What is the average cost of an MSSP?

BROWSE BY TAG Application Security,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Do Facebook URL security concerns justify blocking social networks? Is there a way to block iPhone widgets that bypass Web filters? Should enterprises be concerned with Twitter in the workplace? Are there still Google Desktop security problems? Can an IP spoofing tool be used to spam SPF servers? Will an application usage policy best control network bandwidth? How can URL-shortening services be manipulated? Is my security program ready for Web application firewall deployment? How to ensure the security of a shopping cart application When to use the service features of the Metasploit hacking tool Enterprise Risk Management: Metrics and Assessments How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Enterprise Risk Management: Metrics and Assessments Research Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions M86 buys Web security gateway vendor Finjan McAfee survey finds faults in midmarket enterprise security Cisco acquires SaaS security vendor ScanSafe Email archiving vendor sues Gartner over Magic Quadrant Analyst calls Barracuda-Purewire deal proof of cloud dominance Barracuda acquires Purewire expanding Web security reach McAfee, Verizon Business partner to develop cloud security services Security vendors can learn from ConSentry Networks demise Security on a budget: How to make the most of authentication tools 2009 Information Security magazine Readers' Choice Awards

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary snake oil  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Unfortunately, the variety and scale of managed service offerings are so broad that it's impossible to give one figure as an industry average. A bank, for example, that is considering outsourcing security would be looking at a completely different level and scale of service to, say, a small e-commerce enterprise. And, some organizations may want to manage some of their security systems and will not need certain services provided by the outsourced security organization.

Regardless of specific level of service required, there are some key issues to consider when examining managed security arrangements. The most important aspect of choosing a managed security service provider (MSSP) is to understand the services they offer and how they well the meet your organization's security policy requirements. You must first develop your organization's risk assessment and security policy, before you can select a suitable MSSP.

The service-level agreement with an MSSP should specify coverage and protection levels, response times, and reports, but also outline the repercussions for poor performance or losses related to security failures. Since you're entrusting some of your most precious data to a third party, it's important to sign non-disclosure and confidentiality agreements to ensure data protection and safekeeping. It's also important to understand how your own confidential or sensitive information will be handled, given that the provider will probably be sharing resources and services with its other customers. You must, of course, review any references or third-party reports and evaluations of your MSSP, and check the provider's financial status.

MSSPs have different styles, and the styles often vary depending on how an MSSP has arrived in the business. Some are traditional ISPs or telecommunications companies offering security services as an additional service to their core businesses. Even some of the big consulting firms offer managed security services. With that in mind, below is a list of services you can expect from a decent MSSP:

• Content filtering, antivirus and spyware/adware protection;
• Network boundary protection, including firewalls, intrusion detection/prevention;
• VPNs for secure remote access;
• Penetration testing and vulnerability assessment;
• Assessments of security risks or threats;
• Security monitoring and reporting services;
• Data backup and restoration as needed;
• Installation, patch management and maintenance services;
• Incident management, including emergency response and post-incident analysis and reports.

It is important to weigh the cost of a security breach against the cost of any service you're considering, and in most cases, small to medium-sized organizations will see the most benefit from outsourcing. Resilient network security requires round-the-clock staffing, so outsourcing saves an organization from having to develop the necessary capabilities in-house. For more information on outsourcing, download this Outsourcing Managed Security Services guide from the CERT Coordination Center.

More information: