Service providers invest considerable time in defining the technical details surrounding service-level agreements (SLA) for a managed network security relationship. But SLA best practices demand that you also expend equal -- or even more -- effort in maintaining and strengthening the customer relationship.
More is required than simply alerting the customer of virus attacks and aiding in dealing with them. The service provider must be proactive and alert the customer about network vulnerabilities, such as misconfigured network devices or workstations with antivirus updates turned off. If the customer has installed Web monitoring, the service provider must alert the customer that an employee is visiting off-limits sites even if no virus infiltration has occurred yet.
Here are four steps that can help ensure a successful customer relationship when offering managed network security services.
Step #1: Work together to determine priorities
In many cases, priorities are clear. Any event that disrupts the customer network is high priority, as are software updates from Microsoft and other vendors that address serious vulnerabilities. In other cases, updates may not appear critical but are. For example, an "optional" Microsoft update, which doesn't apply to all Windows systems, may become urgent when it does apply to the customer's systems.
In other cases, priorities are less clear. A software update that appears critical to the customer may appear low priority to the service provider because it addresses a situation that is extremely unlikely. In other cases, the customer may resist addressing a potentially critical issue to avoid downtime during a busy period. In these cases, both customer and service provider must clearly explain their views to reach a mutually agreed resolution.
Step #2: Continue to refine responsibilities
Although the SLA defines each party's responsibilities, no agreement can anticipate and cover all contingencies. In some cases, both service provider and customer share responsibility. For instance: Who is responsible when a customer employee introduces a virus into the network from a home computer? Is it the employee who disregarded security practices or the service provider who didn't detect the virus before it spread through the network?
Service providers should stay informed about new attacks and be prepared to take appropriate actions to protect customers. For example, it is important to verify that customer workstations are configured to accept vendor antivirus updates. Customers must enforce policies and procedures to ensure employees do not shut off updates because their workstation slows down while the update is processed.
In such cases, service providers and customers should meet to discuss and agree on the actions each must take to avoid a recurrence of the problem.
Step #3: Stay current and informed
Security requirements are never static. It is not enough to be familiar with the current data protection standards for credit card numbers and medical records. Service providers must keep abreast of, anticipate and prepare for changes as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are strengthened to address the latest threats.
Staying current on regulations is critical, but not sufficient. Service providers must also stay current with the customer's business and its requirements. The SLA should have made clear the nature of the customer's data, but requirements may change as the customer's business expands either geographically or into new markets. Customers and service providers must continue to communicate to maintain proper protection.
Service providers must be familiar with the regulations and requirements impacting data in the vertical markets they serve. Schools receiving federal funds are subject to the Family Educational Rights and Privacy Act (FERPA), which governs how and to whom student data can be made available. Financial services are subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) and the auditing requirements of Sarbanes-Oxley (SOX).
You must also stay abreast of the specific requirements of the geographies where you and your customers do business. In addition to federal regulations, requirements vary across the U.S. states; Massachusetts and Nevada, for example, require encryption of certain data.
Step #4: Communicate, communicate, communicate
Only constant communication between the customer and the provider can proactively address potential issues before disagreements escalate into major conflicts. Regular scheduled meetings should occur between the designated "point persons" of both organizations to troubleshoot and resolve differences. It is recommended that both service provider and customer work together to issue regular reports that clearly describe problems and lay out a plan for correction.
Ideally, ongoing communication should occur at all levels, including senior executives and support personnel from both organizations. Effective communication today sets the stage for future collaboration, providing both service providers and customers the opportunity for innovation and business growth.
About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.