Overseeing Compliance of Security Operations ◾ 167
© 2011 by Taylor & Francis Group, LLC
these performance expectations as part of disaster recovery, including acceptable
down time to allow for service swap from one location to another.
As the last paragraph alludes to, the use of an outside service transfers responsibility from the enterprise to a supplier. To be successful at this, the enterprise needs good Outsourcing Relationship Management (ORM). Outsourcing may include any activity that is not the core expertise of the organization. For example, Small Tools, Inc., likely has a core expertise in the manufacturing of handheld tools. Their expertise is not likely to include information security. Hence, they may outsource to a managed security service provider.
Managed Security Service Providers
With the complexity of technical security coupled with the increase in cyber threats, many companies have opted to outsource security to managed security services providers (MSSPs). MSSPs offer security services that would otherwise be unaffordable to medium and small companies due to cost, or be unattainable due to resource limitations like qualified security personnel. Many companies view security as a core need, if not a core capability, and hesitate to turn over so much control to a vendor. However, the economies of scale make the cost of using an MSSP very attractive, and the proliferation and sophistication of attackers require highly specialized personnel, infrastructure, and procedures.
As competent and as trusted as the MSSP may be, good business practice dictates that no company yields complete control of its networks to another organization. There is still a need to maintain in-house expertise to ensure that the organization's interests are accurately conveyed to the MSSP and that the MSSP acts accordingly to protect those interests. In-house efforts are still necessary to produce security policies that govern MSSP activities and performance.
Develop confidentiality agreements with the MSSP. The MSSP will have intimate knowledge of your operations and confidential information. Moreover, your organization should develop incident response policies and procedures that influence the specifics of the MSSP business agreement. This is still your network and your responsibility. Operations, monitoring, detection, notification, and resolution may be outsourced, but the security responsibility is only shared, not abdicated.
The Cumulus Assessment Module (CAM) assists with the evaluation of SLA fulfillment, i.e., it verifies that the MSSP lives up to the performance agreements with your organization. Figure 3.2 shows the CAM architecture with inputs of SLA details, data distribution parameters, and statistical probe measurements, as well as output of Cumulus Point (CP) balance over time. Every service will have measurable, quantitative properties such as amount of resource usage, number of resource accesses, and the length of time it may be used; these quantitative properties are known as parameters. The service agreement specifies expected performance
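The CAM paragraph above names the module's inputs (SLA details and probe measurements) and its output (a CP balance over time) but not the accounting rule that links them. The following script is an added illustration, not the book's CAM nor any vendor's code: it models one SLA parameter as a threshold, feeds it a constructed series of probe measurements, and tracks a running balance. The scoring rule (one point credited per probe that meets the threshold, one debited per miss), the parameter name `alert_triage_minutes`, and the sample values are all assumptions made for the example.

```python
"""Toy SLA-fulfillment tracker in the spirit of the CAM described in the text.

Assumed, not taken from the book: one Cumulus Point is credited for every probe
measurement that meets the SLA threshold and one is debited for every miss.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SlaParameter:
    """One measurable property of the outsourced service and its agreed limit."""
    name: str               # hypothetical parameter name, e.g. "alert_triage_minutes"
    limit: float            # threshold written into the SLA
    higher_is_better: bool  # True for availability-style metrics, False for latency-style

    def met(self, value: float) -> bool:
        """Return True when a single probe measurement satisfies the SLA."""
        return value >= self.limit if self.higher_is_better else value <= self.limit


def cp_balance_over_time(param: SlaParameter,
                         probes: List[Tuple[int, float]],
                         credit: int = 1, debit: int = 1) -> List[Tuple[int, int]]:
    """Return the running (timestamp, balance) after each probe, in time order.

    Probes are (timestamp, measured_value) pairs; they are sorted first so that
    measurements delivered out of order do not distort the series.
    """
    balance = 0
    series: List[Tuple[int, int]] = []
    for ts, value in sorted(probes):
        balance += credit if param.met(value) else -debit
        series.append((ts, balance))
    return series


def summarize(param: SlaParameter, probes: List[Tuple[int, float]]) -> Dict[str, object]:
    """Aggregate the probes into the figures an oversight reviewer would look at."""
    if not probes:
        raise ValueError("no probe measurements supplied")
    values = [v for _, v in probes]
    met = sum(1 for v in values if param.met(v))
    return {
        "parameter": param.name,
        "probes": len(values),
        "met": met,
        "fulfillment_ratio": met / len(values),
        "mean_value": mean(values),
        "final_balance": cp_balance_over_time(param, probes)[-1][1],
    }


# Constructed sample data: a hypothetical SLA clause saying the MSSP triages each
# alert within 15 minutes, and six probe measurements of observed triage time.
TRIAGE_SLA = SlaParameter("alert_triage_minutes", limit=15.0, higher_is_better=False)
SAMPLE_PROBES = [(1, 9.0), (2, 12.5), (3, 22.0), (4, 14.0), (5, 31.0), (6, 8.0)]

if __name__ == "__main__":
    for ts, bal in cp_balance_over_time(TRIAGE_SLA, SAMPLE_PROBES):
        print(f"t={ts}: CP balance {bal}")
    print(summarize(TRIAGE_SLA, SAMPLE_PROBES))
```

A real assessment module would draw the threshold and the credit/debit weights from the SLA document and the data-distribution parameters the figure mentions; here they are fixed constants so the balance arithmetic is easy to follow.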