Sidebar: More Tips for Selecting a Managed Security Service Provider

Computerworld - Here are additional suggestions for protecting your interests if you decide to outsource security functions:

• Enterprises should evaluate their service provider on its experience, breadth and depth of offerings, reputation, network reach, global footprint and ability to provide an end-to-end solution that secures the entire infrastructure. Ask about the credentials of their staff and their experience securing critical infrastructure. Make sure they have the capability to implement a comprehensive security program that would enable strong threat protection utilizing a variety of methods, such as intrusion detection, authentication and 24/7 monitoring and management. -- Bob Blakley, manager of security services, MCI (WorldCom Inc.), Ashburn, Va.


• Ask a lot of questions to find out if the service provider is truly serious about security. For example, what sources of security advisories does it monitor, and how fast does it promise to respond to announced vulnerabilities? Ask for copies of third-party evaluations and audits of the provider's security posture and products and see if they measure up. Find out just exactly who will be accessing the security appliance (and consequently your network). -- Ryan Moon, security engineer, Aventail Corp., Seattle


• Make sure you understand the liability the service provider is assuming. Make sure you understand what your ability is to audit the provider, and write the contract so that you are granted the right to do an audit -- with little or no advance notice -- within the first few months of the deal. -- Rich Salz, chief security architect, DataPower Technology Inc., Cambridge, Mass.


• Make sure your outsourcer is schooled in the art of layered security (or defense in depth) to protect critical assets, and compartmentalize successful attacks to prevent them from spreading throughout the network. -- Dave Roberts, co-founder, Inkra Networks Corp., Fremont, Calif.


• Global reach of the provider is important for multinationals. For example, if a company opens an office in Japan, there are many security factors to assess, including a security policy for far-flung offices as well as the local regulatory environment. Always ask how the provider supports global deployment, especially in regions such as Asia-Pacific, the Middle East and Africa. -- Bob Blakley, MCI


• Make sure the managed security service provider (MSSP) can modify its processes to fit your business needs. Not all companies follow the exact same processes. -- A large multinational customer of NetSec Inc., Herndon, Va.


• Ensure that there is a clear and tangible ROI in addition to meeting corporate security requirements. Adding cost to increase security is much harder to justify. Outsource the security headaches to free up IT resources for more strategic tasks. For example, spam is a global problem that is best handled by an MSSP with a distributed network. The ancillary benefits of having an expert filter corporate e-mail include protection from mail bombs, "dictionary harvest attacks" and viruses, as well as lessening the load on e-mail servers, network bandwidth and storage. -- Grant Johnson, vice president, FrontBridge Technologies Inc., Marina del Rey, Calif.


• Check into the quality of the reporting. A reputable MSSP will report back on all e-security-related issues and will assist in establishing information security strategies for the organization. Comprehensive reports should provide details about all detected vulnerabilities and threats and establish priorities according to urgency of action. There should also be real-time reporting of any significant vulnerabilities or weaknesses requiring immediate action. -- Julie Lancaster, director of marketing, Visualware Inc., Turlock, Calif.


• Look at security as a framework -- not a hodgepodge of security products. There is no single security product or service that can combat all potential security threats. Many security providers focus on a specific type of security protection, which often doesn't adequately address the entire picture. -- Bob Blakley, MCI


• Have a clear exit strategy. Entering into an agreement with an MSSP is much like getting married, so you need to plan for the "divorce" in case it doesn't work out. You need to develop an exit clause, both throughout the term of the contract and, more important, at the end of the contract, if you are considering moving to another vendor. -- A large multinational customer of NetSec