Assess security vendor performance using FIPS standards
Takeaway: While outsourcing continues to be a hotly debated topic in the IT industry, this practice can offer several benefits. But to make sure you're getting the most bang for your buck, you've got to find a way to properly evaluate vendor performance. In this edition of Security Solutions, Mike Mullins recommends using the FIPS government standards and details what these requirements include.
Many organizations have outsourced all or part of their security to a third-party contractor. While outsourcing continues to be a hotly debated topic in the IT industry, this practice can offer several benefits. One such advantage is security vendors' exceptionally well-trained and experienced staff, which means your company doesn't have to incur the costs of building and maintaining information security skill sets.
However, while outsourcing contracts are generally specific about duties and responsibilities, they're much more vague when it comes to measuring success. Regardless of whether your security vendor receives incentives for service performance, your company needs to be able to quantify its efforts and determine if it's getting the best bang for its buck.
If you're having a hard time coming up with a list of areas to use for judging vendor performance, I suggest looking to U.S. government standards. Although they tend to be lengthy, they do provide measurable areas for your organization to use when writing and reviewing service-level agreements (SLAs).
One of the most widely used federal standards is the Federal Information Processing Standards (FIPS) Publication 200. This document specifies minimum security requirements that your company can use to judge performance in a wide variety of security functions.
The publication details 17 specific security-related areas that encompass an information security program. Depending on the scope of your security vendor's duties, you can use these areas to better judge vendor performance. Let's take a closer look.
- Access control—limiting information system access to authorized users
- Audit and accountability—creating, protecting, and retaining information system audit records
- Awareness and training—ensuring users are aware of security risks, and properly educating personnel assigned security-related duties
- Certification, accreditation, and security assessments—assessing, implementing, and monitoring security controls
- Configuration management—establishing baseline configurations, and maintaining security configurations
- Contingency planning—establishing and implementing plans for emergency response
- Identification and authentication—identifying and validating the identities of users and devices that operate on the network
- Incident response—establishing and maintaining incident handling, documenting, and reporting capabilities
- Maintenance—conducting periodic maintenance and upgrades on information security systems
- Media protection—safeguarding system information (both paper and digital), and sanitizing systems before disposal or reuse
- Personnel security—ensuring personnel meet established security criteria and comply with security policies and procedures
- Physical and environmental protection—limiting physical access to information systems to authorized personnel, and protecting information security systems from environmental hazards
- Planning—developing, documenting, and updating security plans
- Risk assessment—conducting regular assessments of security risks to the organization's information systems
- System and services acquisition—maintaining life cycle replacements, and ensuring protection from outsourced equipment, applications, and services
- System and communications protection—monitoring communications at key boundaries, and using security best practices
- System and information integrity—identifying, reporting, and correcting system flaws, as well as protecting against malicious code and monitoring alerts and advisories
Final thoughts
There's nothing wrong with outsourcing your security—leveraging the knowledge base and capabilities of a security vendor is a smart way to do business. But it's important to make sure you're getting the performance your organization needs by holding the vendor to quantifiable standards. If they don't perform, find another—you have plenty of options.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.