Managed Security Services Buying Tips
Users, analysts and experts share insights into how to successfully scope, fund and procure Managed Security Services (MSS). Includes MSS RFP guidance, feature checklists and buying tips.
| Outsourcing: Security Governance Framework for IT Managed Service Provision |
| A detailed look at the components of a Managed Security Services provider relationship, including extensive guidance on terms and relationship structure. From the Resource: "[This report] provides a framework for managing information security throughout the contract lifecycle and also contains a number of illustrative contractual clauses that organisations may wish to refer to when drafting IT outsourcing contractual requirements." |
| Centre for the Protection of National Infrastructure |
| Evaluating MSSP Security before Taking the Plunge |
| Items to address in a Managed Security Services service level agreement: 1) Response time in the event of a security incident. You'll need to spell out exactly how quickly you'd like to be notified and provide details on the various scenarios that trigger an alert. 2) Timeliness of signature updates, software upgrades, security patches and related maintenance. The easiest course of action here is to take your own internal standards and apply them to the MSSP as well. 3) Access rights on security and other devices provided to both the MSSP and your organization's staff. You probably want to guarantee the MSSP will always allow you administrative access to the systems they manage. This provides a sense of security in the event the MSSP goes belly-up. 4) Personnel security controls implemented by the MSSP. Again, consider applying the standards that you use in your own organization here as well. If you conduct criminal history checks and credit checks for your own employees, insist that the MSSP follow a similar policy for the people that will be working on your account. 5) Frequency and nature of service reviews. At a minimum, plan to get together with the MSSP on an annual basis to review what's working well and what can be an opportunity for improvement. |
| Mike Chapple, SearchSecurity.com |