A Practical Guide to Security Assessments
• Is the provider’s business continuity plan robust enough to allow the
provider to be operational within a time frame that is acceptable to the
company?
• Is the data adequately backed up so that data is not permanently lost?
• Has the business continuity plan been tested?
• Is the plan updated regularly to reflect changes in the business?
• In the event of a disaster, what priority does the company have relative
to other customers serviced by the external provider?
As part of the assessment, review the provider’s business continuity
plan and determine whether the company’s outsourced operations can be
recovered within an acceptable time frame.
Risk:
If the provider does not have an adequate business continuity plan,
there is a risk of long-term disruption of key operations or loss of data.
Client Response:
23. Is there a service level agreement (SLA) between the company and the
provider that specifies the services to be provided and the metrics against
which they will be measured? Are there remedies if the provider does not
comply with the SLA? Items to look for in an SLA include:
• Site availability
• Reliability
• Quality of service
• Security
Guidance:
The client depends on the external provider for a certain level of service
in terms of availability, reliability, security, quality of service, and other
factors. The SLA details the different aspects of the service, including the
scope of service, roles and responsibilities, performance metrics, and
support. An SLA clearly defines the services being provided and the metrics
the provider must meet. The metrics help ensure that the provider
understands the level of service required and hold it accountable. When
reviewing the metrics, two key characteristics to look for include:
• Metric measurement — Ideally, the metric is measured by automated
means. Automated measurements are more accurate and objective, so there
is less room to dispute the result; manually generated measures are subject
to human error and are less accurate. Also check who performs the
measurement: a metric reported only by the provider’s own tooling is
harder for the company to verify than one the company can measure itself
or independently audit.
• Penalties for not meeting the metric — A metric is much more valuable
if penalties are associated with it. Failing to meet the metrics should