1 Policy Statement
All contracts with external suppliers for providing services to XXX shall be monitored and reviewed to ensure that information security requirements are being satisfied. Contracts shall include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another party. Outsourcing and Supplier Policy sets out the conditions that are required to maintain the security of the information and systems when third parties other than the organization’s own staff are involved in their operation. This may occur in at least three distinct circumstances:
- When third parties (for example, contractors) are involved in the design, development or operation of information systems for the organization. There may be many reasons for this to happen, including developing and installing bespoke software, third party maintenance or operation of systems, to full outsourcing of an IT facility;
- When access to the organization’s information systems is granted from remote locations where computer and network facilities may not be under the control of the organization;
- When users who are not members of the organization are given access to information or information systems.
Each of these circumstances involves a risk to the organization’s information, which should be assessed before the third party is granted access. Such access must be subject to appropriate conditions and controls to ensure that risks can be managed.
The Outsourcing and Supplier Policy sets out the conditions that are required to maintain the security of the organization’s information and systems when third parties are involved in their operation.
3 Policy axioms
- The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks.
- The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls
This policy applies to all Suppliers, Contractors, and Third Parties who provide IT-related services .
4.2 IT Assets
This policy is applicable for all network systems, services and information systems.
The documentation shall consist of Outsourcing and Supplier Policy, and related procedures & guidelines. The Outsourcing and Supplier Policy document and all other referenced documents shall be controlled. Version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purpose.
Records being generated as part of the Outsourcing and Supplier Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
4.4 Distribution and Maintenance
The Outsourcing and Supplier Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and system administrators.
The Outsourcing and Supplier Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
The Outsourcing and Supplier Policy shall be implemented by the CISO / designated personnel.
7.1 Choosing an outsourcer
Criteria for selecting an outsourcer shall be defined and documented, taking into account the:
- company’s reputation and history;
- quality of services provided to other customers;
- number and competence of staff and managers;
- financial stability of the company and commercial record;
- retention rates of the company’s employees;
- Quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001).
Further information security criteria may be defined as the result of the risk assessment.
7.2 Assessing outsourcing risks
Management shall nominate a suitable owner for each business function/process outsourced. The owner, with help from the local Information Risk Management Team, shall assess the risks before the function/process is outsourced, using XXX’s standard risk assessment processes. In relation to outsourcing, specifically, the risk assessment shall take due account of the:
- nature of logical and physical access to information assets and facilities required by the outsourcer to fulfill the contract;
- sensitivity, volume and value of any information assets involved;
- commercial risks such as the possibility of the outsourcer’s business failing completely, or of them failing to meet agreed service levels or providing services to XXX’s competitors where this might create conflicts of interest; and
- security and commercial controls known to be currently employed by XXX and/or by the outsourcer.
The result of the risk assessment shall be presented to management for approval prior to signing the outsourcing contract. Management shall decide if XXX will benefit overall by outsourcing the function to the outsourcer, taking into account both the commercial and information security aspects. If the risks involved are high and the commercial benefits are marginal (e.g. if the controls necessary to manage the risks are too costly), the function shall not be outsourced.
7.3 Contracts and confidentiality agreements
A formal contract between XXX and the outsourcer shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for so doing. If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between XXX and the outsourcer, whether as part of the outsource contract itself or a separate non-disclosure agreement (which may be required before the main contract is negotiated). Information shall be classified and controlled in according with XXX policy. Any information received by XXX from the outsourcer who is bound by the contract or confidentiality agreement shall be protected by appropriate classification and labeling. Upon termination of the contract, the confidentiality arrangements shall be revisited to determine whether confidentiality has to be extended beyond the tenure of the contract. All contracts shall be submitted to the Legal for accurate content, language and presentation.
The contract shall clearly define each party’s responsibilities toward the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on use of sub-contractors and other commercial/legal matters normal to any contract. Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:
- Legal, regulatory and other third party obligations such as data protection/privacy laws, money laundering etc.;
- Information security obligations and controls such as:
- Information security policies, procedures, standards and guidelines, normally within the context of an Information Security Management System such as that defined in ISO/IEC 27001;
- Background checks on employees or third parties working on the contract;
- Access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.;
- Information security incident management procedures including mandatory incident reporting;
- Return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;
- Copyright, patents and similar protection for any intellectual property shared with the outsourcer or developed in the course of the contract;
- Specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems, plus source code escrow;
- Anti-malware, anti-spam and similar controls;
- IT change and configuration management, including vulnerability management, patching and verification of system security controls prior to their connection to production networks;
- The right of XXX to monitor all access to and use of facilities, networks, systems etc., and to audit the outsourcer’s compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose;
- Business continuity arrangements including crisis and incident management, resilience, backups and IT Disaster Recovery.
Although outsourcers that are certified compliant with ISO/IEC 27001 can be presumed to have an effective Information Security Management System in place, it may still be necessary for XXX to verify security controls that are essential to address KDCC’s specific security requirements, typically by auditing them.
7.4 Hiring and training of employees
Outsource employees, contractors and consultants working on behalf of XXX shall be subjected to background checks equivalent to those performed on XXX employees. Such screening shall take into consideration the level of trust and responsibility associated with the position and (where permitted by local laws):
- Proof of the person’s identity (e.g. passport);
- Proof of their academic qualifications (e.g. certificates);
- Proof of their work experience (e.g. résumé/CV and references);
- Criminal record check;
- Credit check.
7.5 Access controls
In order to prevent unauthorized access to XXX’s information assets by the outsourcer or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design suitable controls architecture. Technical access controls shall include:
- User identification and authentication;
- Authorization of access, generally through the assignment of users to defined user roles having appropriate logical access rights and controls;
- Data encryption in accordance with XXX’s encryption policies and standards defining algorithms, key lengths, key management and escrow etc.
- Accounting/audit logging of access checks, plus alarms/alerts for attempted access violations where applicable.
Procedural components of access controls shall be documented within procedures, guidelines and related documents and incorporated into awareness, training and educational activities. This includes:
- Choice of strong passwords;
- Determining and configuring appropriate logical access rights;
- Reviewing and if necessary revising access controls to maintain compliance with requirements;
Physical access controls shall include:
- Layered controls covering perimeter and internal barriers;
- Strongly-constructed facilities;
- Suitable locks with key management procedures;
- Access logging though the use of automated key cards, visitor registers etc.;
- Intruder alarms/alerts and response procedures;
If parts of XXX’s IT infrastructure are to be hosted at a third party data center, the data center operator shall ensure that XXX’s assets are both physically and logically isolated from other systems. XXX shall ensure that all information assets handed over to the outsourcer during the course of the contract (plus any copies made thereafter, including backups and archives) are duly retrieved or destroyed at the appropriate point on or before termination of the contract. In the case of highly classified information assets, this normally requires the use of a schedule or register and a process whereby the outsourcer formally accepts accountability for the assets at the point of hand-over.
7.6 Security audits
If XXX has outsourced a business function to an outsourcer based at a different location, it shall audit the outsourcer’s physical premises periodically for compliance to XXX’s security policies, ensuring that it meets the requirements defined in the contract. The audit shall also take into consideration the service levels agreed in the contract, determining whether they have been met consistently and reviewing the controls necessary to correct any discrepancies. The frequency of audit shall be determined by management on advice from functions such as Internal Audit, Information Security Management and Legal.
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.