Avoid trouble - ask the right questions first

Bob McKee

This tip is excerpted from an online event on the searchsecurity Web site. Bob McKee is vice president, advisory services, senior advisor and managing director, for Technology Risk Advisors.

Q: What are the basic security questions that need to be asked in the initial stages of evaluating a service provider?
A: How does the provider address: secure connectivity (VPNs, encryption of data), perimeter security (firewalls, access control lists), activity monitoring (intrusion detection, log management), security scanning (server scans for vulnerabilities), identification and authentication of users (server certificates, extended authentication techniques, remote access authentication), access control (authorization) and security management (policy, standards).

Q: What are some of the security services that an outsourcer can provide?
A: Managing firewalls and VPNs, performing vulnerability analyses, intrusion detection, anti-virus software installation and definitions, and designing, implementing and/or managing a security architecture.

Q: Who are some of the providers of security services?
A: In addition to well-known providers such as the "Big 5," IBM Global Services, EDS and CSC, there is a growing list of providers who emphasize security services including: ISS (Internet Security Systems), Counterpane Internet Security, RIPTECH, Foundstone, OneSecure, Guardent, Exodus and RedSiren.

Q: As part of the security "due diligence" process, what other steps should a company take before signing a contract with a service provider?
A:

  1. Assign responsibility for security coordination to a senior person in your organization. Remember, your organization is still responsible for the protection of your information assets. Primary accountability for this cannot be delegated to the service provider.
  2. Clearly define the security responsibilities of the provider.
  3. Establish clear communication mechanisms. If an incident occurs you will need to know about it immediately.
  4. Make security a major part of your service level agreement (SLA) with the provider.
  5. Does the provider participate in industry groups such as the ASP Consortium or the ISP DDoS Working Group? The ISP DDoS Working Group is made up of technology companies looking at methods to address the growing problem of distributed denial-of-service (DDoS) attacks, which can shut down the provider and disrupt service by flooding the provider with bogus messages which overwhelm their servers.

Q: What are the security components of the SLA that exist in the contract with the service provider?
A: What is your system availability standard? What is your problem resolution standard? Describe how your business contingency/disaster recovery program works. Specify the actions the SP will take in the event of a security incident (a warning only or an attempt to address the issue). Understand the actions taken by the SP to guard against denial-of-service attacks (e.g., filtering out DoS traffic).

Q: Should client references be asked for and checked out?
A: Always. It is important that these references are managed service clients and not just professional services (consulting) clients. Many vendors provide both services. Discussing security concerns with professional services clients will not provide you with the information you need to make a good decision on a service provider's approach to security.

Go to searchsecurity.com to read a transcript of the entire online event.


Related Book

The Concise Guide to Enterprise Internetworking and Security
Authors : Joseph F Dries, III and Kyle Cassidy
Publisher : QUE
ISBN/CODE : 0789724200
Cover Type : Soft Cover
Pages : 316
Published : Dec 2000
Summary :
This book provides network professionals with information they need to securely design and maintain efficient, scalable Internet connections. It includes planning solutions, office bandwidth delivery technologies, security practices, hardware considerations and testing.

This was first published in April 2001
