In the aftermath of this summer’s big debate in both Swedish and international media, regarding the governmental function Transportstyrelsen and their outsourcing deal which led to state secret data being accessible by non-vetted personnel outside of Swedish borders—changes were made. Now the Swedish security police (SÄPO) has released their recommended 10-step guide for Information Security in Outsourcing, with special focus on public sector/authorities.
What strikes me, is that some points are activities which definitively should be established and exist, no matter if anything is being outsourced or not. In general, there are sub-bullets within each area which are directed towards involving a 3rd party (I don’t highlight those), but all the others.
So, in short:
- Security Analysis of the organizations information
A good mapping of the organizations information as in what/where/why/owner etc. should absolutely exist already and was actually be one of the core discussions of the incident as such since the responsible persons claim they didn’t even know that they had that sensitive data in their systems. This have a major impact no matter whom operates the systems. Conclusion: NOT BECAUSE OF OUTSOURCING
- Information classification based on type of data
Should definitively also already exist. Level of confidentiality controls criteria’s for being able to access and organizations information, usually in a model like Public, Restricted, Confidential and Strictly Confidential. Without this framework and awareness amongst the own staff, there is a problem far greater than whether you should outsource or not. GDPR will add an additional layer on top of this. Conclusion: NOT BECAUSE OF OUTSOURCING
- Security Assessment of systems in scope
This do have an impact on outsourcing, although this is an activity that should be done even within your own environment. Unless you have a flat network, no zoning etc, this assessment is the one showing where the system should be placed, additional controls etc and frankly, should already exist and not be created just because of potential outsourcing. Conclusion: NOT BECAUSE OF OUTSOURCING
- Involve Subject Matter Experts
Not much to say. A guidance to ensure that the appropriate resources and responsible are involved in creating the requirements which of course happens all the time no matter if you run the systems yourself… right? Conclusion: NOT BECAUSE OF OUTSOURCING
- Make sure security agreement is appropriate
This agreement is directly linked with using a 3rd party, so….. Conclusion: Related to OUTSOURCING
- Only specify security requirements that are measurable
Make sure that security controls are measurable, reported and followed up is certainly not only required when outsourcing. On the other hand, you might even claim that a lot of businesses actually don’t do that until the day they are going to outsource which means that until then, they haven’t got control of what they have. Conclusion: NOT BECAUSE OF OUTSOURCING
- Special considerations with non-domestic suppliers
This especially have a direct impact on national secret type of data, the legal aspects and possibility to perform vetting of staff. That does not in any way means that domestic suppliers will deliver a more secure environment or with a higher quality. Conclusion: Related to OUTSOURCING
- Cloudbased services
Strict dependency to 1, 2 and 3. I mean, we all have control of this right? Your staff doesn’t use Dropbox, Onedrive, Evernote, Hotmail, Gmail etc for convenience. Conclusion: NOT BECAUSE OF OUTSOURCING
- Integrate Information Security in your business processes
Not even going to comment this since this is something that is fundamental and should even be needed to highlight…. Conclusion: NOT BECAUSE OF OUTSOURCING
- Notify Security Police of new and cancellation of security agreement and national secret type-vetting
One bullet out of four is regarding the security agreement. The rest are still to be done, including mandatory Incident notification to Swedish authority, which in itself has been a discussion since it isn’t done. Conclusion: NOT BECAUSE OF OUTSOURCING
The document as such is very good and definitively contains elements that are key to information security, and not only applicable for the public sector or businesses which manage state secret data. However, labelling the entire document “guidelines for outsourcing” when the majority of the sections are independent of whether you’re about to outsource, or continue to run your infrastructure in-house, is a pity since it will easily be missed by all businesses not about to outsource.