So what specific security functions should a midsized company consider for outsourcing?
Third-party infrastructure security assessments. These are the most important activities and include vulnerability assessments; war dialing; scanning your perimeter; scanning your internal network, servers and desktops; and reviewing your policies and procedures. In some cases, a third party can certify that your firm meets predetermined standards. Programs such as SysTrust and WebTrust provide this kind of certification.
While the cost of certification depends on factors such as the number and size of your IT facilities, you can expect to pay in the low six figures, with slightly lower ongoing costs to maintain certification. These certifications are reassuring for online customers, business partners and corporate customers. Employing a full-time, specialized staffer for this work is often impractical.
Application security reviews. These functions usually require outside knowledge, and it's difficult to find staff to manage them. Such reviews focus on your most critical computer programs, particularly customer-facing, Web-based ones. Midmarket companies often build proprietary applications, modify commercial products or install off-the-shelf software. Each must be tested thoroughly and regularly.
Due diligence activities. Third-party assistance is also advised when your company is engaged in a due diligence exercise requested by a service provider. Due diligence covers everything from the provider's financial health to the resilience of its technology infrastructure and physical security. Smaller companies frequently lack the internal expertise for such reviews, so bringing in a qualified consultant is worth the cost. Counting internal resources, consultants and travel, one can expect to spend between $10,000 for a local vendor and $50,000 for a distant vendor with several facilities.
Development and enforcement of information security policy. Outside expertise is valuable in information security policy, which is so specialized that even your internal legal counsel may not be qualified to judge it. The Web offers sample security policies, but it's important to have expert opinion on whether the policy addresses all relevant laws and regulations.
Management of security devices. Finally, the management of firewalls and intrusion detection and prevention systems is often targeted for outsourcing, especially where round-the-clock surveillance is necessary. Since these service providers guard the gates to your enterprise, check their references, and retain internal expertise to keep a watchful eye on the outsourcer. Staff your oversight function with people knowledgeable enough to respond to an outsourcer's alerts.
C. Warren Axelrod is a security officer at a midsized subsidiary of a major financial institution and the author of Outsourcing Information Security. Write to him at Podium@ciodecisions.com.
This was first published in February 2006