“This type of protection doesn’t come easy or cheap,” says Nick Sharma, global head of infrastructure management services at Satyam Computer Services, which provides hosted services from a data center in Chennai, India, and other sites such as Cleveland.
This requires different types of experts: those who can understand and interpret the security aspects of regulations such as Sarbanes-Oxley, as well as those skilled at engineering a secure network, making threat assessments, and developing business-continuity plans.
As the threat of computer-initiated attacks increases and as regulators pressure financial institutions to shore up their information assets, banks are turning toward outsourcing their information-security functions to third parties.
In a managed security deal, the organization shares information security and business risks with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security. The cost of managed security services is typically less than hiring in-house, full-time security experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware.
When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider are critical in deciding whether to outsource security services. The shared operational environment used by many service providers to support multiple clients poses more risks than an in-house environment. Service-level agreement guidelines fall into two categories: service-specific agreements and operational security practice agreements.
Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones or from one provider to another.
Finally, there are guidelines to consider when terminating a relationship with a service provider, whether at the end of a contract or at some earlier point.
http://www.informationweek.com/story/showArticle.jhtml?articleID=189800154