Commonwealth Criminal Code has created a new basis for potential liability in the outsourcing context. If a critical infrastructure provider fails to ‘maintain a culture of compliance with Commonwealth laws’, the provider itself can be held liable for a breach of those laws by its employees or contractors (including, in this context, the outsource contractor). Maintaining a culture of compliance will include ensuring that the critical infrastructure provider’s information security practices and processes comply with all applicable Commonwealth legislation.

Section 1 also examines some of the pitfalls that could potentially befall an organisation in an IT outsourcing arrangement. These include:

·  the assumption that service providers will implement best-practice security, when in fact service providers are only obliged to implement what they have been contracted (and paid) to do; and

·  failure to define and enforce stringent security requirements and enforce an obligation for service providers and their subcontractors to perform against these requirements in each IT outsourcing contract.

Section 2 of the guide examines the management of security in the contracting lifecycle.

In Section 2, the guide also suggests the need to have people on-hand with suitable expertise to ensure that:

·  the outsourcing contract is going to be properly managed throughout its lifecycle;

·  appropriate monitoring and reporting, as well as auditing procedures, are being adhered to; and

·  if something does go wrong, incident management strategies are in place and staff know what to do.

Establishing key roles and making staff aware of their responsibilities (and knowing those of the service provider) will go a long way to building a culture of IT security.

This guide also provides additional tools to help implement an Information Security Management System (ISMS) internally, before outsourcing, and between your organisation and your IT service provider. An ISMS is an approach to IT security management which ensures that accountability for information security rests at the appropriate seniority level, that ongoing training and information are provided to employees and others, and that reasonable steps have been taken to ensure information security in light of:

·  the organisation's resources;

·  the organisation's risk profile and likely severity of harm to be sustained; and

·  the regulatory obligations applicable to the particular organisation.

A suitable ISMS can also assist in managing the relationship between your organisation and the service provider and its subcontractors, and ensure the flow of information concerning risk assessment, security requirements, reporting, security assurance, and right of audit is managed throughout the contract lifecycle.

1. Issues in outsourcing information security

Your organisation is responsible for its IT security in any IT outsourcing arrangement. An organisation cannot effectively achieve IT security objectives without a strong and effective security governance framework. The ITSEAG has released a guide to effective IT security governance which should be seen as a companion to this guide.

1.1. IT security governance and outsourcing

Outsourcing can be seen as a business or commercial strategy pursued to achieve the strategic goals of an organisation. Drivers may include cost savings, increased business flexibility, exploitation of new technologies and accessing specialist expertise. No matter what the drivers are for outsourcing, if IT security is not properly considered, an incident involving your IT functions caused by human error, systems failure, or even malicious code could end up negating any net benefits derived from the outsourcing arrangement.


Organisations should view IT security governance as a significant component of an overall IT outsourcing model. Given the role information and IT systems now play in the core operations of organisations, IT security governance is now a key element of good corporate governance.

Figure 1—Corporate, IT and security governance relationships[6]

The broad stages which require consideration in ensuring information security in outsourcing arrangements are as follows (more detail is provided in Attachment C):

1.  Ensure an appropriate internal information security management system (ISMS) is in place;

2.  Identification, assessment and evaluation of risks;

3.  Procurement security steps;

4.  Roles and responsibilities;

5.  Contracting for information security;

6.  Transitional security arrangements;

7.  Assurance and conformance;

8.  Ongoing security management (including change management);

9.  Incident management and reporting; and

10.  Termination and transition.

Although you may have internal IT and security governance systems in place, it is possible that your IT and security governance policies may not have been designed for an outsourcing arrangement where the roles and responsibilities are shared between your organisation and a new service provider (Section 1.3).

Your IT security governance policies, both internal and external, should be firmly based on an understanding of potential threats (including those of potential outsourcing pitfalls) to your organisation, legislative and regulatory compliance obligations and be underpinned by risk assessments, incident management strategies and testing.

It is important to make a distinction between IT security governance and IT security management. IT security governance sets the tone from the top down for implementing a culture of accountability and is used to ensure that all security management functions are designed and properly implemented. IT security management, on the other hand, is more a method of delivering IT systems in accordance with governance principles. Section 2.2 discusses a model for information security management.

1.2. IT governance: the relationship to critical infrastructure

Good IT security governance is even more critical, and the consequences of disruption more severe, if you are an owner or operator of critical infrastructure.

The Australian Government defines critical infrastructure as:

“…those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defence and ensure national security.” [7]

Information and Communication Technologies (ICTs) are now an indispensable feature of the modern economy and, therefore, inextricably linked with critical infrastructure. In such an environment, the consequences of poor IT governance and subsequent IT failure can have widespread flow-on effects.

1.3. Information security issues preceding an outsourcing arrangement

Prior to entering into an IT outsourcing arrangement, care should be taken to ensure that any internally developed policies, standards and compliance requirements are sound and that they are regularly reviewed. This is important, because if poorly conceived, they could find their way into IT outsourcing arrangements and significantly distort and disrupt IT security compliance.

An organisation needs to be confident that it has the in-house expertise to profile risk for its IT security and the capability to manage and review the IT security functions it intends to outsource. If an organisation lacks capability in these areas, it is unlikely to be able to design an outsourcing contract that ensures that the outsourced IT security functions are properly managed by the service provider. During the earlier stages of planning the outsourcing contract, your organisation should determine whether it has the in-house capability to effectively manage its IT security or whether it would be better to outsource IT security management to a qualified third party.

This guide is based on the premise that you have decided to outsource part, or all of your IT functions, and that outsourced functions will be brought under the umbrella of your organisation’s IT security governance policies and strategies.

Before you start the outsourcing process, it is suggested that you run through a quick checklist of information security issues to make sure that your IT security governance and procedures will have sufficient security, staffing and reporting mechanisms in place to effectively ensure information security and protect your IT functions. Once a contract is in place, it may be too late to vary the outsourcing arrangement, or doing so may involve a significant, resource-intensive effort. Figure 2 provides a checklist of some issues that you should consider.


Figure 2—Information security issues checklist

Information Security Requirements

·  System and communication security standards to be met by both the provider’s and the organisation’s systems

·  Protection of confidential information and intellectual property of the organisation

·  Protection of personal information and client data

·  Compliance with information, security and privacy policies, laws and regulations

·  Removal of data from redundant systems and any leased systems

Internal & External Staffing Considerations

·  Employment of appropriately qualified and experienced staff and information security managers

·  Details of staff and contractor supervision

·  Security clearance, staff checks and police checks as appropriate

·  Access protocols and remote access controls to be met by the provider, its staff and contractors

·  Supervision, monitoring, security clearance and control of, and responsibility for, subcontractors

·  Indemnity provisions to be provided by the provider and its contractors

Accountability, Reporting & Compliance Considerations

·  System security requirements and compliance

·  Security reviews and security audits

·  Reporting security breaches

·  Disaster recovery, evidence retention protocols and reporting policy

·  Business continuity plans—your own and the provider’s

·  Security incident and risk management and reporting obligations

Contract Transition/Termination

·  A clear contractual arrangement for the termination/transition process

·  A clear understanding by the organisation and the service provider of the termination process

1.4. Potential IT security pitfalls associated with IT outsourcing

Outsourcing your organisation’s IT functions while maintaining IT security is a complex process, and cannot be dealt with in a simplistic way. A number of IT outsourcing pitfalls of which you should be aware when drafting and negotiating the outsourcing contract are detailed below: