    Avoid trouble - ask the right questions first
    Author: searchSecurity
    [ 2004-06-17 18:32 ]


    Bob McKee

    This tip is excerpted from an online event on the searchsecurity Web site. Bob McKee is vice president, advisory services, senior advisor and managing director, for Technology Risk Advisors.


    Q: What are the basic security questions that need to be asked in the initial stages of evaluating a service provider?
    A: How does the provider address: secure connectivity (VPNs, encryption of data), perimeter security (firewalls, access control lists), activity monitoring (intrusion detection, log management), security scanning (server scans for vulnerabilities), identification and authentication of users (server certificates, extended authentication techniques, remote access authentication), access control (authorization) and security management (policy, standards).

    Q: What are some of the security services that an outsourcer can provide?
    A: Managing firewalls and VPNs, performing vulnerability analyses, intrusion detection, anti-virus software installation and definitions, and designing, implementing and/or managing a security architecture.

    Q: Who are some of the providers of security services?
    A: In addition to well-known providers such as the "Big 5," IBM Global Services, EDS and CSC, there is a growing list of providers who emphasize security services including: ISS (Internet Security Systems), Counterpane Internet Security, RIPTECH, Foundstone, OneSecure, Guardent, Exodus and RedSiren.

    Q: As part of the security "due diligence" process, what other steps should a company take before signing a contract with a service provider?
    A:

    1. Assign responsibility for security coordination to a senior person in your organization. Remember, your organization is still responsible for the protection of your information assets. Primary accountability for this cannot be delegated to the service provider.
    2. Clearly define the security responsibilities of the provider.
    3. Establish clear communication mechanisms. If an incident occurs you will need to know about it immediately.
    4. Make security a major part of your service level agreement (SLA) with the provider.
    5. Does the provider participate in industry groups such as the ASP Consortium or the ISP DDoS Working Group? The ISP DDoS Working Group is made up of technology companies looking at methods to address the growing problem of distributed denial-of-service (DDoS) attacks, which can shut down the provider and disrupt service by flooding the provider with bogus messages which overwhelm their servers.

    Q: What are the security components of the SLA that exist in the contract with the service provider?
    A: What is your system availability standard? What is your problem resolution standard? Describe how your business contingency/disaster recovery program works. Specify the actions the SP will take in the event of a security incident (a warning only or an attempt to address the issue). Understand the actions taken by the SP to guard against denial-of-service attacks (e.g., filtering out DoS traffic).

    Q: Should client references be asked for and checked out?
    A: Always. It is important that these references are managed service clients and not just professional services (consulting) clients. Many vendors provide both services. Discussing security concerns with professional services clients will not provide you with the information you need to make a good decision on a service provider's approach to security.


    Go to searchsecurity.com to read a transcript of the entire online event.


    Related Book

    The Concise Guide to Enterprise Internetworking and Security
    Authors: Joseph F. Dries III and Kyle Cassidy
    Publisher: QUE
    ISBN/CODE: 0789724200
    Cover Type: Soft Cover
    Pages: 316
    Published: Dec 2000
    Summary:
    This book provides network professionals with information they need to securely design and maintain efficient, scalable Internet connections. It includes planning solutions, office bandwidth delivery technologies, security practices, hardware considerations and testing.
