
The current issue and full text archive of this journal is available at

www.emeraldinsight.com/0968-5227.htm

IMCS 14,5
A framework for outsourcing IS/IT security services
Maria Karyda and Evangelia Mitrou
Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece, and
Gerald Quirchmayr
Department of Informatics, Distributed and Multimedia Systems, Multimedia Information Systems, University of Vienna, Wien, Austria

Abstract
Purpose – This paper seeks to provide an overview of the major technical, organizational and legal
issues pertaining to the outsourcing of IS/IT security services.
Design/methodology/approach – The paper uses a combined socio-technical approach to explore
the different aspects of IS/IT security outsourcing and suggests a framework for accommodating
security and privacy requirements that arise in outsourcing arrangements.
Findings – Data protection requirements are a decisive factor for IS/IT security outsourcing, not only
because they pose restrictions to management, but also because security and privacy concerns are
commonly cited among the most important concerns prohibiting organizations from IS/IT
outsourcing. New emerging trends such as outsourcing in third countries, pose significant new
issues, with regard to meeting data protection requirements.
Originality/value – The paper illustrates the reasons for which the outsourcing of IS/IT security
needs to be examined under a different perspective from traditional IS/IT outsourcing. It focuses on
the specific issue of personal data protection requirements that must be accommodated, according to
the European Union directive.
Keywords Communication technologies, Outsourcing, Information systems, Data security,
European directives
Paper type General review

1. Introduction
Outsourcing refers to the procurement of products and/or services from sources that
are external to an organization. Within the last 15 years, outsourcing has become a
common issue in organizations’ management agenda.
Information systems (IS) or information technology (IT) outsourcing can be defined
as the transfer of an IS/IT function that was previously carried out in-house to a third
party provider. IS/IT outsourcing began evolving in the early 1990s, mainly for
supplementing in-house application development. It covers a wide range of IS/IT
related functions, including software development, hardware maintenance and web
hosting, and constitutes a well established and fast growing industry.
Information Management & Computer Security, Vol. 14 No. 5, 2006, pp. 402-415. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220610707421

Recently, there has been an increased demand for web hosting, e-commerce hosting and remote data storage services. This functionality is provided to organizations by application service providers (ASPs), who provide hardware, software and network infrastructure, as well as business services. To deliver these services most ASPs manage and store the organizations’ information resources, and provide access to the end-users through public networks. ASPs are playing a very important role for IS/IT outsourcing, which has driven researchers to characterize it as “netsourcing” (Kern et al., 2002).
Within the expanding range of IS/IT functions that are outsourced, a recent advent has been the procurement of IS/IT security services. IS/IT security outsourcing is appealing to enterprises, because security is a high expertise area, and because many security tasks, such as, for example, network monitoring, require substantial resources, in terms of manpower and infrastructure. Thus, companies specializing in security provide IS/IT security services to organizations which lack this expertise or do not possess adequate resources to perform these functions internally.
Can security services outsourcing, however, be managed or considered under the same terms as other IS/IT related functions?
This paper argues that IS/IT security outsourcing should be examined under a
different lens from traditional IS/IT outsourcing. To demonstrate this, the paper
explores the specific organizational, technical and legal aspects of security
outsourcing, and focuses on the privacy and data protection requirements and how
these can be accommodated.
The rest of the paper is organized as follows: the next section reports on the major
issues organizations face before making an IS/IT outsourcing arrangement. Section 3
elaborates on the reasons that drive organizations to outsource their security functions
and on the most commonly outsourced security services. Section 4 presents the
organizational and technical issues that organizations should consider for IS/IT
security outsourcing. Section 5 presents the legal requirements pertaining to
outsourcing, by focusing on how personal data can be protected, from the perspective
of the directive adopted by the European Union. Finally, the last section presents the
overall conclusions and issues for further research.

2. IS/IT outsourcing
The reasons for which companies turn to IS/IT outsourcing are primarily financial; they include expectations of improved rates of return on investment (ROI), reduced cost and economies of scale that could not be realized internally. By outsourcing their IS/IT functions organizations also aim to:
• have improved access to specialized knowledge and best-practices;
• receive better quality services;
• have increased business continuity capability in case of internal incidents; and
• achieve flexibility with regard to technology.

Moreover, companies expect to gain increased competitiveness and a chance to focus their efforts and use their resources on their core competence. Goo et al. (2000) found that organizations in different industries are likely to have different motives for outsourcing their IT/IS functions, while Yang and Huang (2000) argue that a major factor for IS/IT outsourcing decisions is the need to improve performance. In general, IS/IT outsourcing is particularly appealing to small and medium sized enterprises, because they often face more financial constraints compared to large firms.
Outsourcing, however, is not a risk free process. Lacity and Willcocks (1998) name a set of risk factors for IS/IT outsourcing, including:
• treating IT as an undifferentiated commodity to be outsourced;
• incomplete contracting;
• failure to build and retain requisite in-house capabilities and skills;
• power asymmetries developing in favour of the vendor;
• unrealistic expectations with multiple objectives for outsourcing; and
• poor sourcing and contracting for development and new technologies.

In a recent study (Khalfan, 2004) loss of data confidentiality was ranked first among a
set of five risk factors in IS/IT outsourcing. Security considerations in general are
widely recognized as important factors impeding wider adoption of IS/IT outsourcing.
Other sources of reluctance for outsourcing are related to the qualification and
expertise of the providers’ employees and to the loss of important knowledge.
Moreover, possible risks that are often related to IS/IT outsourcing include unexpected
costs and possible complications. Finally, total outsourcing, usually with a single
provider, is considered as a high risk strategy.
Thus, organizations strive to achieve a balance between the expected benefits and
the relative risks stemming from outsourcing, by choosing the most appropriate
answers to the following questions: what to outsource, to whom, when or for how long
and finally how to manage the outsourcing arrangement. With regard to the first
question, both researchers and practitioners agree that activities related to the core
business of the organization should be kept in-house, while those that are peripheral to
the business are more suitable for outsourcing. Companies also often choose to
externalize activities that are tedious or monotonous. Finally, knowledge-intensive and
resource-intensive activities are also considered for outsourcing.
The answer to the second question is far more complicated and is usually related to
tasks such as examining business profiles and credentials and managing business
partnerships. Kim and Chung (2003) found that the selection of the provider is
considered to be the most critical success factor for IS/IT outsourcing. As far as the
duration of the outsourcing arrangement is concerned, outsourcing arrangements can
be temporary or last for an indefinite period; usually their duration is from three to ten
years. Service level agreements (SLAs) are commonly used to regulate the outsourcing
arrangement and define the basis for the relationship between the company and the
provider. SLAs also function as a guarantee for the performance levels agreed. Rohde
(2004) reports that only a few companies seek legal advice prior to signing outsourcing
contracts.
Lately, management has yet another issue to consider during the outsourcing
decision-making process: the answer to the “where” question. The development of IT
infrastructures in developing countries, which offer the necessary infrastructure,
skilled personnel and expertise in the IS/IT field at lower cost, makes organizations
increasingly consider outsourcing some of their IS/IT functions to vendors located in
developing countries.

3. Outsourcing IS/IT security services
Outsourced security services, also referred to as managed security services (MSS), entail that the resources (physical as well as human) related to security functions are supplied and/or administered by external providers, who are specialized in the area of IS/IT security. Whereas the outsourcing of physical security services is a very common practice, organizations appear relatively reluctant to outsource their IS/IT security functions. Security outsourcing is a risk mitigation practice and carries its own risks.
Providing IS/IT security services is now starting to become a thriving business area; the market for security services in Western Europe, as estimated by Gartner, was worth $548 million in 2002 and it is estimated to reach $1.4 million by 2007 (Whitworth, 2005). Researchers, however, have not yet placed IS/IT security outsourcing issues in their research agenda. There is a multitude of reasons for that; the fact that the theoretical tools currently applied to IS/IT outsourcing research, for example, resource-based theory (RBT), transaction cost theory (TCT), resource dependence theory (RDT) and agency cost theory (ACT), have not been applied in IS/IT security research makes the endeavor to study IS/IT security outsourcing even harder.
The basic argument for IS/IT security outsourcing is that security issues are
handled by experts, allowing companies to focus on their core competencies. On the
other hand, an important issue that discourages companies from outsourcing their
security functions is the fear of losing control over their systems.
Decision making for traditional IS/IT outsourcing (e.g. application development) typically takes into consideration criteria such as the expectation of cost reduction and increased effectiveness. However, in the case of security outsourcing decision making is much more complicated because:
• It is not clear which security functions are suitable for outsourcing and which should be kept internally. No set of criteria designating security services whose outsourcing would significantly benefit companies exists.
• IS/IT security can be of strategic importance for many organizations. However, it is usually considered as a mere commodity asset.
• Estimating the cost of security is problematic. Most traditional IS/IT outsourcing decisions are based on cost estimation and return-on-investment evaluation; however, estimating the cost of security is not straightforward.
• Confidentiality and privacy requirements are of critical importance for IS/IT security outsourcing arrangements. Moreover, provision for these requirements is often included in the relevant legal and regulatory framework.
• Regardless of whether security is pursued in-house or outsourced, risk remains with the organization, which has to bear the impact in case of manifested risks.
• Finally, there is the issue of raising or enhancing security awareness among end-users and creating a security culture within the organization, as many researchers and practitioners suggest (Dhillon and Backhouse, 2000; Goodwin, 2004; Nosworthy, 2000; Siponen, 2000). This task is hindered when IS/IT security services are provided by an external company and are thus transparent to the end-users.
3.1 IS/IT security outsourcing rationale
Probably the most important reason for which companies choose to outsource IS/IT security is that a single organization, especially one that is of middle or small size, is unlikely to possess all skills and knowledge required for effective security management, especially since security threats and incidents are increasing both in numbers and in diversity, as recent surveys report (DTI, 2004). Indicatively, the SANS Institute reports that in the second quarter of 2005 there has been a rise in the number of new critical internet threats of 11 percent, in comparison to the first quarter (Whitworth, 2005). Therefore, IS/IT security outsourcing is usually related to knowledge intensive security activities (such as, for example, risk analysis, vulnerability assessment, information security risk assessment, forensics), and resource intensive activities (for example, network monitoring).
Another fact that drives organizations towards IS/IT security outsourcing is the difficulty of attracting and retaining qualified and experienced employees in the area of security, as well as the high costs of employing them. Moreover, IS/IT security is a rapidly evolving area, making it necessary that security personnel are kept aware of new types of threats and attacks, as well as the use of new security software and hardware systems, through continuous training and education. This, however, entails high costs for organizations.
Finally, organizations that regard IS/IT security as a commodity asset are more
likely to outsource their security functions. On the other hand, companies that consider
that IS/IT security can provide them with strategic advantage seek to keep their
security functions in-house.

3.2 Managed security services
IS/IT security services that organizations are more likely to outsource include intrusion
monitoring, e-mail virus and spam filtering, penetration testing, IT auditing, firewall
configuration and management, virus protection, intrusion detection systems
management, server management, network monitoring, security policy development
and application, security education and training, security upgrades, VPN management,
user access management, data classification, contingency planning, business
continuity planning and disaster recovery. Other security services that are usually
outsourced are (Allen et al., 2003) network boundary protection, including managed
services for firewalls, incident management, including emergency response, and
penetration testing, content filtering services, data archiving and restoration.
Security installations such as firewalls and VPNs, which offer encryption services,
are expensive and require a significant level of expertise to be effective. These security
functions are also usually outsourced to managed security services providers (MSSPs),
as a cost effective solution. Management and monitoring of security systems,
especially when there is a requirement for round the clock monitoring, is also a task
that, due to its high staffing requirements, organizations often choose to outsource.
Gartner Group estimates that as much as 60 percent of companies will be involved in
outsourcing some form of perimeter security monitoring by 2005.
It is evident from the prior analysis that companies increasingly turn to IS/IT
security providers, while at the same time they keep in-house the security services they
consider more sensitive. The question that arises is the following: how can companies
control and regulate best the IS/IT security outsourcing arrangement? In the following
paragraphs, we explore the critical organizational, legal and technical factors
pertaining to IS/IT security outsourcing, and suggest a framework that can assist
management in taking informed decisions with regard to IS/IT security outsourcing. The
ultimate goal is to achieve the balance between in-house and outsourced security
services that will lead to better IS security management at reasonable costs for
organizations.
4. Organizational and technical aspects of IS/IT security outsourcing
Decision making with regard to IS/IT security outsourcing is a complex issue that entails finding effective solutions to such questions as the ones described in the previous paragraphs. A significant part of the difficulties and the complexity related to IS/IT security outsourcing can be ascribed to the different aspects that must be considered, as well as to the sensitive character of IS/IT security.
To explore these issues, we follow a socio-technical approach, as shown in Figure 1. This approach focuses on three very important, yet not adequately addressed issues of IS/IT security outsourcing: the organizational, the technical and the legal dimension. This framework can be of assistance in answering the “how” to outsource question.
In the first place, decisions on security services outsourcing need to take into consideration the legal and regulatory requirements pertaining to the organizational context. For security outsourcing arrangements, meeting the privacy and confidentiality requirements laid down by the relevant legal framework is of critical importance and entails considering many factors, as described in the following section. IS operate and are used by organizations with the purpose of facilitating and achieving business goals. IS (which we consider as socio-technical systems, comprising hardware, software, processes, data and individuals) provide critical services of strategic importance for many organizations. For these organizations management of the outsourcing arrangement is also of critical importance. Finally, the technical aspect of IS/IT security outsourcing, meaning the technical infrastructure, has also to be considered when making a security arrangement.
For our analysis, legal requirements play a decisive role both in the decision-making process (affecting, for example, the choice of provider), and in the management of the outsourcing process (for example, liability issues and contractual arrangements). Business objectives, together with the business processes which pursue them, determine the role of IS/IT security and consequently designate which security functions should be better kept in-house and which should be outsourced.

Figure 1. Framework for the analysis of IS/IT security outsourcing critical factors (elements: Legal Framework; Business goals; Business processes; Information Systems; IT Infrastructure (software, hardware, communications))

In the following paragraphs, we explore the major organizational and technical issues companies need to take into consideration for managing security outsourcing arrangements. The major legal requirements related to issues of privacy and confidentiality with regard to outsourcing are explored in detail in the next section.

4.1 The organizational dimension
Organizations should consider their security strategy before outsourcing their security
functions. The security strategy, which must be aligned with the business objectives
(Dhillon, 1997), will also assist management evaluate the effectiveness of the
outsourcing arrangement. Organizations need also to decide on the relationship IS/IT
security has with their core competencies. Should they decide that IS/IT security is
closely related to their business core, then outsourcing should be considered under a
very limited scope. The vast majority of companies, however, share the view that IS/IT security is not a part of their core competencies, and therefore, their functions could be effectively outsourced under the proper conditions. Researchers, however, point out that IS/IT security is an issue of critical importance for companies, and should be addressed at the strategic level (Palmer, 2001; Von Solms, 2001; Dhillon, 1997).
On the other hand, companies that hold IS/IT as a commodity have to consider the extent of security outsourcing. Total security outsourcing entails the risk that in the long run, the company might be deprived of security skills internally. This is an issue of critical importance, especially in the case that an organization decides to terminate its outsourcing arrangement and bring the outsourced services in house, as about one in four organizations does (Deloitte, 2005). Companies that have been practicing total security outsourcing are more likely to find themselves unable to manage IS/IT related risks.
As mentioned previously, total security outsourcing might also mean that no
security culture is developed within the organization, while employees lack awareness
on security related issues. Therefore, there should be some provision by management
that a certain level of IS/IT security experience and expertise is maintained within the
organization.
Besides the extent of security outsourcing, organizations also need to make the choice
of whether to outsource IS/IT security functions to a single or multiple providers.
Companies with many providers face increased management cost and have a smaller
negotiation power; on the other hand, outsourcing to a single provider entails more
risks in case of adverse effects.
Pricing is another important issue for security outsourcing arrangements, especially
because for many companies security expenses constitute a significant percent of their
overall IS/IT budget. Current practice shows that, with regard to IS/IT security,
companies lean towards paying an agreed fixed cost, usually on a monthly basis, to
avoid incremental and hidden costs.
Choosing to outsource security functions might also have some side effects for organizations. The development and application of security policies, for example, is a fundamental security management practice that organizations often outsource. As a result, security policies and procedures are often developed a-contextually, without considering the current organisational characteristics, such as the organisation culture and the internal relationships. Such policies and procedures are more likely to be confronted with resistance by employees, as they perceive them as constraints to fulfilling their tasks.
Finally, the issue of resource ownership should also be addressed. In many outsourcing arrangements suppliers own the facilities as well as the labour needed for providing the IS/IT security services. In such cases, liability issues must also be taken into consideration.

4.2 Technical issues
The area of IS/IT security is fast evolving, and as stated before, it is not only the threats and the related incidents that are increasing: the security products and technologies also develop and change at a fast rate. This fact is one of the main reasons enterprises face difficulties in managing IS/IT security on their own. At the same time, however, the same holds true for security services providers. Therefore, organizations must ensure, possibly by including provisions in their outsourcing agreements, that the supplier possesses the most recent security systems and updates them regularly so as to keep pace with technological advances.
Various security functions that are outsourced entail that data is stored at the supplier’s premises; in this case the appropriate techniques and tools should be used to provide data confidentiality and integrity, such as encryption mechanisms, authorization schemes, etc.

5. Privacy considerations for outsourcing: the European perspective
Organizations as well as security providers need to take into account the legal
obligations and restrictions that arise from outsourcing arrangements. Liability,
protection of intellectual property, security and confidentiality are critical issues for
outsourcing. The legal and regulatory frameworks, however, do not only provide
restrictions with regard to outsourcing; they can also facilitate decision making on
which organizations to trust for outsourcing security functions and how to manage the
outsourcing arrangement. Issues such as liabilities and intellectual property rights are
usually arranged within the respective contractual agreement. Therefore, defining the
applicable law as well as the jurisdiction under which the organization and the
provider operate is of paramount importance, especially in the case they differ.
The preservation of security and confidentiality of information are named as
primary inhibitors for organizations contemplating to outsource their functions.
Moreover, failure to meet legal requirements pertaining to security and confidentiality
entails possible liabilities for the organizations. Since security and confidentiality are
of paramount importance for outsourcing, this section focuses on the data protection
regulatory framework, which encompasses the requirements pertaining to security and
confidentiality.
Recent regulatory developments on the liability of enterprises and management, such as the Sarbanes Oxley Act (2002), the requirements stated in (Basel II, 2005) and the discussions around proposals for a European Data Retention Guideline, together with specific regulations for the telecommunications, telemarketing and electronic commerce sectors (EUEC, 2000) have increased and are in fact steadily increasing the amount of requirements which have to be met by outsourcing partners.
The first part of this section looks at selected requirements pertaining to the protection of privacy and personal data as laid out in the European data protection directive (EUDP, 1995). In the second part, a scalable model for incorporating these requirements into a general framework for outsourcing security services and operations is described.

5.1 Core legal requirements on data protection as defined in the European data protection directive
Privacy and protection of the so-called “personal data” have for several decades been at
the very centre of IT-related discussions in most European countries. As an answer to
the public demand for effective protection, several countries have adopted data
protection laws. Differences in the way EU member states approached the data
protection issue impeded the free flow of data, which has led to the adoption of the
EUDP (1995), in order to establish a common set of legally binding principles and rules
for the protection of individuals with regard to the processing of their personal data
(Holvast et al., 2000). Compared to other national and international legal frameworks
(see, for example, the OECD Guidelines or the Council of Europe’s Convention No. 108),
the EUDP establishes very restrictive minimum standards with respect to the
processing of personal data.
The introduction of the European directive has not only made it compulsory for, but
also encouraged, data users to review all stages of the management of their personal
data (European Commission, 1998). To the extent that outsourcing relates to or
includes the processing of personal data, the “Controller” of the data, i.e. the (natural or
legal) person who defines the purpose and means of processing (Art. 2d), has to comply
with the specific requirements of the directive, as implemented in the national law of
each member state. Since the directive covers the processing of personal data by both
automated and manual means (Art. 3), it is indisputable that all forms of outsourced
processing involving personal data have to be organized in compliance with its
requirements.
A first critical question refers to the responsibilities of the Controller and those of
the “Processor,” i.e. the natural or legal person (including public authorities, agencies or
other bodies) that processes personal data on behalf of the Controller (Art. 2e). The
Controller is charged with the responsibility of ensuring that all data protection principles
(finality, proportionality, accuracy, duration limits, etc.) are respected. The controller
must ensure that the requirements concerning the grounds for legitimately processing
personal data (Art. 7) and the specific conditions for the processing of sensitive data
(Art. 8) are fulfilled.
Undoubtedly, under the European directive it is the controller who has to comply
with the general rules on the lawfulness of the processing of personal data, regardless
of whether the processing of data has been outsourced. This issue of management
responsibility has been overlooked, up to now, by enterprises that assumed that by
outsourcing their data processing operations, all liabilities for being compliant with the
directive would be automatically transferred to the service provider.
Controllers have to take all the necessary measures to comply with the requirements related to the information and access rights of the data subjects (Art. 10, 11, 12), as well as to their right to object to the processing of data (Art. 14). They have to re-design their procedures to respond to the requests of data subjects, even if the processing of data is carried out by an external provider (processor). However, both controllers and processors are subject to the control of the independent data protection authorities (Art. 28). In case of law infringements, both controllers and processors face the sanctions provided in Art. 24 of the directive and they remain responsible in cases where a person has suffered damage as a result of unlawful processing (Dammann and Simitis, 1997).
5.1.1 Security and confidentiality requirements. The most significant requirements
for an outsourcing arrangement refer to the confidentiality (Art. 16) and security (Art.
17) of data processing. Article 16 provides that any person acting under the authority
of the controller or of the processor (including the Processor himself/herself) must not
process personal data except on instructions from the controller, unless required to do
so by law. In the case of outsourcing, controllers have to specify the conditions as well
as the limits of the processing in written contracts. Processors must be bound to the
requirement to take all technical and organizational measures to secure the
confidentiality of the data. To ensure that the required high level of confidentiality
is achieved, an outsourcing partner will have to implement all necessary technological
and organizational safeguards, resulting in full access control and in the monitoring of
all access to personal data. The contracts should designate the authority granted to
independent contractors. In the case of absence of formal, clear and written
instructions, the processors may require an indemnity from the Controller to cover the
risk of liability (European Commission, 1998).
Art. 17 of the European directive poses significant security requirements for the
outsourcing arrangement; it imposes obligations on controllers with respect to the
protection of personal data against incidents such as accidental or unlawful
destruction, accidental loss, alteration, unauthorized disclosure or access, or other
unlawful forms of processing. The obligations assigned to the controller are also
incumbent on the processor (Art. 17 § 3), who shall act only on instructions of the
controller. More specifically, the controller should choose providers (processors) who
can provide sufficient guarantees in respect of the technical security measures and
organizational measures governing the processing. Controllers have to develop closer
relationships with processors than was previously the case (European Commission,
1998). In order to establish clarity as well as for evidential purposes, the parts of the
contract relating to the security measures to be adopted must be in writing or in
another equivalent form.
5.1.2 Outsourcing to third countries. Outsourcing is an outcome of the trend towards
globalization of information flows and, more specifically, of the processing of data.
Usually the choice of outsourcing serves the controller's aim of reducing the cost of data
processing, which results in the choice of processors sited in low-cost countries
(Simitis, 2003). However, despite the commercial benefits of outsourcing contracts with
partners outside the European Union, compliance with the requirements of the
directive can very easily become a serious obstacle for such arrangements. For this
reason, several large European enterprises have recently been contemplating an
alternative to traditional "offshoring", the so-called "nearshoring", which limits outsourcing
operations to areas in which European Union legislation already applies.
When outsourcing presupposes or results in the transfer of personal data to a third
country, it is subject to the rules laid down by Articles 25 and 26 of the Directive.
Art. 25 establishes a case by case, flow by flow approach, requiring that the transfer
may only take place if the third country provides an adequate level of protection. In
assessing the adequacy of the data protection level, Art. 25 § 2 provides a non-
exhaustive list of criteria that should be taken into account (including the circumstances
surrounding the data transfer, the nature of the data, purpose, duration, sectoral rules,
professional rules, security measures, etc.).
The adequacy of the level of protection is usually assessed by Data Protection
Authorities, which can authorize or ban the transfer. In the absence of an adequate level
of protection, the directive (Art. 26) sets down a limited series of derogations (consent
of the data subject, conclusion and performance of contracts to which the data subject is
a contracting party, etc.). The list of exceptions provided in Article 26 is extremely limited
and is in general not applicable to outsourcing contracts. While some industry sectors
are still protected by bilateral or multilateral agreements like the "Open Skies
Agreement", or have managed to define a workable compromise for certain geographic
areas, such as the "Safe Harbor Agreement", the export of personal data to third
countries can easily turn into a major problem both for the controller and the processor,
especially in situations where the processor employs subcontractors from outside the
European Union. Moreover, controllers and processors may not make use of the
Commission's Decision on Standard Contractual Clauses for the transfer of personal
data to third countries, issued in 2001, which is otherwise an essential instrument for
maintaining the flow of data without unnecessary burdens for economic operators, as
that decision explicitly states that it does not cover transfers to recipients established
outside the territory of the EU who act only as processors. (A separate set of standard
clauses for transfers from controllers to processors in third countries was adopted later,
in Commission Decision 2002/16/EC, and has to be used instead in such cases.)

5.2 Accommodating legal requirements for outsourcing security services


From a legal point of view, for managing any security outsourcing arrangement, it is
necessary to come up with a constraint-based model that allows checking whether an
outsourcing operation is compliant with current regulations. This framework has to be
able to incorporate the new legislative challenges, as described in the previous
paragraphs, and it also has to be able to cope with a growing number of regulations.
Figure 2 shows a scalable and maintainable outsourcing framework that can
help organizations manage their security outsourcing arrangements with regard
to the core legal requirements. This framework uses a constraint-based model that
allows checking the compliance of an outsourcing contract with regard to the security
and privacy requirements defined in Articles 16 and 17 of the European data protection
directive, as described in the previous paragraphs.
The management of security outsourcing arrangements needs to take into
consideration security and confidentiality requirements, not only at the beginning of
the contractual agreement, but also during the execution of the security outsourcing
and finally, for auditing and evaluation purposes, as shown in Figure 2.
The framework shown in Figure 2 can be complemented by other modules applying
the same basic structure, for example, to the requirements laid out in article 25. As this
concept is very modular, it can be expanded in a way that the collection of a set of
modules together forms the compliance checker for a certain piece of legislation. That
is why this component framework is scalable and allows for the incorporation or
removal of whole pieces of legislation or of individual rules that pertain to outsourcing
arrangements.
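The constraint-based, modular checker described above can be sketched in code. The following Python is an added example written for this edit, not code from the paper or its authors: every legal requirement becomes a named rule over a record of contract facts, rules are grouped into one module per article, and modules or single rules can be added or removed independently. The contract field names, rule identifiers, the three life-cycle phases and the two sample contracts are assumptions made for illustration; the rules only encode the Art. 16, 17 and 25/26 requirements summarised in section 5.1.

```python
"""Constraint-based compliance checker for a security-outsourcing contract.

Added example, not code from the paper. Field names, rule ids, phases and the
sample contracts below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence


@dataclass
class Contract:
    """Facts established about an outsourcing arrangement (assumed schema)."""
    instructions_in_writing: bool            # Art. 16: formal written instructions
    processing_limits_specified: bool        # Art. 16: conditions and limits of processing
    confidentiality_clause: bool             # Art. 16: processor bound to confidentiality
    access_control: bool                     # Art. 16: full access control on personal data
    access_monitoring: bool                  # Art. 16: all access to personal data monitored
    processor_guarantees_documented: bool    # Art. 17: sufficient guarantees on measures
    acts_only_on_instructions: bool          # Art. 17 § 3: processor acts on instructions only
    security_measures_in_writing: bool       # Art. 17: security clauses in writing/equivalent
    transfer_to_third_country: bool = False  # Art. 25 is only triggered when True
    adequacy_established: bool = False       # Art. 25: adequate level of protection
    derogation_applies: bool = False         # Art. 26: e.g. consent of the data subject


@dataclass
class Rule:
    rule_id: str
    description: str
    phase: str                               # "contract", "execution" or "audit" (assumed)
    check: Callable[[Contract], bool]        # constraint that must hold
    applies: Callable[[Contract], bool] = lambda c: True  # precondition for the rule


@dataclass
class Module:
    name: str
    rules: List[Rule] = field(default_factory=list)


def article16_module() -> Module:
    return Module("Art.16", [
        Rule("16-1", "written instructions from the controller", "contract",
             lambda c: c.instructions_in_writing),
        Rule("16-2", "conditions and limits of processing specified", "contract",
             lambda c: c.processing_limits_specified),
        Rule("16-3", "processor bound to confidentiality", "contract",
             lambda c: c.confidentiality_clause),
        Rule("16-4", "access control over personal data in place", "execution",
             lambda c: c.access_control),
        Rule("16-5", "all access to personal data monitored", "execution",
             lambda c: c.access_monitoring),
    ])


def article17_module() -> Module:
    return Module("Art.17", [
        Rule("17-1", "sufficient guarantees on technical and organizational measures",
             "contract", lambda c: c.processor_guarantees_documented),
        Rule("17-2", "processor acts only on instructions of the controller",
             "execution", lambda c: c.acts_only_on_instructions),
        Rule("17-3", "security measures recorded in writing or equivalent form",
             "contract", lambda c: c.security_measures_in_writing),
    ])


def article25_module() -> Module:
    """Third-country module; it can be plugged in or left out without touching the rest."""
    return Module("Art.25", [
        Rule("25-1", "adequate protection in the third country or an Art. 26 derogation",
             "contract", lambda c: c.adequacy_established or c.derogation_applies,
             applies=lambda c: c.transfer_to_third_country),
    ])


class ComplianceChecker:
    def __init__(self, modules: Sequence[Module] = ()):
        self.modules: Dict[str, Module] = {}
        for m in modules:
            self.add_module(m)

    def add_module(self, module: Module) -> None:
        self.modules[module.name] = module

    def remove_module(self, name: str) -> None:
        self.modules.pop(name, None)

    def remove_rule(self, module_name: str, rule_id: str) -> None:
        m = self.modules[module_name]
        m.rules = [r for r in m.rules if r.rule_id != rule_id]

    def failures(self, contract: Contract, phase: Optional[str] = None) -> Dict[str, List[str]]:
        """Module name -> ids of applicable rules the contract fails (optionally one phase)."""
        out: Dict[str, List[str]] = {}
        for name, m in self.modules.items():
            failed = [r.rule_id for r in m.rules
                      if (phase is None or r.phase == phase)
                      and r.applies(contract) and not r.check(contract)]
            if failed:
                out[name] = failed
        return out

    def is_compliant(self, contract: Contract, phase: Optional[str] = None) -> bool:
        return not self.failures(contract, phase)


# Constructed sample contracts (not real data).
NEARSHORE = Contract(True, True, True, True, True, True, True, True)
OFFSHORE = Contract(
    instructions_in_writing=True, processing_limits_specified=True,
    confidentiality_clause=True, access_control=True, access_monitoring=False,
    processor_guarantees_documented=True, acts_only_on_instructions=True,
    security_measures_in_writing=False,   # security terms agreed orally only
    transfer_to_third_country=True,       # subcontractor outside the EU
)


def build_checker() -> ComplianceChecker:
    return ComplianceChecker([article16_module(), article17_module(), article25_module()])


if __name__ == "__main__":
    checker = build_checker()
    print("nearshore:", checker.failures(NEARSHORE))
    print("offshore, contract phase:", checker.failures(OFFSHORE, "contract"))
    print("offshore, execution phase:", checker.failures(OFFSHORE, "execution"))
    checker.remove_module("Art.25")
    print("offshore without Art.25 module:", checker.failures(OFFSHORE))
```

`failures` returns the identifiers of the applicable rules a contract fails, optionally restricted to one phase of the life cycle in Figure 2 (contract checking, execution monitoring, auditing); removing a module or a single rule drops that piece of legislation from the check while the remaining modules continue to work unchanged.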
Figure 2. Conceptual model of a compliance checker for Articles 16 and 17 of the European data protection directive. The figure arranges confidentiality and security requirements checking in three stages: Contract Checking (confidentiality requirements, Art. 16; security requirements, Art. 17; initial contract auditing; periodical contract auditing), Execution Monitoring (continuous contract execution monitoring; operations, services and systems monitoring) and Execution Auditing (operations, services and systems auditing).

Figure 3. Critical issues for IS/IT security outsourcing. Legal issues: security requirements, confidentiality requirements, contract checking, execution monitoring, execution auditing. Organizational issues: IS/IT security strategy, outsourcing strategy, relation to core competencies, scope of outsourcing, business partnerships, in-house expertise, organizational culture. Technical issues: technology updates.
6. Conclusions and further research
IS/IT security outsourcing is a relatively recent issue that has not been adequately
researched up to now. Owing to its particular organizational, legal and technical
aspects, security outsourcing should be treated on a different basis from traditional
IS/IT outsourcing. The management of an organization needs to take into consideration a
multitude of factors prior to engaging in a security outsourcing arrangement. Among
these factors, meeting the requirements on privacy protection is of critical importance,
not only because of the existing legal and regulatory framework, but also because
privacy is a fundamental element for building trust relations between companies and
their customers and/or business partners.
Moreover, there are important organizational issues that should be addressed.
These issues are, up to a point, related to the legal and regulatory framework within
which companies operate. Finally, the importance of technology-related issues
cannot be neglected, since organizational as well as legal requirements are mostly
implemented through technical solutions.
Thus, organizations need to take into account not only technical, but also
organizational and legal issues when formulating their strategy with regard to IS/IT
security outsourcing, as shown in Figure 3.
The rapid growth of the relevant market and the increasing number of companies
that choose to buy IS/IT security services make it necessary that further issues
pertaining to the contractual agreement are investigated, such as pricing and criteria
for choosing the most suitable provider.

References
Allen, J., Gabbard, D. and May, C. (2003), Outsourcing Managed Security Services,
Software Engineering Institute, Carnegie Mellon.
Basel II Risk Management Committee of European Banking Supervisors (2005), CEBS CP 10,
Guidelines on the Implementation, Validation and Assessment of Advanced Measurement
(AMA) and Internal Ratings Based (IRB) Approaches, July.
Dammann, U. and Simitis, S. (1997), EG-Datenschutzrichtlinie-Kommentar.
Deloitte (2005), Calling a Change in the Outsourcing Market, Deloitte Development LLC, April,
available at: www.deloitte.com/
Dhillon, G. (1997), Managing Information System Security, Macmillan Press, Basingstoke.
Dhillon, G. and Backhouse, J. (2000), “Information system security management in the new
millennium”, Communications of the ACM, Vol. 43 No. 7, pp. 125-8.
DTI (2004), Information Security Breaches Survey 2004, Technical Report, Department of Trade
and Industry, London.
EUDP (1995), “Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on
the free movement of such data”, Official Journal L 281, November 23 1995, pp. 31-50.
EUEC (2000), “Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000
on certain legal aspects of information society services”, in particular electronic commerce,
in the internal market (Directive on electronic commerce).
European Commission (1998), Handbook on Cost-effective Compliance with Directive 95/46/EC,
European Commission, Brussels.
Goo, J., Kishore, R. and Rao, H. (2000), "A content-analytic longitudinal study of the drivers for
information technology and systems sourcing", Proceedings of the 21st International
Conference on Information Systems, Brisbane, Queensland, Australia, December 10-13,
pp. 601-11.
Goodwin, B. (2004), “Companies are at risk from staff ignorance”, Computer Weekly, 00104787,
January 27.
Holvast, J., Madsen, W. and Roth, P. (Eds) (2000), The Global Encyclopaedia of Data Protection
Regulation, Kluwer Law International, Looseleaf.
Kern, T., Lacity, M. and Willcocks, L. (2002), Netsourcing: Renting Business Applications and
Services over a Network, Prentice-Hall, New York, NY.
Khalfan, A. (2004), “Information security considerations in IS/IT outsourcing projects: a
descriptive case study of two sectors”, International Journal of Information Management,
Vol. 24, pp. 29-42.
Kim, S. and Chung, Y. (2003), “Critical success factors for IS outsourcing implementation from an
interorganizational relationship perspective”, Journal of Computing Information Systems,
Vol. 43 No. 4, pp. 81-90.
Lacity, M.C. and Willcocks, L. (1998), “An empirical investigation of information technology
sourcing practices: lessons from experience”, Management Information Systems
Quarterly, Vol. 22 No. 3, pp. 363-408.
Nosworthy, J. (2000), “Implementing Information Security in the 21st century – do you have the
balancing factors?”, Computers and Security, Vol. 19, pp. 337-47.
Palmer, M. (2001), “Information security policy framework: best practices for security policy in
the e-commerce age”, Information Systems Security, May/June, pp. 13-27.
Rohde, F. (2004), “IS/IT outsourcing practices of small- and medium-sized manufacturers”,
International Journal of Accounting Information Systems, Vol. 5, pp. 429-51.
Sarbanes Oxley Act (2002), H. R.3763.
Simitis, S. (Ed.) (2003), Kommentar zum Bundesdatenschutzgesetz, Baden-Baden.
Siponen, M. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Von Solms, B. (2001), “Corporate governance and information security”, Computers and Security,
Vol. 20, pp. 215-8.
Whitworth, M. (2005), “Outsourced security – the benefits and risks”, Network Security, October,
pp. 16-19.
Yang, C. and Huang, J. (2000), “A decision model for IS outsourcing”, International Journal of
Information Management, Vol. 20 No. 3, pp. 225-39.

Further reading
European Commission (2003), First Report on the Implementation of the Data Protection
Directive, European Commission, Brussels.
Rüling, C. (2005), "Popular concepts and the business management press", Scandinavian Journal
of Management, Vol. 21, pp. 177-95.

Corresponding author
Gerald Quirchmayr can be contacted at: gerald.quirchmayr@univie.ac.at
