Appendix O
411
12. Does the MSSP have information security policies and procedures?
Guidance:
The MSSP should have an information security program built on a
foundation of documented policies and procedures. As part of the due
diligence process, the company should have asked to see those policies and
procedures. As a follow-on question, the MSSP should be able to explain how
it ensures compliance with its security policies and procedures, i.e., what
type of enforcement takes place. The MSSP should also have a mechanism for
keeping its policies and procedures up to date as new security threats
emerge.
Risk:
The MSSP should have a top-notch information security program.
The risk of not having one is that the MSSP's own security posture is less
than adequate, which in turn weakens the security of the company that relies
on its services.
Client Response:
13. Since the inception of the contract, has any significant turnover occurred
at the MSSP and is there a qualified staff to run the MSSP?
Guidance:
An MSSP is only as good as the staff that runs it. No matter how good
the technology, the quality of the staff ultimately determines the quality of
service an MSSP provides. When assessing the quality of the staff, things to
look for include certifications such as the Certified Information Systems
Security Professional (CISSP) or specific vendor certifications, the
experience level of the staff, and the management team. It is important to
note that MSSP analysts are not just watching a monitor and reporting
results; they conduct security analysis and research, which is one of the
"value adds" of an MSSP. When reviewing staff credentials, it is also
important to note what kind of turnover the MSSP has. A high turnover rate
may indicate problems at the MSSP. Related to turnover, it is critical that
the MSSP have a strong employee termination process to ensure that employees
who leave the MSSP have their access removed promptly. In an MSSP
environment, where the analysts are highly technical and have access to the
company's security monitoring data, the risk posed by a disgruntled employee
is very significant. Reviewing the MSSP's staffing should be an ongoing
process, not something done only at contract inception.
Risk:
The risk if the MSSP has significant turnover and unqualified staff
is that the company may receive inadequate security services. In addition,
a weak termination process combined with a disgruntled former employee who
still retains access can result in a number of negative impacts for the
company.
AU1706_book.fm Page 411 Tuesday, August 17, 2004 11:02 AM