Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."

Download it now to read this article plus other related content.

Vulnerability Assessment

    Requires Free Membership to View

Ironing Out the Details

In the outsourced VM services world, the phrase "vulnerability assessment" usually means scanning a network of target devices for current patch levels and configurations, and matching this information against technical security policy requirements and known vulnerabilities.

The question that often arises from customers is whether the vulnerability assessment offered as part of a VM service is the same kind of large-scale vulnerability assessment offered by consulting firms and even some VM outsourcers. The answer is, "No, not really."

VA, as part of VM, is tightly focused on automated scanning and information gathering from target devices. A full-blown security and vulnerability assessment usually includes a people, process and technology review of security and vulnerability in an enterprise. A large-scale security and vulnerability assessment project can include a number of moving parts:
  • Tiger team penetration testing
  • Process and procedure reviews
  • Interviews with key personnel
  • Documentation reviews
  • Code reviews
  • In-depth assessment of threat models and paths
  • Recovery readiness
Clearly, a vulnerability or security assessment of that level is a much more complicated process than automated scanning of systems. Before contracting with a VM outsourcer, check to see what the company will explicitly provide as part of the vulnerability assessment service. If you need a deeper and more complete VA, it's possible to outsource that, too. Be aware, though, that you may need to contract with a specialized consulting firm (such as one of the Big 4) for this type of detailed assessment work.

--Kelley Damore

Accountability
Any company that is considering outsourcing vulnerability management needs to take a long, hard look at accountability issues. The bottom line is that accountability cannot be outsourced. This places additional management and monitoring responsibility on the company that has contracted with an outsourcer. If a critical accounting server goes down in the last quarter of the year, your IT department will be accountable even if the server went down because of an error by the VM outsourcer. Simply put, any information that is lost and any downtime that is suffered will be your IT department's responsibility.

Cyber-insurance may defray the cost of losses due to internal or outsourcer errors. Think through what kind of data the outsourcer will be holding, and whether you trust the outsourcer to hold this data. If your servers do not have the latest patches, does that constitute a risk to your organization? This vulnerability could be used by an attacker to know where to strike, or by a lawyer to prove lack of diligence.

Also, you need to examine the level of communication that you expect between your IT team and the outsourcer. Defining key liaisons from each team to work together can increase the success of the communication process. Make weekly status calls to go over any outstanding issues. The communication plan should extend to escalation and disaster procedures: When and why should the outsourcer start paging internal administrators? What constitutes an emergency? What is the escalation path at your organization that the outsourcer should take to get resolution?

Once your questions have been addressed, get everything in writing before contracting the service. Clear, concise, enforceable service level agreements (SLAs) can go a long way to keep the relationship productive. It also helps to have a clause in the SLA regarding remuneration should the outsourcer fail to keep to the terms of the agreement. Although accountability can't be transferred, partial cost of failure can be distributed back to the outsourcer in the event of a security incident.

This was first published in August 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: