kritchanut - Fotolia
Managed network security services promise ongoing revenue to service providers but without adequate preparation, they can become a disaster for service providers and customers alike.
To ensure a successful engagement, it is essential that both the service provider and customer work together in partnership. Define upfront exactly what security services are to be provided. Also determine the proper equipment and procedures to address service requirements.
Before the managed network security services engagement can get underway, follow these seven steps to success.
1. Determine exactly what specific aspects of the customer network the service will cover. For instance, some customers may look simply to outsource email and email security, while others may seek a more comprehensive service.
Typical services may include monitoring the network for intrusions carried via the Web or email. Doing so may require the service provider to keep workstation antivirus software up to date and to monitor the firewall. In any case, it is vital to document in detail all the services to be provided.
2. Determine the value of the data to be protected. Credit card data is extremely valuable and is a constant target for thieves and hackers. Security measures must meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Health records also require extreme security and must meet Health Insurance Portability and Accountability Act (HIPAA) standards.
Both types of data and the relevant standards require specialized training. The PCI DSS and HIPAA standards are constantly updated to meet new threats. Service providers without this specialized knowledge should think twice before engaging customers with either requirement.
3. Assess the customer network relative to your staff capabilities and your organizational infrastructure. What security facilities, both hardware and software, are currently in place? Because there are dozens of network security vendors, it is unrealistic for any service provider to have in-house staff with the expertise to manage each and every vendor product.
If software and/or hardware must be replaced, define the payment structure. Will the service provider install the equipment and factor the cost into the monthly payment, or will the customer purchase the equipment? In any case, create and document a plan for installing the new software and hardware.
4. Review the customer's current access control and data protection processes and policies. Are access controls in place, or can anyone reconfigure the network at any time? How often are passwords changed? Does the customer permit laptops to be taken out of the facility? Do employees log in from home using their own computers? Are employees allowed to carry data into or out of the facility on a memory stick?
If the review identifies that any of these potential security problems have not been adequately addressed, explain the vulnerability to the customer. Work with the customer to create policies that adequately address the problem. Make sure employees understand the policy, the reason for it, and the consequences of failing to adhere to it.
5. Create a procedure for changes to the network. Adding a new switch, a new router or a new link mo>eans increasing the number of devices and interfaces to be monitored. Simply replacing a device with a newer model or upgrading an existing device to a new software revision can impact the parameters to be monitored.
The policy must specify a process that defines how and by whom any proposed change is reviewed, how it is documented, and how the change is communicated to the service provider.
6. Designate a single point of contact for both the service provider and customer. Set up a regular, scheduled meeting between these individuals to review events and issues. Require them to issue a report describing these items and when necessary, a plan to address problems.
7. Create a comprehensive, detailed SLA (service-level agreement) describing the service to be provided and the cost. Define a scale of problem criticality with a definition of each level. Specify the required response time for each level as well as staff roles. When a fix becomes available, who will install it? Will the service provider staff go on site? Who will apply routine security patches?
Specify hours of service. Is 24x7 service required? If the service will normally be provided during weekday business hours, agree on whether service will be extended when non-critical problems occur. Also, determine the cost of extending hours when extra service is required, such as at the end of the month or the quarter.
More on managed security service providers
Small customer companies often do not have the resources to devote to security. Learn how to make the most of your managed security services offerings.
Finally, remember that just as no network is static, no service can remain static. Agree upfront to meet with your customer at an appropriate future time, ideally within a few months to review the SLA and update it as necessary. The bottom line: Maintaining a successful managed network security service requires an ongoing partnership between customer and service provider.
About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
MSPS partner to provide cloud-based security offerings