404
A Practical Guide to Security Assessments
electronic and physical attacks have become more sophisticated. As a result, the security measures required to effectively mitigate risks related to these attacks have also become more sophisticated. Security measures include a focus on internal processes as well as the deployment of security technologies. Managing these security technologies and the security function in general can be a full-time task for several people in an organization. Hiring and retaining individuals who possess expertise in security technologies and how they fit into the organization from a business perspective is very difficult. For this reason and others, which are listed below, managed security is becoming popular:
• Attacks occur 24/7 — Attacks do not follow the schedule that regular employees keep. They can occur at any time. Managed security services typically provide 24/7 support or off-hours monitoring as required.
• Cost — The main costs for security, personnel and technology, can be very expensive and hard to justify. One of the reasons that the cost is hard to justify is that the security personnel may not always be busy even though you are paying for all of their time. On the other hand, with a Managed Security Service Provider (MSSP), the business case for outsourcing security from a cost perspective can easily be made.
• Technology — Security, like other technologies, is constantly changing and difficult to keep up with. The evolution of security technologies largely coincides with the evolution of attacks. To ensure good ongoing security, changes in technology must be kept up with. This is another area where an MSSP is in a better position because of its expertise.
For these and other reasons, many companies are turning to MSSPs for their security needs. MSSPs can provide a range of services including (but not limited to) managed firewalls, managed intrusion detection, and managed vulnerability services. Companies should thoroughly evaluate their security requirements to determine what MSSP makes the most sense for them.
Some of the key benefits of using an MSSP include:
• Leveraging the MSSP’s security infrastructure and paying for only a portion of it
• Having security staff with subject matter expertise
• Focusing on the company’s core competencies and letting the MSSP focus on security
These benefits are not guaranteed, however. The MSSP relationship should not be treated as a turnkey relationship. To get the most out of an MSSP relationship, companies must conduct the proper due diligence during the selection process and monitor the relationship throughout the duration of the contract (just as with general IT operations).
This questionnaire, like the others in this book, focuses on processes relating to selecting and using an MSSP and is technology neutral. The questions try to ascertain whether the right mechanisms are in place to ensure success with the MSSP relationship and to determine whether the current MSSP is performing adequately. The
AU1706_book.fm Page 404 Tuesday, August 17, 2004 11:02 AM