Security Management Strategies for the CIOBy Linda Christie Managed service providers (MSPs) offer expertise, trained personnel and cost-effective solutions that allow IT departments to focus their resources on core business initiatives. However, many companies are simply afraid to outsource the management of their information assets. "Utilizing the services of an MSP does not mean you have to compromise security," said Allen Vance, director of Offer Development in the Managed Security Services business unit of
Requires Free Membership to View
Internet Security
Systems (ISS), a leading provider of security management solutions
for the Internet. "To minimize security risks as well as ease the
concerns of shareholders, you can request a security audit be
conducted by a trusted security auditor, just like you would request
a financial audit from a reputable accounting firm."
In addition to interviews and walk-though inspections, security
auditors employ a number of automated tools that can detect network
security problems as well as recommend fixes. A vulnerability scan,
for example, checks firewall configurations, password strength and
operating system configuration, as well as looks for unknown or
unauthorized devices attached to the network, remote control
applications and signs of intruder infiltration, including sniffer
and back-door programs. A report rates each vulnerability low,
medium, or high risk and suggests fixes.
"The audit should include both external and internal assessments,"
Vance said. "The external assessment looks at the network perimeter
-- firewall, router, Web servers, etc. -- from the hacker's eye view
via the Internet. The vulnerability scan is performed internally,
behind the firewall. In addition, you may want to request a
penetration test - with the MSP's permission. During a penetration
test, security experts literally try to hack into the network and
take information to prove they got there."
After the service provider implements needed remedies, Vance
recommends another scan be performed. "The MSP may not allow you to
see the detailed security report because it may contain proprietary
security information. However, you can request a security risk
analysis report from the independent auditor. Depending on the level
of security needed, some companies require vulnerability assessments
on a monthly basis."
About the authorLinda Christie is a contributing editor based out of Tulsa, Okla. Related book Information Security Management Handbook, Fourth Edition, Volume Two
Author : Harold F. Tipton
Publisher : CRC Press
ISBN/CODE : 0849308003
Cover Type : Hard Cover
Pages : 640
Published : Oct. 2000
Summary:
The runaway growth of computer viruses and worms and the ongoing nuisance posed by malicious hackers and employees who exploit the security vulnerabilities of open network protocols make the tightness of an organization's security system an issue of prime importance. And information systems technology is advancing at a frenetic pace. Against this background, the challenges facing information security professionals are increasing rapidly. Information Security Management Handbook, Fourth Edition, Volume Two is an essential reference for anyone involved in the security of information systems.
This was first published in May 2001
Join the conversationComment
Share
Comments
Results
Contribute to the conversation