IT Outsourcing Management
When an information system is outsourced to one or more third-party service providers, proper security management processes must be in place to protect data and to mitigate any security risks associated with the outsourced IT project and/or service. The following areas should be considered:

- When preparing an outsourcing service contract, the organisation should clearly define the security requirements of the information systems to be outsourced, such as how all personal and sensitive data should be handled throughout the contract. These requirements should form the basis of the tendering process and become an integral part of the performance metrics.
- The outsourcing contract should require all staff of third-party service providers and vendors to sign non-disclosure agreements to protect sensitive data in the systems.
- The contract should also include a set of service level agreements (SLAs). SLAs are used to define the expected performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of non-compliance.
- The contract should include an escalation process for problem resolution and incident response, so that incidents are handled according to a pre-defined process that minimises any impact on the organisation.
- When engaging IT service providers, an organisation should ensure that the vendor employs adequate security controls in accordance with the organisation's own IT security policies, wider regulatory requirements (such as requirements from the Hong Kong Monetary Authority for the banking sector) or other industry best practices. Service providers should be subject to the same information security requirements and have the same information security responsibilities as those specified for internal staff.
- The security control compliance of service providers and users should be monitored and reviewed actively and periodically. The organisation must reserve the right to audit the responsibilities defined in the service level agreement, and to have those audits carried out by an independent third party.
- The organisation should ensure the adequacy of the contingency plans and back-up processes provided by the service provider.
- The security roles and responsibilities of the service provider, internal staff and end-users pertaining to the outsourced information system should be clearly defined and documented.
- It is essential to ensure that all data to be handled by the outsourcing party are clearly and properly classified, and that security privileges for access are assigned only on an as-needed basis for the performance of their work or the discharging of contractual obligations.
- Although an information system can be outsourced, the overall responsibility and liability for any breach of sensitive or personal data remains entirely with the organisation.