[ISN] Outsourcing looms for core security

From: InfoSec News (isnat_private)
Date: Mon Feb 25 2002 - 23:15:11 PST

  • Next message: InfoSec News: "[ISN] UK bill would "infringe scientists' freedom""

    Liesbeth evers [21-02-2002] 
    While many network managers are reluctant about outsourcing their
    network security, it is a reality they may soon have to face.
    Neil Barrett, technical director of independent security consultant
    Information Risk Management, believes that there are a number of good
    reasons to outsource security. In his research to collect forensic
    evidence in IT security breaches, he has rarely found crimes linked to
    outsourced network security.
    "Outsourcing security is more intimate than, for instance, outsourcing
    cleaning, but I cannot think of a reason for not doing it," he said.  
    "In fact, there are a number of good reasons that tip the balance in
    favour of outsourcing security."
    The Data Protection Act, for instance, defined a legal responsibility
    for the security of data set handling. Outsourcing security can shift
    this responsibility onto a third party with the expertise to manage
    it. The thing to keep in mind is to verify where processing would take
    place, as the Act says that there needs to be a specific contract for
    overseas data export.
    "But the rule about overseas data handling shouldn't be a stopper for
    outsourcing security," Barrett said. "You just need to set up the
    appropriate legal agreement."
    Another reason for outsourcing security is that third-party contracts
    can be more rigorous about staff checks than network managers tend to
    be themselves.
    "Vetting staff is very important for security," explained Barrett.  
    "But if it's done internally, most don't even bother to check
    Companies tend to have outsourced more of their security than they
    realise. Many use various contractors to deliver expertise, proxy
    virus checkers, or VPN links that handle security between intranets.
    "Many who claim they haven't outsourced their security - banks, for
    instance - have effectively outsourced huge chunks of their corporate
    network without realising it," said Barrett. "Security has become so
    complex that nobody can claim to know all its technologies.  
    Outsourcing is a good alternative, but make sure you check the
    outsourcing company you plan to deal with to ensure it has a good
    John Cheney, managing director of managed security company Activis,
    argued that the need to maintain vigilance around the clock was a
    strong drag on stretched budgets.
    In the short term, outsourcing security could reduce costs by
    eliminating network security staffing problems. In the long term,
    Cheney argued, it could add value by releasing IT resources to focus
    on core business activities.
    "The benefits from outsourcing security can only be realised if the
    process of selecting providers is guided by sound principles," Cheney
    warned. He advised network managers to be specific in the questions
    they ask to evaluate the experience of security providers.
    Questions to raise with a security provider
    * How long has it been in business? 
    * What kind of customers does it have? 
    * Has it got reference sites? 
    * Does it use contractors?
    Service Level Agreement
    * What is the response time to incidents? 
    * Is there a firewall uptime guarantee? 
    * Are there performance tracking and reports systems? 
    * Are there penalties for poor performance?
    Round-the-clock service
    * Is there a call-out rota or are centres actually manned 
      24 hours a day?
    * Staff accreditation: Is there rigorous vetting? 
    * How many employees are accredited in the applied technology?
    * Is it scalable?
    * Does it provide continuity and integration? 
    * Does it rely on internet connectivity? 
    * Service Portfolio: Does it cover immediate needs? 
      Development process? 
    * Does it have accreditation?
    * What is its long-term viability? 
    * What is its policy on security best practice?
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:36:11 PST