This is part two of the xSP Insider's focus on Managed Security Service Providers. This edition offers advice on
how to effectively negotiate service level guarantees when outsourcing your network security services.
Outsourcing network security -- Negotiating service level guarantees
According to the 2001 Top Ten Technology list published by The American Institute of Certified Public Accountants (AICPA), information security and control ranks as the number one concern in the CPA profession. However, many companies simply cannot afford implementing and maintaining best-in-class network security solutions and 24x7 monitoring. As a result, many companies are turning to Security Service Providers (SSP) to help them assess security vulnerabilities, develop security policies, plan security initiatives, design firewall and VPN implementation, perform 24x7 monitoring, and take care of maintenance and upgrades.
With security being such a critical issue, many companies want providers to sign ironclad service level agreements (SLA) that will guarantee network integrity. However, according to Steve Munroe, chief operating officer for Interliant, a global provider of managed application hosting and professional consulting services, securing a network is a joint effort that depends as much on the company's ability to manage security as it does on the infrastructure.
"If network security policies are nonexistent or ignored, if a former employee's password remains open, or if unauthorized personnel have access to backup tapes or servers, no amount of technology will protect the network from vandalism," Munroe said. "In addition, the very network architecture, itself, may make it more vulnerable to attack."
Munroe said companies can negotiate SSP service level agreements that will increase their level of protection. "Response time can be critical if your network is attacked by hackers or a virus. So, make sure your SLA requires your SSP to dive in and fix these problems immediately. Also document how quickly they will address system errors and ongoing administrative tasks such as making rules base changes."
Upgrades and patches are also vital for preserving network integrity. "If you purchase a virus scanning offering, find out how up-to-date their virus signature files are and what database they're using," Munroe said. "Get them to spell out in the SLA how quickly they will update tables when a new virus hits. Also negotiate time frames for installing security patches for operating systems, managed security devices, and application software."
Purchasing insurance to cover losses caused by security breaches is expensive, and many times impossible. "We don't see insurance companies offering policies unless the network is a certified infrastructure," Munroe said. "However, you can make sure your security service provider is certified. For example, if they've passed an AICPA SAS70 audit, you can be reasonably certain that they have practices, policies and standard operating procedures in place that will allow them to perform as expected."About the author
Linda Christie is a contributing editor based out of Tulsa, Okla.
Related book The complete guide to IT service level agreements: Matching service quality to business needs
By Andrew Hiles
Covering all aspects of service level agreements, this essential manual is a step-by-step guide to designing, negotiating and implementing SLAs into your organization. It reviews the disadvantages and advantages, gives clear guidance on what types are appropriate, how to set up SLAs and control them.