Organizations are becoming increasingly reliant on information system services provided by external providers to carry out important missions and business functions. External information system services are services implemented outside of the authorization boundaries established by the organization for its information systems. These external services may be used by, but are not part of, organizational information systems. In some situations, external information system services may completely replace the functionality of internal information systems.

Organizations are responsible and accountable for the risk incurred by the use of services provided by external providers. When the risk of using externally provided system is greater than the organization is willing to accept, management must address this risk by implementing compensating controls.

Relationships with external service providers are established in a variety of ways; for example, through joint ventures, business partnerships, outsourcing arrangements (e.g., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The growing dependence on external service providers and new relationships being forged with those providers presents new and difficult challenges for the organization, especially in the area of information system security. These challenges include:

• Defining the types of external services provided to the organization;
• Describing how the external services are protected in accordance with the security requirements of the organization; and
• Obtaining the necessary assurances that the risk to organizational operations and assets, individuals, other organizations, and the organizational context arising from the use of the external services is acceptable.

Many regulations for both public and private organizations, as well as internal operating policies, require (or should require) external providers handling sensitive information or operating information systems on behalf of the organization to meet the same security requirements as the organization itself.
Security requirements for external providers— including security controls for the processing, storage, and/or transmission of information—should be expressed in appropriate contracts or other formal agreements with technology and service providers. Organizations can require external providers to implement all required controls, with the exception of the security authorization step. Security authorization (managerial authorization of systems that reflect, among other things, acceptance of system security criteria) remains an inherent internal responsibility directly linked to the management of organizational risk.

Assurance or confidence that the use of external services represents an acceptable level of risk depends largely on the trust that the organization places in the external service provider. Trust levels can vary widely, ranging from high trust (e.g., in business partners in a joint venture that share a common business model and common goals) to lower trust (e.g., in business partners in one endeavor who are also competitors in another market sector), depending on the operational context and degree of risk represented by any given provider.

In some cases, trust is based on the amount of direct control the organization can exert on the external service provider to ensure both the existence of security controls and the evidentiary assurance of control effectiveness. Whenever explicit agreements—including contractual terms and Service Level Agreements (SLAs)—are feasible and practical, the organization should develop agreements to require the use of security controls equivalent to those employed for internal systems. Such contractual controls and can range from extensive (e.g., a legal contract or SLA negotiated to specify detailed security control and audit requirements) to very limited (e.g., a generic contract or SLA for commodity services, such as commercial telecommunications services).

Full contractual control is not always possible, however. Contracts with commercial providers of commodity-type services typically represented limited-control relationships. Commodity-service providers typically organize business models and services around shared resources and devices for a broad and diverse customer base. Standardized, non-negotiable terms  often characterize commodity-service contracts. Organizational risk assessment and mitigation activities must reflect the real control gaps of this scenario, establishing compensating security controls that provide necessary protections for internal systems that rely on such external services.

Centralized acquisition is another scenario that can limit direct internal control over external systems. In such cases it can be more efficient and cost effective for the originator of the contract (usually the centralized procurement organization) to establish and maintain a stated level of trust—including the definition and required assurance of security controls—with the external provider. Internal organizations that subsequently acquire services from the contracted provider can assume the negotiated trust level established by the centralized contract, averting costly repetition of trust-establishment activities.

Contracts and agreements can also specify controls by the contracting organization. For example, the organization may be required to install public key encryption-enabled client software, as recommended by the service provider.

Organizations should require that an appropriate level of trust be established with the entire chain of external service providers, including subsidiary providers that contribute to the end-service purchased by the organization. This "chain of trust" requires that the organization establish and retain a level of confidence that each provider contributing to the final service deliverable provides adequate protection for its service component. A chain of trust can be complicated, due to the number of entities participating and the types of relationship between the parties.

Each contributing provider may also, in turn, outsource parts of its services to other external entities, making the chain of trust even more complex and difficult to manage. Depending on the nature of the service, it may simply be untenable for the organization to place significant trust in the provider—not due to any inherent untrustworthiness on the provider's part, but due to intrinsic risk in complex service provision structures.

In environments where provider security controls are not or cannot be contractually required, the organization may attempt to base trust levels on other factors, such as the quality or nature of the business relationship. For example, a separately authorized service provided through a well-established line-of-business relationship might justify a high degree of trust and represent a tolerable risk range.

In all cases, however, the responsibility for adequately mitigating unacceptable risks arising from the use of external services ultimately remains with the authorizing official¹ in the purchasing organization. If provider risks cannot be contractually mitigated, the organization should establish and document its explicit assumptions about the security capabilities of the service. This documentation supports informed risk decisions.

When a sufficient level of trust cannot be established, the organization must decide whether it wants accept, mitigate, or reject the risk. There are only three options: 1) employ compensating controls; 2) accept the greater degree of risk represented by the service provider; or 3) choose not to engage the service. For the final option, the decision to reject a service option must be weighed against the risks and costs associated with the organization's ability to fulfill its missions or business operations with reduced levels of system functionality—or possibly no functionality at all.

Footnotes

1. An authorizing official is a senior manager, official, or executive possessing authority to formally assume responsibility for operating an information system at an acceptable level of risk. In evaluating the system risk represented by any system, including vendor-provided systems, the authorizing official must consider risks to organizational operations, organizational assets, customers, employees, other organizations, business value (the business mission, functions, image, or reputation), and the business context.

This article is tightly based on Appendix I of the Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Special Publication 800-37, Revision 1), released in February 2010 by the US National Institute of Standards and Technology (NIST). The complete document is available for free download at http://csrc.nist.gov/publications/PubsSPs.html.

Portions of this document extract have been edited for readability and relevance to broad business sectors. All edits have been made with the goal of retaining the original meaning and value of the source document.