http://www.networknews.co.uk/Analysis/1129412

Liesbeth Evers
[21-02-2002]

While many network managers are reluctant about outsourcing their network security, it is a reality they may soon have to face.

Neil Barrett, technical director of independent security consultant Information Risk Management, believes that there are a number of good reasons to outsource security. In his research to collect forensic evidence in IT security breaches, he has rarely found crimes linked to outsourced network security.

"Outsourcing security is more intimate than, for instance, outsourcing cleaning, but I cannot think of a reason for not doing it," he said. "In fact, there are a number of good reasons that tip the balance in favour of outsourcing security."

The Data Protection Act, for instance, defined a legal responsibility for the security of data set handling. Outsourcing security can shift this responsibility onto a third party with the expertise to manage it. The thing to keep in mind is to verify where processing would take place, as the Act says that there needs to be a specific contract for overseas data export.

"But the rule about overseas data handling shouldn't be a stopper for outsourcing security," Barrett said. "You just need to set up the appropriate legal agreement."

Another reason for outsourcing security is that third-party contracts can be more rigorous about staff checks than network managers tend to be themselves.

"Vetting staff is very important for security," explained Barrett. "But if it's done internally, most don't even bother to check references."

Companies tend to have outsourced more of their security than they realise. Many use various contractors to deliver expertise, proxy virus checkers, or VPN links that handle security between intranets.

"Many who claim they haven't outsourced their security - banks, for instance - have effectively outsourced huge chunks of their corporate network without realising it," said Barrett.

"Security has become so complex that nobody can claim to know all its technologies. Outsourcing is a good alternative, but make sure you check the outsourcing company you plan to deal with to ensure it has a good reputation."

John Cheney, managing director of managed security company Activis, argued that the need to maintain vigilance around the clock was a strong drag on stretched budgets. In the short term, outsourcing security could reduce costs by eliminating network security staffing problems. In the long term, Cheney argued, it could add value by releasing IT resources to focus on core business activities.

"The benefits from outsourcing security can only be realised if the process of selecting providers is guided by sound principles," Cheney warned.

He advised network managers to be specific in the questions they ask to evaluate the experience of security providers.

Questions to raise with a security provider

Experience
* How long has it been in business?
* What kind of customers does it have?
* Has it got reference sites?
* Does it use contractors?

Service Level Agreement
* What is the response time to incidents?
* Is there a firewall uptime guarantee?
* Are there performance tracking and reports systems?
* Are there penalties for poor performance?

Round-the-clock service
* Is there a call-out rota or are centres actually manned 24 hours a day?
* Staff accreditation: Is there rigorous vetting?
* How many employees are accredited in the applied technology?

Infrastructure
* Is it scalable?
* Does it provide continuity and integration?
* Does it rely on internet connectivity?
* Service Portfolio: Does it cover immediate needs? Development process?
* Does it have accreditation?
* What is its long-term viability?
* What is its policy on security best practice?