Managed Security Services - Part 2: Risks and Best Practices

In deciding whether to retain a managed security service provider, an organization needs to treat the decision as one of risk mitigation and risk sharing, not risk transfer. When weighing the risks, banks and other clients need to consider issues such as trust, dependence, and ownership.

Establishing a good working relationship and building trust between a client and a service provider is critical in deciding whether to outsource security services. Any service provider has access to sensitive client information and to details about the client's security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement, put in place in the early stages of contract negotiations (before any posture or vulnerability details are shared), can help mitigate this risk.

An organization can become operationally dependent on a single service provider. One risk mitigation approach is to outsource to multiple providers, but this comes with additional cost and management oversight responsibilities. An organization also needs to examine the provider's proposal carefully to understand whether the provider uses subcontractors, what those subcontractors do, and how they are overseen, since the same dependence and confidentiality risks extend to them.

A client retains ownership of, and responsibility for, the secure operation of its infrastructure and the protection of its critical assets regardless of the scope of services provided by a service provider. Risk mitigation approaches include making information security the primary responsibility of one or more staff members and managers, and conducting regular user security awareness and training sessions.

The shared operational environment that many service providers use to serve multiple clients poses more risks than an in-house environment. Sharing a data transmission capability (such as a common network) or a processing environment (such as a general-purpose server) across multiple clients increases the likelihood that one client will gain access to the sensitive information of another, whether through misconfiguration, insufficient isolation, or a compromise of the shared platform.

Initiating a managed security services relationship may require a complex transition of people, processes, hardware, software, and other assets from the client to the provider or from one provider to another, all of which may introduce new risks. IT and business environments may require new interfaces, approaches, and expectations for service delivery.

The CERT Coordination Center of Carnegie Mellon University provides a list of best practices for engaging managed security service providers. These practices were developed in collaboration with the BITS IT Service Providers Working Group. They are intended primarily for those responsible for the selection and day-to-day oversight of outsourced managed security services. This may include the chief information officer, chief financial officer, contracting/purchasing manager, information technology manager, chief security officer, and technical staff (system and network administrators).

To knowledgeably select, engage, manage, and terminate MSSP relationships and the services they provide, CERT recommends a three-step approach. It requires implementing security practices in three general areas: engaging a managed security service provider, managing the relationship with an MSS provider, and terminating a managed security service provider relationship.

The first practice in engaging an MSS Provider provides guidance for a Request for Proposal (RFP). The RFP establishes the client’s requirements that need to be addressed in a provider’s proposal. The second practice describes guidelines for evaluating a provider’s proposal beyond those implied by the RFP guidelines. The third practice provides content guidance for a Service Level Agreement (SLA). The SLA is one part of the contract between client and provider. It addresses some of the RFP requirements.

SLA guidelines fall into two categories: service-specific agreements and operational security practice agreements. Service-specific agreements address the characteristics and attributes of the service being provided. Operational security practice agreements address the quality of the operational security environment in which the services execute. This latter set of content guidance (titled Security Practices) does not typically appear in today's SLAs but represents critical content on which client and provider should reach agreement.

Managing the relationship with a service provider includes guidelines for establishing a new provider relationship, transitioning from in-house services to provider-supplied services, and transitioning from one provider to another. The second practice in this area addresses managing the ongoing client/provider relationship.

Finally, there are guidelines to consider using when an organization terminates a relationship with a service provider, whether at the end of a contract or for some other reason.


About the Author

Andrew Miller

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.
