www.emeraldinsight.com/0968-5227.htm
A framework for outsourcing IS/IT security services
Maria Karyda and Evangelia Mitrou
Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece, and
Gerald Quirchmayr
Department of Informatics, Distributed and Multimedia Systems, Multimedia Information Systems, University of Vienna, Wien, Austria
Abstract
Purpose – This paper seeks to provide an overview of the major technical, organizational and legal
issues pertaining to the outsourcing of IS/IT security services.
Design/methodology/approach – The paper uses a combined socio-technical approach to explore
the different aspects of IS/IT security outsourcing and suggests a framework for accommodating
security and privacy requirements that arise in outsourcing arrangements.
Findings – Data protection requirements are a decisive factor in IS/IT security outsourcing, not only because they impose restrictions on management, but also because security and privacy concerns are commonly cited among the most important factors deterring organizations from IS/IT outsourcing. Emerging trends such as outsourcing to third countries pose significant new issues with regard to meeting data protection requirements.
Originality/value – The paper illustrates the reasons for which the outsourcing of IS/IT security
needs to be examined under a different perspective from traditional IS/IT outsourcing. It focuses on
the specific issue of personal data protection requirements that must be accommodated, according to
the European Union directive.
Keywords Communication technologies, Outsourcing, Information systems, Data security,
European directives
Paper type General review
1. Introduction
Outsourcing refers to the procurement of products and/or services from sources external to an organization. Within the last 15 years, outsourcing has become a standing item on organizations' management agendas.
Information systems (IS) or information technology (IT) outsourcing can be defined as the transfer of an IS/IT function that was previously carried out in-house to a third-party provider. IS/IT outsourcing began evolving in the early 1990s, mainly as a supplement to in-house application development. It now covers a wide range of IS/IT-related functions, including software development, hardware maintenance and web hosting, and constitutes a well-established and fast-growing industry.
Information Management & Computer Security, Vol. 14 No. 5, 2006, pp. 402-415. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220610707421
Recently, there has been an increased demand for web hosting, e-commerce hosting and remote data storage services. This functionality is provided to organizations by application service providers (ASPs), who provide hardware, software and network infrastructure, as well as business services. To deliver these services most ASPs manage and store the organizations' information resources, and provide access to the end-users through public networks. ASPs play such an important role in IS/IT outsourcing that researchers have characterized it as "netsourcing" (Kern et al., 2002).
Within the expanding range of IS/IT functions that are outsourced, a recent addition has been the procurement of IS/IT security services. IS/IT security outsourcing is appealing to enterprises because security is an area requiring high expertise, and because many security tasks, such as network monitoring, require substantial resources in terms of manpower and infrastructure. Thus, companies specializing in security provide IS/IT security services to organizations which lack this expertise or do not possess adequate resources to perform these functions internally.
Can security services outsourcing, however, be managed or considered under the
same terms as other IS/IT related functions?
This paper argues that IS/IT security outsourcing should be examined through a different lens from traditional IS/IT outsourcing. To demonstrate this, the paper
explores the specific organizational, technical and legal aspects of security
outsourcing, and focuses on the privacy and data protection requirements and how
these can be accommodated.
The rest of the paper is organized as follows: the next section reports on the major
issues organizations face before making an IS/IT outsourcing arrangement. Section 3
elaborates on the reasons that drive organizations to outsource their security functions
and on the most commonly outsourced security services. Section 4 presents the
organizational and technical issues that organizations should consider for IS/IT
security outsourcing. Section 5 presents the legal requirements pertaining to
outsourcing, by focusing on how personal data can be protected, from the perspective
of the directive adopted by the European Union. Finally, the last section presents the
overall conclusions and issues for further research.
2. IS/IT outsourcing
The reasons for which companies turn to IS/IT outsourcing are primarily financial; they include expectations of an improved rate of return on investment (ROI), reduced cost and economies of scale that could not be realized internally. By outsourcing their IS/IT functions organizations also aim to:
• have improved access to specialized knowledge and best practices;
• receive better quality services;
• have increased business continuity capability in case of internal incidents; and
• achieve flexibility with regard to technology.
In a recent study (Khalfan, 2004) loss of data confidentiality was ranked first among a
set of five risk factors in IS/IT outsourcing. Security considerations in general are
widely recognized as important factors impeding wider adoption of IS/IT outsourcing.
Other sources of reluctance for outsourcing are related to the qualification and
expertise of the providers’ employees and to the loss of important knowledge.
