Tips to safely outsource your security functions

* How to safely give away the keys to your kingdom

When making a security outsourcing decision, you not only have to trust that the company can competently do the work, you also have to trust the company itself. After all, you are handing them the keys to the kingdom.

A recent survey by the Computer Security Institute and the FBI found that security functions are increasingly being outsourced. The bigger the company, the more security functions are being outsourced.

Companies with an average revenue of less than $10 million outsourced 8% of their security functions overseas this year, compared with 4% last year. Midsize companies of $100 million to $1 billion in revenue also nearly doubled the work they sent offshore, from 7% last year to 13% this year. Large corporations with more than $1 billion saw the biggest increase in outsourcing, sending 15% of their security functions offshore, up from 9% last year.

The kinds of security functions you might look to outsource include:

* Third-party infrastructure security assessments. These activities are important and include vulnerability assessments, war dialing (using a modem to dial every telephone number in a local area to find out where computers are reachable, then attempting to access them by guessing passwords), perimeter scanning, scanning the internal network including servers and desktops, and reviewing policies and procedures. Such reviews can include certification to standards.

* Management of security devices. The management of firewalls and intrusion detection and prevention systems, especially where round-the-clock monitoring is necessary.

* Application security reviews. These focus on customer-facing Web-based applications and other critical programs.

* Development and enforcement of information security policy. Outside expertise is valuable in establishing information security policy.

* Due diligence activities. Third-party assistance may be helpful when evaluating service providers or acquisitions.

Not everyone agrees with outsourcing security functions. See this anonymously written column from CSO online for a discussion of the worries and frustrations one chief security officer faced with an impending outsourcing of all security functions. There are also several good posts following the column. While a bit emotional and clearly critical of the finance department for forcing the outsourcing decision for ROI reasons, it raises significant intangible or hard-to-quantify issues. These are things to think about for anyone in the process of making a security outsourcing decision.

Also, keep the following in mind when contemplating security outsourcing:

* Start by outsourcing the tactical and temporary tasks.

* Review all terms and conditions as well as service-level agreements. Try to avoid long-term contracts.

* Avoid conflicts of interest when signing up with service providers. For instance, don't let firewall services be handled by the same vendor that provides intrusion-monitoring services. Use separate vendors for vulnerability analysis and penetration testing.

* Work through issues in a logical order. Before hiring consultants for vulnerability testing, be sure to take obvious steps such as patching software, ensuring strong passwords and closing open ports. Then hire a vulnerability assessment service to find out if anything has been missed.

* Check the vendor. Ask for references, and make sure the company has a specific understanding and knowledge of your business.

* Security functions that involve the protection of strategic assets should be kept in-house or, if outsourced, handled with additional care in the contracting and vendor due diligence phases.

* Retain sufficient internal staff to participate in policy determination and to manage the outsourcer(s). This also ensures that internal resources more closely connected to the business remain knowledgeable and available to react to alerts and issues raised by the outsourcer.


Copyright © 2006 IDG Communications, Inc.