Vendor Management: 10 Tips for Hiring a Managed Security Services Provider

A managed security service provider (MSSP) is a vendor company that specializes in managing the business applications or services that other organizations outsource for a variety of reasons. Many of these services are delivered over the internet and cover tasks such as IT services, remote data backup, network security and management, desktop and security monitoring, incident tracking, and technical assistance. It is also common for a managed security services provider to manage a company's web hosting and maintain its websites, as well as handle system changes, modifications, and upgrades.
With the emphasis on information security and regulatory compliance governing financial institutions, coupled with unexpected security threats and incidents making headlines every day, banking institutions are pressured to manage the bottom line while providing increasingly convenient online services and maintaining personalized customer relationships.
Customer confidence in the bank's ability to secure personal financial information is a prerequisite for implementing the integrated services that ultimately provide satisfaction and cost-effectiveness. Managing network security has also become a necessity, but it is often an overwhelming task for many small-to-midsize financial institutions, which are looking to outsource their network and security requirements to vendors that proactively provide specialized expertise and resources to handle these areas. All these factors have boosted the need for MSSPs in recent times.
Mike Martone, Information Security Officer at Central Bank, located in Houston, Texas, oversees network and computer security outsourced services at his bank, including vulnerability assessments, penetration tests, enterprise risk assessments, firewall technology/monitoring and intrusion detection. Here, Martone discusses his criteria and factors for hiring a managed security service provider.
1. Knowing the Basics
Does the managed security service provider have an ongoing relationship with the FDIC? Has the vendor fulfilled the FFIEC guideline fundamentals, such as the SAS 70 and other security audits, and does it understand what bank examiners are looking for? Does it follow best practices within information security?
2. Understanding Business, Security and Compliance
Does the IT security managed services vendor understand the banking business and all the risks associated with it? Does it currently deal with financial clients? Has it evaluated the risk in addressing its services and proposed solution? Is it 'on top of its game' in proactively protecting and managing its clients' environments? Is the vendor educated and aware of the federal laws and regulations governing financial institutions? "If I have to explain the Gramm-Leach-Bliley Act (GLBA) to a vendor, I am probably not speaking to the right person," says Martone.
3. High Service Level
Do they have a 1-800 number that is functional? Do they have technical support 24/7? How useful is their customer service? How accessible is the vendor for addressing queries and ad hoc questions when required? Does the vendor customize its services? For example: while analyzing log files, will the vendor interpret the results and explain to the banking client what they specifically mean for that bank?
4. Service Level Agreements
Does the vendor understand the depth of the service agreement from the client's perspective? For example: the MSSP will agree to monitor the intrusion detection system (IDS) for its banking client, but it is one thing to monitor the IDS for failure and then notify the bank, and quite another to respond to an alert raised by the IDS.
5. Vendor Due Diligence
How prepared is the vendor to do business with a bank? Does it have its due diligence package ready to be handed over for consideration? Is it prepared to provide banks with answers to regulatory compliance issues? Does it know what financial institutions need from an IT security perspective?
6. Vendor Competency and Technical Ability
How competent are the MSSP's personnel? How deep and broad can they go in understanding issues and providing the required services? Can they go beyond IDS and firewall monitoring and provide in-depth reporting for a bank's compliance initiatives?
How long has the vendor company been around? What is its standing in the industry? Can its staff lead our institution through appropriate transitions and changes in our management, systems and processes? Have they provided us with valid references?
Do they have the service and product offering required to satisfy our current need? Do they have a broad enough support structure to monitor different devices? What is their implementation plan?
How satisfied are the vendor's current clients? How long do they stay? What is the vendor's customer renewal rate?
Are the vendor's personnel keeping ahead and evolving on a daily basis to protect the information assets of their banking clients? Are they taking effective countermeasures against security breaches and other emerging threats?