Moreover, possible risks that are often related to IS/IT outsourcing include unexpected
costs and possible complications. Finally, total outsourcing, usually with a single
provider, is considered as a high risk strategy.
Thus, organizations strive to achieve a balance between the expected benefits and
the relative risks stemming from outsourcing, by choosing the most appropriate
answers to the following questions: what to outsource, to whom, when or for how long
and finally how to manage the outsourcing arrangement. With regard to the first
question, both researchers and practitioners agree that activities related to the core
business of the organization should be kept in-house, while those that are peripheral to
the business are more suitable for outsourcing. Companies also often choose to externalize activities that are tedious or monotonous. Finally, knowledge-intensive and resource-intensive activities are also considered for outsourcing.
The answer to the second question is far more complicated and is usually related to
tasks such as examining business profiles and credentials and managing business
partnerships. Kim and Chung (2003) found that the selection of the provider is
considered to be the most critical success factor for IS/IT outsourcing. As far as the
duration of the outsourcing arrangement is concerned, outsourcing arrangements can
be temporary or last for an indefinite period; usually their duration is from three to ten
years. Service level agreements (SLAs) are commonly used to regulate the outsourcing
arrangement and define the basis for the relationship between the company and the
provider. SLAs also function as a guarantee for the performance levels agreed. Rohde (2004) reports that only a few companies seek legal advice prior to signing outsourcing contracts.
Lately, management has yet another issue to consider during the outsourcing
decision-making process: the answer to the "where" question. The development of IT infrastructures in developing countries, which offer the necessary infrastructure, skilled personnel and expertise in the IS/IT field at lower cost, makes organizations increasingly consider outsourcing some of their IS/IT functions to vendors located in developing countries.
Figure 1. Framework for the analysis of IS/IT security outsourcing critical factors. Layers shown: legal framework; business goals; business processes; information systems; IT infrastructure (software, hardware, communications).
outsourcing process (for example, liability issues and contractual arrangements). Business objectives, together with the business processes which pursue them, determine the role of IS/IT security and consequently designate which security functions are better kept in-house and which should be outsourced.
In the following paragraphs, we explore the major organizational and technical issues companies need to take into consideration for managing security outsourcing arrangements. The major legal requirements related to issues of privacy and confidentiality with regard to outsourcing are explored in detail in the next section.
5.1 Core legal requirements on data protection as defined in the European data protection directive
Privacy and the protection of so-called "personal data" have for several decades been at the very centre of IT-related discussions in most European countries. In answer to the public demand for effective protection, several countries adopted data protection laws. Differences in the way EU member states approached the data protection issue impeded the free flow of data, which led to the adoption of the European data protection directive (EUDP, 1995), in order to establish a common set of legally binding principles and rules for the protection of individuals with regard to the processing of their personal data (Holvast et al., 2000). Compared to other national and international legal frameworks (see, for example, the OECD Guidelines or the Council of Europe's Convention No. 108), the directive establishes very restrictive minimum standards with respect to the processing of personal data.
The introduction of the European directive has not only made it compulsory for data users to review all stages of the management of the personal data they hold, but has also encouraged them to do so (European Commission, 1998). To the extent that outsourcing relates to or includes the processing of personal data, the "controller" of the data, i.e. the (natural or legal) person who determines the purposes and means of processing (Art. 2d), has to comply with the specific requirements of the directive, as implemented in the national law of each member state. Since the directive covers the processing of personal data by both automated and manual means (Art. 3), it is indisputable that all forms of outsourced processing involving personal data have to be organized in compliance with its requirements.
A first critical question concerns the responsibilities of the controller and those of the "processor", i.e. the natural or legal person (including public authorities, agencies or other bodies) that processes personal data on behalf of the controller (Art. 2e). It is the controller who is charged with the responsibility of ensuring that all data protection principles (finality, proportionality, accuracy, duration limits, etc.) are respected. The controller must also ensure that the requirements concerning the grounds for legitimately processing personal data (Art. 7) and the specific conditions for the processing of sensitive data (Art. 8) are fulfilled.
Undoubtedly, under the European directive it is the controller who has to comply
with the general rules on the lawfulness of the processing of personal data, regardless
of whether the processing of data has been outsourced. This issue of management
responsibility has been overlooked, up to now, by enterprises that assumed that by
outsourcing their data processing operations, all liabilities for being compliant with the
directive would be automatically transferred to the service provider.
Controllers have to take all the necessary measures to comply with the requirements related to the information and access rights of the data subjects (Art. 10, 11, 12), as well as to their right to object to the processing of data (Art. 14). They have to re-design their procedures to respond to the requests of data subjects, even if the processing of data is carried out by an external provider (processor). Moreover, both controllers and processors are subject to the control of the independent data protection authorities (Art. 28). In case of infringements of the law, both controllers and processors face the sanctions provided for in Art. 24 of the directive, and they remain responsible in cases where a person has suffered damage as a result of unlawful processing (Dammann and Simitis, 1997).
5.1.1 Security and confidentiality requirements. The most significant requirements for an outsourcing arrangement refer to the confidentiality (Art. 16) and security (Art. 17) of data processing. Article 16 provides that any person acting under the authority of the controller or of the processor (including the processor himself/herself) must not process personal data except on instructions from the controller, unless required to do so by law. In the case of outsourcing, controllers have to specify the conditions as well as the limits of the processing in written contracts. Processors must be bound by the requirement to take all technical and organizational measures needed to secure the confidentiality of the data. To ensure that the required high level of confidentiality is achieved, an outsourcing partner will have to implement all necessary technological and organizational safeguards, resulting in full access control and in the monitoring of all access to personal data. The contracts should designate the authority granted to independent contractors. In the absence of formal, clear and written instructions, processors may require an indemnity from the controller to cover the risk of liability (European Commission, 1998).
Art. 17 of the European directive imposes significant security requirements on the outsourcing arrangement; it places obligations on controllers with respect to the protection of personal data against incidents such as accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, or other unlawful forms of processing. The obligations imposed on the controller are also incumbent on the processor (Art. 17 § 3), who shall act only on instructions from the controller. More specifically, the controller should choose providers (processors) who can provide sufficient guarantees in respect of the technical security measures and organizational measures governing the processing. Controllers therefore have to develop closer relationships with processors than was previously the case (European Commission, 1998). In order to establish clarity as well as for evidential purposes, the parts of the contract relating to the security measures to be adopted must be in writing or in another equivalent form.
5.1.2 Outsourcing to third countries. Outsourcing is an outcome of the trend towards globalization of information flows and, more specifically, of the processing of data. Usually the choice of outsourcing serves the controller's aim of reducing the cost of data processing, which results in the choice of processors located in low-cost countries (Simitis, 2003). However, despite the commercial benefits of outsourcing contracts with partners outside the European Union, compliance with the requirements of the directive can very easily become a serious obstacle to outsourcing arrangements. For this reason, several large European enterprises have recently been contemplating an alternative to traditional "offshoring", the so-called "nearshoring", limiting outsourcing operations to areas in which European Union legislation already applies.
When outsourcing presupposes or results in the transfer of personal data to a third country, it is subject to the rules laid down in Articles 25 and 26 of the directive.
Art. 25 establishes a case-by-case, flow-by-flow approach, requiring that the transfer may only take place if the third country provides an adequate level of protection. In assessing the adequacy of the data protection level, Art. 25 § 2 provides a non-exhaustive list of criteria that should be taken into account (including the circumstances surrounding the data transfer, the nature of the data, the purpose and duration of the processing, sectoral rules, professional rules, security measures, etc.).
The adequacy of the level of protection is usually assessed by data protection authorities, which can authorize or ban the transfer. In the absence of an adequate level of protection, the directive (Art. 26) sets down a limited series of derogations (consent of the data subject, conclusion and performance of contracts to which the data subject is a contracting party, etc.). The list of exceptions provided in Article 26 is extremely limited and is in general not applicable to outsourcing contracts. While some industry sectors are still protected by bilateral or multilateral agreements like the "Open Skies Agreement", or have managed to define a workable compromise for certain geographic areas, such as the "Safe Harbor Agreement", the export of personal data to third countries can easily turn into a major problem both for the controller and the processor, especially in situations where the processor employs subcontractors from outside the European Union. Moreover, controllers and processors may not make use of the Commission's Decision on Standard Contractual Clauses for the transfer of personal data to third countries, issued in 2001, which would otherwise be an essential means of maintaining the flow of data without unnecessary burdens for economic operators, as that decision states that it does not cover transfers to recipients established outside the territory of the EU who act only as processors.
