Problem solve Get help with specific problems with your technologies, process and projects.

Security standards for outsourcing agreements

I am attempting to define a list of security issues, concerns, best practices that can be used when we negotiate outsource agreements with application service providers and other providers such as ADP, ALLTEL, etc. What subjects, questions or suggestions would you include in such a list? Where can I find research materials I could use? Are there any widely recognized security or quality standards that could be used as a basis, similar to ISO 9000?
There are several recognized security or quality standards that can be used.

Control Objectives for Information and Related Technology is a generally applicable and accepted standard for IT security and control practices.

Common Criteria (which was developed from the military Orange Book and other sources) assists in developing criteria for evaluation of IT security. Another site provides information on the Common Evaluation Methodology.

ISO 17799 is also recognized security standard based upon BS7799. The ISO 17799 was first published in December 2000 based from BS7799, which had its last publication in May 1999.

Consultative, Objective and Bi-functional Risk Analysis combines several standards such as BS7799 / ISO 17799 and Data Protection legislation to encourage compliance with security policies.

Regarding outsourcing agreements, the below Web sites (and their self-written overviews) may offer assistance.

White Paper: Applying Benchmarks to IT Outsourcing Agreements

"The SLA should be clear and free from complex language. It should be tightly focused on business needs. In other words, avoid the weasel language." -- https://www.computerworld.com/cwi/stories/0,1199,NAV47-81_STO56572,00.html

"This document by Anne Caine offers one attorney's excellent overview detailing how to prepare effective service agreements." -- http://www.gtlaw.com.au/pubs/negotiating.html

"This paper by lawyer John Gray complements Anne Caine's paper - Negotiating An Effective Service Level Agreement part I - by focusing more on vendor's issues in outsourcing." -- http://www.gtlaw.com.au/pubs/negotiatingservice.html

"Created so ITAA members can view SLAs submittted by member companies. All companies are kept anonymous, and access is limited to ITAA member companies submitting SLAs..." -- http://www.itaa.org/asp/slalibrary.htm

"ITAA has played a leading role in defining the emerging ASP industry. With assistance from member volunteers, ITAA has created a broad definition to provide guidance to the ASP industry." -- http://www.itaa.org/asp/itaasla.pdf

"This article discusses how management service providers are finding ways to assure clients that performance goals will be met." -- http://www.informationweek.com/story/IWK20000901S0006

"An overview of effective SLAs and some of the challenges in negotiating these agreements..." -- http://www.outsourcing-journal.com/issues/nov1997/html/munch.html

"Providing information on SLAs as a part of outsourcing agreements. Includes information on negotiating effective SLAs, an online forum for buyers and sellers of outsourcing, articles, expert advice and outsourcing FAQs." -- http://www.outsourcing-sla.com/

This was last published in September 2001

Dig Deeper on Information security policies, procedures and guidelines