Regardless of specific level of service required, there are some key issues to consider when examining managed security arrangements. The most important aspect of choosing a managed security service provider (MSSP) is to understand the services they offer and how they well the meet your organization's security policy requirements. You must first develop your organization's risk assessment and security policy, before you can select a suitable MSSP.
The service-level agreement with an MSSP should specify coverage and protection levels, response times, and reports, but also outline the repercussions for poor performance or losses related to security failures. Since you're entrusting some of your most precious data to a third party, it's important to sign non-disclosure and confidentiality agreements to ensure data protection and safekeeping. It's also important to understand how your own confidential or sensitive information will be handled, given that the provider will probably be sharing resources and services with its other customers. You must, of course, review any references or third-party reports and evaluations of your MSSP, and check the provider's financial status.
MSSPs have different styles, and the styles often vary depending on how an MSSP has arrived in the business. Some are traditional ISPs or telecommunications companies offering security services as an additional service to their core businesses. Even some of the big consulting firms offer managed security services. With that in mind, below is a list of services you can expect from a decent MSSP:
- Content filtering, antivirus and spyware/adware protection;
- Network boundary protection, including firewalls, intrusion detection/prevention;
- VPNs for secure remote access;
- Penetration testing and vulnerability assessment;
- Assessments of security risks or threats;
- Security monitoring and reporting services;
- Data backup and restoration as needed;
- Installation, patch management and maintenance services;
- Incident management, including emergency response and post-incident analysis and reports.
It is important to weigh the cost of a security breach against the cost of any service you're considering, and in most cases, small to medium-sized organizations will see the most benefit from outsourcing. Resilient network security requires round-the-clock staffing, so outsourcing saves an organization from having to develop the necessary capabilities in-house. For more information on outsourcing, download this Outsourcing Managed Security Services guide from the CERT Coordination Center.
This was first published in October 2006