Figure (caption not recovered). Legal issues: security requirements; confidentiality requirements; contract checking; execution monitoring; execution auditing. Organizational issues: IS/IT security strategy; outsourcing strategy; relation to core competencies; scope of outsourcing; business partnerships; in-house expertise; organizational culture.
References
Allen, J., Gabbard, D. and May, C. (2003), Outsourcing Managed Security Services, Software Engineering Institute, Carnegie Mellon.
Basel II Risk Management Committee of European Banking Supervisors (2005), CEBS CP 10,
Guidelines on the Implementation, Validation and Assessment of Advanced Measurement
(AMA) and Internal Ratings Based (IRB) Approaches, July.
Dammann, U. and Simitis, S. (1997), EG-Datenschutzrichtlinie-Kommentar.
Deloitte (2005), Calling a Change in the Outsourcing Market, Deloitte Development LLC, April,
available at: www.deloitte.com/
Dhillon, G. (1997), Managing Information System Security, Macmillan Press, Basingstoke.
Dhillon, G. and Backhouse, J. (2000), “Information system security management in the new
millennium”, Communications of the ACM, Vol. 43 No. 7, pp. 125-8.
DTI (2004), Information Security Breaches Survey 2004, Technical Report, Department of Trade
and Industry, London.
EUDP (1995), “Directive 95/46/EC of the European Parliament and of the Council of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on
the free movement of such data”, Official Journal L 281, November 23 1995, pp. 31-50.
EUEC (2000), “Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000
on certain legal aspects of information society services”, in particular electronic commerce,
in the internal market (Directive on electronic commerce).
European Commission (1998), Handbook on Cost-effective Compliance with Directive 95/46/EC,
European Commission, Brussels.
Goo, J., Kishore, R. and Rao, H. (2000), "A content-analytic longitudinal study of the drivers for information technology and systems sourcing", Proceedings of the 21st International Conference on Information Systems, Brisbane, Queensland, Australia, December 10-13, pp. 601-11.
Goodwin, B. (2004), “Companies are at risk from staff ignorance”, Computer Weekly, 00104787,
January 27.
Holvast, J., Madsen, W. and Roth, P. (Eds) (2000), The Global Encyclopaedia of Data Protection Regulation, Kluwer Law International, Looseleaf.
Kern, T., Lacity, M. and Willcocks, L. (2002), Netsourcing: Renting Business Applications and
Services over a Network, Prentice-Hall, New York, NY.
Khalfan, A. (2004), “Information security considerations in IS/IT outsourcing projects: a
descriptive case study of two sectors”, International Journal of Information Management,
Vol. 24, pp. 29-42.
Kim, S. and Chung, Y. (2003), “Critical success factors for IS outsourcing implementation from an
interorganizational relationship perspective”, Journal of Computing Information Systems,
Vol. 43 No. 4, pp. 81-90.
Lacity, M.C. and Willcocks, L. (1998), “An empirical investigation of information technology
sourcing practices: lessons from experience”, Management Information Systems
Quarterly, Vol. 22 No. 3, pp. 363-408.
Nosworthy, J. (2000), “Implementing Information Security in the 21st century – do you have the
balancing factors?”, Computers and Security, Vol. 19, pp. 337-47.
Palmer, M. (2001), “Information security policy framework: best practices for security policy in
the e-commerce age”, Information Systems Security, May/June, pp. 13-27.
Rohde, F. (2004), “IS/IT outsourcing practices of small- and medium-sized manufacturers”,
International Journal of Accounting Information Systems, Vol. 5, pp. 429-51.
Sarbanes Oxley Act (2002), H. R.3763.
Simitis, S. (Ed.) (2003), Kommentar zum Bundesdatenschutzgesetz, Baden-Baden.
Siponen, M. (2000), “A conceptual foundation for organizational information security
awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
Von Solms, B. (2001), “Corporate governance and information security”, Computers and Security,
Vol. 20, pp. 215-8.
Whitworth, M. (2005), “Outsourced security – the benefits and risks”, Network Security, October,
pp. 16-19.
Yang, C. and Huang, J. (2000), “A decision model for IS outsourcing”, International Journal of
Information Management, Vol. 20 No. 3, pp. 225-39.
Further reading
European Commission (2003), First Report on the Implementation of the Data Protection
Directive, European Commission, Brussels.
Rüling, C. (2005), "Popular concepts and the business management press", Scandinavian Journal of Management, Vol. 21, pp. 177-95.
Corresponding author
Gerald Quirchmayr can be contacted at: gerald.quirchmayr@univie.ac.at