This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
Ironing Out the Details
In the outsourced VM services world, the phrase "vulnerability assessment" usually means scanning a network of target devices for current patch levels and configurations, and matching this information against technical security policy requirements and known vulnerabilities.
The question that often arises from customers is whether the vulnerability assessment offered as part of a VM service is the same kind of large-scale vulnerability assessment offered by consulting firms and even some VM outsourcers. The answer is, "No, not really."
VA, as part of VM, is tightly focused on automated scanning and information gathering from target devices. A full-blown security and vulnerability assessment usually includes a people, process and technology review of security and vulnerability in an enterprise. A large-scale security and vulnerability assessment project can include a number of moving parts:
Any company that is considering outsourcing vulnerability management needs to take a long, hard look at accountability issues. The bottom line is that accountability cannot be outsourced. This places additional management and monitoring responsibility on the company that has contracted with an outsourcer. If a critical accounting server goes down in the last quarter of the year, your IT department will be accountable even if the server went down because of an error by the VM outsourcer. Simply put, any information that is lost and any downtime that is suffered will be your IT department's responsibility.
Cyber-insurance may defray the cost of losses due to internal or outsourcer errors. Think through what kind of data the outsourcer will be holding, and whether you trust the outsourcer to hold it. The scan results themselves are a record of which of your servers lack the latest patches; does that record constitute a risk to your organization? It could be used by an attacker to know where to strike, or by a lawyer to prove lack of diligence.
Also, you need to examine the level of communication that you expect between your IT team and the outsourcer. Designating a key liaison on each team, and having the two work together, increases the chance that communication succeeds. Hold weekly status calls to go over any outstanding issues. The communication plan should extend to escalation and disaster procedures: When and why should the outsourcer start paging internal administrators? What constitutes an emergency? What escalation path at your organization should the outsourcer follow to get resolution?
Once your questions have been addressed, get everything in writing before contracting the service. Clear, concise, enforceable service level agreements (SLAs) go a long way toward keeping the relationship productive. It also helps to have a clause in the SLA regarding remuneration should the outsourcer fail to keep to the terms of the agreement. Although accountability can't be transferred, part of the cost of a failure can be passed back to the outsourcer in the event of a security incident.
This was first published in August 2006