403
Appendix O
Managed Security
Although outsourcing information technology (IT) operations has been happening
for some time, outsourcing the security function has become more popular recently.
In the past, companies have signed significant outsourcing contracts with companies
such as IBM and EDS to manage all or part of their entire IT operations. The main
drivers for these outsourcing agreements have been:
Cost — There is a clear business case for outsourcing IT. Companies that have done it have achieved substantial reductions in their overall IT costs. Cost reductions are not only seen in IT, but also with all of the support areas such as finance and human resources.
Expertise — As IT became and continues to become more complicated, many companies cannot hire and retain the level of qualified IT personnel needed to effectively run the IT organization. Although many companies do not outsource, most of them are forced to use consultants extensively to get the work done.
Concentration on core competencies — A trend exists where companies are focusing on what they are good at. For example, some banks have made a decision to focus on their core business, which is banking, and outsource other areas where they do not have the expertise.
In the same way that companies concentrate on their core competencies, IT outsourcers are doing the same. Their core competency is running IT operations, and they are able to do it cheaper and better (in some cases) because of economies of scale. For example, it is cheaper for an IT outsourcer to have a big data center where several companies’ IT operations can be hosted than for the individual companies to each have separate data centers.
Although this trend continues, IT outsourcing is far from perfect. Companies
must go through a thorough due diligence process and develop a solid contract when
entering into an agreement with an IT outsourcer. Also, IT outsourcing is not a
turnkey operation. Companies must actively manage their outsourcer to ensure that
services are delivered as agreed to in the contract.
Security has started to follow a path similar to that of IT outsourcing but with
some different drivers. As the typical company’s IT environment has become more
distributed and the Internet has become a central component of the IT infrastructure,
AU1706_book.fm Page 403 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
electronic and physical attacks have become more sophisticated. As a result, the security measures required to effectively mitigate risks related to these attacks have also become more sophisticated. Security measures include a focus on internal processes as well as the deployment of security technologies. Managing these security technologies and the security function in general can be a full-time task for several people in an organization. Hiring and retaining individuals who possess expertise in security technologies and how they fit into the organization from a business perspective is very difficult. For this reason and others, which are listed below, managed security is becoming popular:
Attacks occur 24/7 — Attacks do not follow the schedule that regular employees keep. They can occur at any time. Managed security services typically provide 24/7 support or off-hours monitoring as required.
Cost — The main costs for security, personnel and technology, can be very expensive and hard to justify. One of the reasons that the cost is hard to justify is that the security personnel may not always be busy even though you are paying for all of their time. On the other hand, with a Managed Security Service Provider (MSSP), the business case for outsourcing security from a cost perspective can easily be made.
Technology — Security, like other technologies, is constantly changing and difficult to keep up with. The evolution of security technologies largely coincides with the evolution of attacks. To ensure good ongoing security, the company must keep up with changes in technology. This is another area where an MSSP is in a better position because of its expertise.
For these and other reasons, many companies are turning to MSSPs for their security needs. MSSPs can provide a range of services including (but not limited to) managed firewalls, managed intrusion detection, and managed vulnerability services. Companies should thoroughly evaluate their security requirements to determine which MSSP makes the most sense for them.
Some of the key benefits of using an MSSP include:
• Leveraging the MSSP’s security infrastructure and paying for only a portion of it
• Having security staff with subject matter expertise
• Focusing on the company’s core competencies and letting the MSSP focus on security
These benefits are not guaranteed, however. The MSSP relationship should not be treated as a turnkey relationship. To get the most out of an MSSP relationship, companies must conduct the proper due diligence during the selection process and monitor the relationship throughout the duration of the contract (just as with general IT operations).
This questionnaire, like the others in this book, focuses on processes relating to selecting and using an MSSP and is technology neutral. The questions try to ascertain whether the right mechanisms are in place to ensure success with the MSSP relationship and to determine whether the current MSSP is performing adequately. The
questions are a starting point and should be modified based on the specific business
requirements of the company. In addition, depending on the service that the MSSP
is providing, you should ask other questions specifically related to the particular
service being provided.
QUESTIONS
1. Does someone “own” the relationship with the MSSP? How is the relationship with the MSSP monitored?
Guidance: All relationships with third parties should have a point person who is responsible for the relationship. In the case of managed security, a critical function is being outsourced to a third party. How well the MSSP delivers the services can impact the operations and reputation of the company. Ideally, the person who is responsible should be someone at the management level who is knowledgeable about security and who can effectively deal with the MSSP.
Risk: The risk of not having someone own the relationship with the MSSP is a lack of accountability. No one will be responsible for ensuring that the MSSP is meeting the terms of the service level agreement.
Client Response:
2. What metrics, reports, or other communications are reviewed for purposes of monitoring the relationship?
Guidance: Service level agreements (SLAs) with many service providers have documented performance metrics. The relationship with an MSSP should not be treated any differently. As part of the monitoring process, the company should have certain reports or metrics that are reviewed on a regular basis. The company should establish metrics, which should be defined in the service level agreement with the MSSP. These metrics will depend on the type of business and the nature of the relationship with the MSSP. Metrics allow you to baseline the performance of an MSSP and have a better understanding of how well the provider is performing. The metrics allow an objective comparison between how well an MSSP provides security services and how well it was being done internally, thus helping validate the business case for having an MSSP. Metrics are also useful in negotiating future contracts with MSSPs. If possible, the metrics should be based on system-generated information because of the objectivity of the information and the minimal effort required to collect it.
Risk: The risk of not establishing metrics is that it reduces the company’s ability to assess how well the MSSP is doing and hold MSSPs accountable for certain service levels.
Client Response:
3. Are there service level agreements (SLAs) with defined metrics that MSSPs must meet? Some of the key items that should be addressed in SLAs include:
• Communication requirements
• Management reporting
• Penalties for not meeting SLAs
• Provisions for the client if the MSSP goes out of business
• Incident handling
Guidance: SLAs are critical when establishing a relationship with a third-party provider, such as an MSSP. The SLA articulates the scope of service, roles and responsibilities, and other key components that define the relationship with the MSSP. In a way, the SLA is a more detailed version of the contract and is focused on the service being provided. The SLA should also include metrics where appropriate (e.g., where the metric is system generated) and be referenced in the final contract with the MSSP. The items listed in this question are just some of the areas that should be included in the SLA.
Risk: The risks associated with not having solid SLAs in place include:
• It is difficult to hold the MSSP accountable for service levels because the required service levels are not documented. Although the contract may have some details, it probably does not have details about service levels.
• Roles and responsibilities may not be completely clear.
Client Response:
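Questions 2 and 3 above recommend SLA metrics drawn from system-generated information. The following is an added example (not part of the book's questionnaire) of how a client could compute such metrics from an MSSP's own ticket export rather than from the provider's self-reported summary. The ticket field names, the per-severity acknowledgement thresholds in SLA_ACK_MINUTES and the ticket records themselves are all constructed assumptions; a real SLA would define its own thresholds and the export format would come from the MSSP's ticketing system.

```python
"""Compute MSSP service-level metrics from system-generated ticket records.

Added example, not from the book: the ticket format, field names and the
SLA thresholds are assumptions, and the records below are constructed.
"""
from datetime import datetime
from statistics import mean

# Assumed SLA: maximum minutes from detection to MSSP acknowledgement, per severity.
SLA_ACK_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}

# Constructed sample export from an MSSP ticketing system (ISO 8601, UTC).
# "acknowledged" is None when the MSSP has not yet acknowledged the ticket.
TICKETS = [
    {"id": "T-1001", "severity": "critical",
     "detected": "2024-03-01T02:10:00", "acknowledged": "2024-03-01T02:18:00"},
    {"id": "T-1002", "severity": "high",
     "detected": "2024-03-01T09:00:00", "acknowledged": "2024-03-01T10:30:00"},
    {"id": "T-1003", "severity": "medium",
     "detected": "2024-03-02T14:00:00", "acknowledged": "2024-03-02T15:05:00"},
    {"id": "T-1004", "severity": "critical",
     "detected": "2024-03-03T23:50:00", "acknowledged": None},
    {"id": "T-1005", "severity": "low",
     "detected": "2024-03-04T08:00:00", "acknowledged": "2024-03-04T12:00:00"},
]


def time_to_ack(ticket, as_of):
    """Minutes from detection to acknowledgement.

    A still-open ticket is measured up to `as_of`, so an unacknowledged
    ticket keeps accumulating time and is eventually counted as a breach
    instead of silently dropping out of the statistics.
    """
    detected = datetime.fromisoformat(ticket["detected"])
    ack = ticket["acknowledged"]
    end = datetime.fromisoformat(ack) if ack else as_of
    return (end - detected).total_seconds() / 60


def evaluate_sla(tickets, sla, as_of):
    """Return per-severity statistics, breaching ticket ids and overall compliance."""
    per_sev = {}
    breaches = []
    for t in tickets:
        sev = t["severity"]
        if sev not in sla:
            # A severity with no agreed threshold cannot be measured; flag it
            # rather than guessing, since the SLA itself is the gap.
            raise ValueError(f"ticket {t['id']}: severity {sev!r} has no SLA threshold")
        minutes = time_to_ack(t, as_of)
        per_sev.setdefault(sev, []).append(minutes)
        if minutes > sla[sev]:
            breaches.append(t["id"])
    metrics = {
        sev: {
            "count": len(v),
            "mean_minutes": round(mean(v), 1),
            "max_minutes": round(max(v), 1),
            "within_sla": sum(1 for m in v if m <= sla[sev]),
        }
        for sev, v in per_sev.items()
    }
    total = len(tickets)
    compliance = round(100 * (total - len(breaches)) / total, 1) if total else 100.0
    return {"per_severity": metrics, "breaches": breaches, "compliance_pct": compliance}


def sla_report(as_of_iso="2024-03-05T00:00:00"):
    """Evaluate the constructed tickets against the assumed SLA at a fixed instant."""
    return evaluate_sla(TICKETS, SLA_ACK_MINUTES, datetime.fromisoformat(as_of_iso))


if __name__ == "__main__":
    report = sla_report()
    for sev, m in sorted(report["per_severity"].items()):
        print(f"{sev:9s} count={m['count']} mean={m['mean_minutes']}m "
              f"max={m['max_minutes']}m within_sla={m['within_sla']}")
    print("breaches:", ", ".join(report["breaches"]) or "none")
    print(f"compliance: {report['compliance_pct']}%")
```

Because the inputs are timestamps written by the ticketing system rather than figures supplied by the provider, the resulting compliance percentage and breach list are the kind of objective, low-effort metric the guidance describes, and the same report can be re-run each review period to compare the MSSP's performance over time.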
4. Does the contract explicitly define roles and responsibilities for both the MSSP and the client?
Guidance: It is critical that the roles and responsibilities are clearly defined in the contract with the MSSP. Some of the key roles and responsibilities to look for include:
MSSP responsibilities:
• Periodic management reporting that summarizes security events
• Reporting against established metrics
• Updating security infrastructure as necessary
• Communication of security breaches
Customer responsibilities:
• Informing the MSSP of any technical changes to the company’s environment so that security architecture can be reviewed and updated if necessary
• Monitoring the service level agreement
• Communication with outside parties in the event of a security incident
The list above is a starting point and should be modified based on the company and the nature of its relationship with the MSSP.
Risk: The risks related to not establishing clear roles and responsibilities with an MSSP include:
• Confusion may exist over who is responsible for certain tasks, which can lead to the task not being done at all.
• The company might not receive the expected level of service from the MSSP.
Client Response:
5. Has a confidentiality agreement been signed between the company and the MSSP to help ensure the confidentiality of the data to which the MSSP has access?
Guidance: An MSSP is a third party with access to some very sensitive information that can be used to learn about the company’s environment. This knowledge could potentially be used to gain unauthorized access to the company’s IT resources. It is imperative that the MSSP adequately protects this information. In addition, the MSSP is also providing similar services for other customers — some of which may be the company’s competitors. It is essential that the MSSP sign a confidentiality agreement with regard to the company’s data to help ensure its confidentiality.
Risk: Without a confidentiality agreement, the company has less ability to take recourse against an MSSP in the event of a breach of confidentiality of sensitive company information. The confidentiality agreement also helps ensure that the MSSP is taking appropriate security measures to protect the confidentiality of the company’s data.
Client Response: