Tip

How secure is your managed service provider?

How secure is your managed service provider?
By Linda Christie

Managed service providers (MSPs) offer expertise, trained personnel and cost-effective solutions that allow IT departments to focus their resources on core business initiatives. However, many companies are simply afraid to outsource the management of their information assets.

"Utilizing the services of an MSP does not mean you have to compromise security," said Allen Vance, director of Offer Development in the Managed Security Services business unit of

    Requires Free Membership to View

Internet Security Systems (ISS), a leading provider of security management solutions for the Internet. "To minimize security risks as well as ease the concerns of shareholders, you can request a security audit be conducted by a trusted security auditor, just like you would request a financial audit from a reputable accounting firm."

In addition to interviews and walk-though inspections, security auditors employ a number of automated tools that can detect network security problems as well as recommend fixes. A vulnerability scan, for example, checks firewall configurations, password strength and operating system configuration, as well as looks for unknown or unauthorized devices attached to the network, remote control applications and signs of intruder infiltration, including sniffer and back-door programs. A report rates each vulnerability low, medium, or high risk and suggests fixes.

"The audit should include both external and internal assessments," Vance said. "The external assessment looks at the network perimeter -- firewall, router, Web servers, etc. -- from the hacker's eye view via the Internet. The vulnerability scan is performed internally, behind the firewall. In addition, you may want to request a penetration test - with the MSP's permission. During a penetration test, security experts literally try to hack into the network and take information to prove they got there."

After the service provider implements needed remedies, Vance recommends another scan be performed. "The MSP may not allow you to see the detailed security report because it may contain proprietary security information. However, you can request a security risk analysis report from the independent auditor. Depending on the level of security needed, some companies require vulnerability assessments on a monthly basis."

About the author
Linda Christie is a contributing editor based out of Tulsa, Okla.

Related book

Information Security Management Handbook, Fourth Edition, Volume Two
Author : Harold F. Tipton
Publisher : CRC Press
ISBN/CODE : 0849308003
Cover Type : Hard Cover
Pages : 640
Published : Oct. 2000
Summary:
The runaway growth of computer viruses and worms and the ongoing nuisance posed by malicious hackers and employees who exploit the security vulnerabilities of open network protocols make the tightness of an organization's security system an issue of prime importance. And information systems technology is advancing at a frenetic pace. Against this background, the challenges facing information security professionals are increasing rapidly. Information Security Management Handbook, Fourth Edition, Volume Two is an essential reference for anyone involved in the security of information systems.


This was first published in May 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.