Cyber Security Institute

Monday, July 03, 2006

Outsourcing Managed Security

Many companies are turning to outside experts for help in dealing with the risks involved in handling confidential information.  Hacking incidents, data lost in transit, data transmitted or stored in ways that violate company policy, and exposure to money laundering form a witches’ brew of vulnerabilities that can easily lead to millions of dollars in losses from lawsuits, regulatory actions, and damaged reputations.  It’s no wonder, then, that providers of managed security services are offering to relieve the burden of protecting sensitive data.  They take over the management and monitoring of security devices and events, and promise a rapid response to real threats.  Obtaining security services from an outsourcer demands an understanding of what such services are, as well as a willingness to subject the company’s security policies, technology, and standards to objective scrutiny by a third party.

“This type of protection doesn’t come easy or cheap,” says Nick Sharma, global head of infrastructure management services at Satyam Computer Services, which provides hosted services from a data center in Chennai, India, and other sites such as Cleveland.

Providing this kind of protection requires several types of experts: those who can understand and interpret the security aspects of regulations such as Sarbanes-Oxley, as well as those skilled at engineering a secure network, making threat assessments, and developing business-continuity plans.

As the threat of computer-initiated attacks increases and as regulators pressure financial institutions to shore up their information assets, banks are turning toward outsourcing their information-security functions to third parties.

In a managed security deal, the organization shares information-security and business risks with the managed services provider.  Such deals provide access to a range of security services and to skilled staff whose full-time job is security.  The cost of managed security services is typically less than hiring in-house, full-time security experts.  For example, a managed security provider can set up and monitor security on a 250-user network behind a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware.

When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership.  Establishing a good working relationship and building trust between client and service provider are critical in deciding whether to outsource security services.  The shared operational environment that many providers use to support multiple clients poses more risk than an in-house environment: one client’s data and alerts sit alongside another’s, and a compromise of the provider affects every client at once.  Service-level agreement guidelines fall into two categories: service-specific agreements, which define what is monitored and how quickly the provider must respond, and operational security practice agreements, which define how the provider secures its own environment and staff.

Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones, or from one provider to another.

Finally, there should be guidelines for terminating the relationship with a service provider, whether at the end of a contract or at some earlier point, including the return or destruction of the client’s data and the handover of monitoring and device management.
