When you go about procuring a new system, evaluating it based on usability, adaptability and how well it matches your internal processes is a no-brainer. Something that may not be quite as obvious for future system users is the information security aspect. Before initiating a procurement of IT-outsourcing it is important to define the information security requirements and to make sure that a potential system supplier can meet them.
Mikael Söderberg works with information security at Telia and heads the CIS Security Team. He has solid experience of information security demands from both a procurement and supplier perspective. Now he has written a guest blog post to help us figure out how to best address security when procuring a system like Telia ACE.
Start out with classification and risk analysis
When it comes down to it, information security is about making sure that you have the right level of protection for your various information types. To protect all information in a business would hardly be possible and certainly not make economical sense, rather it is important to figure out what information needs protecting. In practice that means that only authorized persons shall be able to access the information, that the data is always correct and that it is available when you need it. In order to evaluate what is the right level of protection the first step is to classify your information.
Information classification is the basis for good information security work and is a process where you define which information is worth protecting, in what respect and on what level. Some data may for example not under any circumstances fall into the wrong hands, and other information must always be available.
Following classification, a natural next step is to make one or several risk analyses to evaluate which risks it poses to hand over that information to an external party as well as what the information needs protecting from during the contract period.
Develop clear requirements for systematic information security work
After classification and risk analysis the work of establishing the actual requirements begins. Here my recommendation is to deliver clear and actionable requirements to the supplier together with your assessment of what is necessary for the information to be handled in a safe way. Since compliance is a vital part of information security it may also be a good idea to ask the supplier for an ISO-certification. Alternatively, ask questions in to establish whether the supplier works systematically with information security. Also ask to gain insight into the intended supplier’s system for information classification and compare how well it aligns to your internal structure.
For us as a supplier it also gives us opportunity to inform the customer if we do not think that a certain type of information belongs in our system. For example, we do not handle sensitive personal data such as union membership or religious affiliation in Telia ACE.
Before you sign any agreement, it is also important to have a plan for changing suppliers in the future. You need to be able to take back the management of the outsourced function, and to extract your data without suffering too much operative damage.
Ensure that your intended supplier treats personal data (at least) as well as you do
Make sure to sign a data processing agreement (DPA) with the supplier to assure that the personal data that is handled by the supplier will be protected in the same way as if you handled it yourselves. If the supplier uses subcontractors, they also need to follow the established requirements regarding information security.
Ask for routine descriptions about how the supplier can help you to follow the individual’s rights, meaning the right to have data corrected, erased or blocked, or to extract or move their data. Also ask about the policies regarding security incident management and how you will be informed about a security incident that has taken place.
Get the professionals involved
There’s a lot to gain from involving the security organization early in the procurement process. The requirements you present to your supplier should mirror your internal requirements as well as the external requirements that you are subject to by authorities and laws. As a supplier we would rather not have an extensive security attachment presented to us late in the process, and are much happier when we can evaluate our customers’ requirements in a calm and methodical way.
We’re here to talk security
If you are about to outsource there’s a lot to think about and if I were to point out a few advantages of Telia as a supplier I can mention that we have an extensive security department and are certified according to ISO 27001. We can also provide a single point of contact for security matters; a person who is well versed in the customer’s environment. We consider information our core business and best-of-breed security work is in our genes.