408
A Practical Guide to Security Assessments
6. Is the MSSP’s Security Operations Center (SOC) physically secure? Does
it meet the client’s physical security standards?
Guidance:
The MSSP’s SOC should meet certain physical security standards. The best way to determine this is to do a walkthrough of the facilities before signing any contract. If a contract has already been signed, physical security should be audited as part of a regular audit program. Because of the nature of the MSSP’s business, the SOC should meet fairly rigorous standards. To put it into perspective, the MSSP’s SOC is an extension of the company’s network — if the SOC goes down, so does the company’s network (potentially). The MSSP’s physical security is therefore critical to the well-being of the company’s network.
Risk:
If the MSSP is not physically secure, a risk exists that the company’s information assets are not secure.
Client Response:
7. Does the MSSP have a tested business continuity/disaster recovery plan? Has the company’s own business continuity and disaster recovery plan been updated to reflect the MSSP?
Guidance:
As part of the initial due diligence effort and the ongoing audit process, the company should ensure that the MSSP has a tested business continuity and disaster recovery plan in place. Similar to the earlier question about physical security, the SOC’s ability, or lack thereof, to become operational after a disaster is critical to your company. In addition, the company’s own business continuity/disaster recovery plan should be updated to reflect that the company is using a MSSP.
Risk:
The risk associated with MSSPs not having a business continuity/disaster recovery plan is that the company loses a critical portion of its information security infrastructure in the event that the MSSP suffers a disaster.
Client Response:
8. Does the client have any data retention requirements as they relate to the security data collected by the MSSP? If so, are they addressed in the contract, and does the MSSP retain the data according to those requirements?
AU1706_book.fm Page 408 Tuesday, August 17, 2004 11:02 AM
Appendix O
Guidance:
When developing a contract with a MSSP, the company should review its own internal policies to understand the data retention requirements and determine whether any of the data collected by the MSSP are subject to them. For example, companies may have a policy of retaining security-related log data for potential investigations. As part of the monitoring procedures, the company should ensure that data is retained per the contract. This question should tie into the data retention questionnaire earlier in the book as well as any data retention policy the company might have. See the Data Classification and Data Retention appendices (Appendices D and E, respectively) for more detailed questions.
Risk:
Without making the appropriate provisions in the MSSP contract for retention of data, the company may not retain key system-related information per the company’s internal requirements.
Client Response:
9. What is the financial condition of the MSSP? Does it have enough funds and future revenues to sustain operations over the long term?
Guidance:
Documented cases exist of MSSPs that have gone bankrupt and left their customers high and dry. As part of the selection process, it is absolutely critical to ensure that the MSSP has the ability to sustain itself financially for at least the duration of the contract and preferably even further out. The MSSP should also be financially stable enough to afford quality staff and have a good SOC. When assessing financial viability, look for what type of funding the MSSP has received or, if it is a publicly traded company, look at its financials, which are available on the Internet. In addition, look at the management team leading the MSSP and research what kind of track record they have had with other companies they have led. The financial situation of a MSSP should be reviewed not only during initial selection but also on an ongoing basis as part of the audit process.
Risk:
The risk associated with not critically examining the financial condition of a MSSP is that the company may choose a MSSP that is not financially stable. If the MSSP goes out of business or is forced to cut corners due to lack of funds, the security posture of the company can be significantly weakened.
Client Response:
10. What measures does the MSSP have in place to ensure that their other customers do not have access to the company’s data?
Guidance:
Depending on how the MSSP has the service set up, customers might have some level of access into the Security Operations Center. The company must ensure that access controls are set up so that one company cannot see another company’s information — e.g., network addresses, general IT architecture–related information. The expectation that the company’s data is kept confidential should be formalized, and confidentiality of data should be addressed in the contract. This is a more significant issue if the MSSP has any competitors of the company as customers.
