Ask the Expert

Security standards for outsourcing agreements

I am attempting to define a list of security issues, concerns, best practices that can be used when we negotiate outsource agreements with application service providers and other providers such as ADP, ALLTEL, etc. What subjects, questions or suggestions would you include in such a list? Where can I find research materials I could use? Are there any widely recognized security or quality standards that could be used as a basis, similar to ISO 9000?

    Requires Free Membership to View

There are several recognized security or quality standards that can be used.

Control Objectives for Information and Related Technology is a generally applicable and accepted standard for IT security and control practices.

Common Criteria (which was developed from the military Orange Book and other sources) assists in developing criteria for evaluation of IT security. Another site provides information on the Common Evaluation Methodology.

ISO 17799 is also recognized security standard based upon BS7799. The ISO 17799 was first published in December 2000 based from BS7799, which had its last publication in May 1999.

Consultative, Objective and Bi-functional Risk Analysis combines several standards such as BS7799 / ISO 17799 and Data Protection legislation to encourage compliance with security policies.

Regarding outsourcing agreements, the below Web sites (and their self-written overviews) may offer assistance.

White Paper: Applying Benchmarks to IT Outsourcing Agreements

"The SLA should be clear and free from complex language. It should be tightly focused on business needs. In other words, avoid the weasel language." -- http://www.computerworld.com/cwi/stories/0,1199,NAV47-81_STO56572,00.html

"This document by Anne Caine offers one attorney's excellent overview detailing how to prepare effective service agreements." -- http://www.gtlaw.com.au/pubs/negotiating.html

"This paper by lawyer John Gray complements Anne Caine's paper - Negotiating An Effective Service Level Agreement part I - by focusing more on vendor's issues in outsourcing." -- http://www.gtlaw.com.au/pubs/negotiatingservice.html

"Created so ITAA members can view SLAs submittted by member companies. All companies are kept anonymous, and access is limited to ITAA member companies submitting SLAs..." -- http://www.itaa.org/asp/slalibrary.htm

"ITAA has played a leading role in defining the emerging ASP industry. With assistance from member volunteers, ITAA has created a broad definition to provide guidance to the ASP industry." -- http://www.itaa.org/asp/itaasla.pdf

"This article discusses how management service providers are finding ways to assure clients that performance goals will be met." -- http://www.informationweek.com/story/IWK20000901S0006

"An overview of effective SLAs and some of the challenges in negotiating these agreements..." -- http://www.outsourcing-journal.com/issues/nov1997/html/munch.html

"Providing information on SLAs as a part of outsourcing agreements. Includes information on negotiating effective SLAs, an online forum for buyers and sellers of outsourcing, articles, expert advice and outsourcing FAQs." -- http://www.outsourcing-sla.com/


This was first published in September 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: