Information Security News mailing list archives

Outsourcing looms for core security


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Feb 2002 01:15:11 -0600 (CST)

http://www.networknews.co.uk/Analysis/1129412

Liesbeth Evers [21-02-2002]

While many network managers are reluctant about outsourcing their
network security, it is a reality they may soon have to face.

Neil Barrett, technical director of independent security consultant
Information Risk Management, believes that there are a number of good
reasons to outsource security. In his research to collect forensic
evidence in IT security breaches, he has rarely found crimes linked to
outsourced network security.

"Outsourcing security is more intimate than, for instance, outsourcing
cleaning, but I cannot think of a reason for not doing it," he said.  
"In fact, there are a number of good reasons that tip the balance in
favour of outsourcing security."

The Data Protection Act, for instance, defined a legal responsibility
for the security of data set handling. Outsourcing security can shift
this responsibility onto a third party with the expertise to manage
it. The thing to keep in mind is to verify where processing would take
place, as the Act says that there needs to be a specific contract for
overseas data export.

"But the rule about overseas data handling shouldn't be a stopper for
outsourcing security," Barrett said. "You just need to set up the
appropriate legal agreement."

Another reason for outsourcing security is that third-party contracts
can be more rigorous about staff checks than network managers tend to
be themselves.

"Vetting staff is very important for security," explained Barrett.  
"But if it's done internally, most don't even bother to check
references."

Companies tend to have outsourced more of their security than they
realise. Many use various contractors to deliver expertise, proxy
virus checkers, or VPN links that handle security between intranets.

"Many who claim they haven't outsourced their security - banks, for
instance - have effectively outsourced huge chunks of their corporate
network without realising it," said Barrett. "Security has become so
complex that nobody can claim to know all its technologies.  
Outsourcing is a good alternative, but make sure you check the
outsourcing company you plan to deal with to ensure it has a good
reputation."

John Cheney, managing director of managed security company Activis,
argued that the need to maintain vigilance around the clock was a
strong drag on stretched budgets.

In the short term, outsourcing security could reduce costs by
eliminating network security staffing problems. In the long term,
Cheney argued, it could add value by releasing IT resources to focus
on core business activities.

"The benefits from outsourcing security can only be realised if the
process of selecting providers is guided by sound principles," Cheney
warned. He advised network managers to be specific in the questions
they ask to evaluate the experience of security providers.


Questions to raise with a security provider

Experience

* How long has it been in business? 
* What kind of customers does it have? 
* Has it got reference sites? 
* Does it use contractors?

Service Level Agreement

* What is the response time to incidents? 
* Is there a firewall uptime guarantee? 
* Are there performance tracking and reports systems? 
* Are there penalties for poor performance?

Round-the-clock service

* Is there a call-out rota or are centres actually manned 
  24 hours a day?

* Staff accreditation: Is there rigorous vetting? 
* How many employees are accredited in the applied technology?

Infrastructure

* Is it scalable?
* Does it provide continuity and integration? 
* Does it rely on internet connectivity? 
* Service Portfolio: Does it cover immediate needs? 
  Development process? 

* Does it have accreditation?
* What is its long-term viability? 
* What is its policy on security best practice?



-
ISN is currently hosted by Attrition.org