Risk:
The risk associated with inadequate access controls in the MSSP is that they can lead to unauthorized access to the company’s sensitive information.
Client Response:
11. If the company is subject to any legal or regulatory requirements related to security, is the MSSP meeting those requirements?
Guidance:
There are new regulatory requirements with security implications, which must be adhered to. Laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm–Leach–Bliley Act (GLBA) have been fully implemented. As security concerns become more prevalent, it is likely that other laws and regulations will spring up. The MSSP should have expertise with regulations and work with the company to ensure that the MSSP contract and services address these requirements. It is important to note that ultimately, the company, whether or not it has a contract with a MSSP, is responsible for ensuring that legal requirements are met. Therefore, the company should actively work with the MSSP to ensure compliance with relevant requirements.
Risk:
The risk associated with the MSSP not addressing legal and regulatory requirements is potential fines for the company as well as potential damage to the reputation of the company in the event of a security breach.
Client Response:
12. Does the MSSP have information security policies and procedures?
Guidance:
The MSSP should have an information security program with a foundation of policies and procedures. As part of the due diligence process, the company should have asked to see their policies and procedures. As a follow-on question, the MSSP should be able to answer how it ensures compliance with security policies and procedures — i.e., what type of enforcement takes place. The MSSP should also have a mechanism for ensuring that its policies and procedures are up to date based on new security threats.
Risk:
The MSSP should have a top-notch information security program. The risk associated with not having one is that the MSSP may have a less than adequate information security program, which can result in weakened security for the company.
Client Response:
13. Since the inception of the contract, has any significant turnover occurred at the MSSP, and is there a qualified staff to run the MSSP?
Guidance:
A MSSP is as good as the staff that runs it. No matter how good the technology, the quality of the staff ultimately determines the quality of service provided by a MSSP. When determining the quality of staff, some things to look for include certifications such as the Certified Information Systems Security Professional (CISSP) or specific vendor certifications, the experience level of the staff, and the management team. It’s important to note that MSSP analysts are not just looking at a monitor and reporting results; they are conducting security analysis and research, which is one of the “value adds” of a MSSP. When reviewing the staff credentials, it is also important to note what type of turnover the MSSP has. A high turnover rate may indicate problems with the MSSP. Relative to turnover, it is critical for the MSSP to have a strong employee termination process to ensure that employees who leave the MSSP have their access removed. In a MSSP environment, where the analysts are very tech savvy, risks related to disgruntled employees are very significant. Reviewing the staffing with a MSSP should be an ongoing process and not something that is just done at the time of the contract inception.
Risk:
The risk if the MSSP has significant turnover and unqualified staff is that the company may receive inadequate security services. In addition, a weak termination process combined with a disgruntled employee can result in a number of negative impacts for the company.
Client Response:
14. Has the MSSP had a SAS 70 or some other independent review performed? What were the results, and were findings addressed?
Guidance:
One way to determine the security posture of the MSSP is to see if it has been audited or reviewed by a third party. One popular review is the SAS 70 (Statement of Auditing Standards), which is a standard developed by the AICPA (American Institute of Certified Public Accountants). A SAS 70 review looks at the internal controls that a service organization (in this case, the MSSP) has in place and determines whether these controls mitigate risk as intended. The SAS 70 is an internationally recognized standard that only qualified individuals can perform. Only independent firms with the appropriate credentials can issue a SAS 70 opinion.
Risk:
Not applicable. This question is to determine whether the company has had an independent review done. A clean SAS 70 report is a favorable sign for the MSSP.
Client Response:
15. Does the MSSP have a change management policy and procedure, and are they followed?
Guidance:
One of the key information security policies that the MSSP should have in place is change management. Having this policy in place and following it indicates that the MSSP is careful about its environment and that only tested and approved changes are allowed in production.
Risk:
Without proper change management, a risk exists that unauthorized and untested changes may be introduced into the production environment, which could result in the MSSP having an unstable environment.
Client Response: