With venture capital being poured into fledgling managed security service providers (MSSPs), there is no shortage of vendors vying for your business. In evaluating a potential vendor, one of the most critical components to examine is its service level agreement (SLA).
SLA is a widely used term in today's service-based economy. For many offerings, such as Internet access, the SLA is a key component. When the service in question is a company's security, it carries far more weight. Outsourcing all or part of an organization's network security is a big decision. Although the managed security services model has proven successful, it still means granting an external party access to mission-critical systems. Establishing a level of trust in the vendor is essential to a successful relationship, and the SLA is where that trust is made concrete and enforceable.
The process begins by defining your precise security needs: what you need managed or monitored, and the type and level of service you require. We recommend assembling a team from your organization early in the process to set and review these parameters. Finance, legal and business line management should participate. Once your needs have been established, they should be clearly communicated to your prospective MSSP and incorporated into the SLA. This assessment should include an analysis of the consequences to your business if the MSSP fails to meet the agreed terms; that analysis is what justifies the penalties applied for non-compliance.
The SLA should detail vendor responsibilities through a 'statement of work.' For example, if you outsource your firewall management to an MSSP, the SLA should specifically spell out three items: what, how and when. What will be managed on that device? Will the MSSP apply software updates and patches for the device? If so, how will these updates be applied and tested? And when will they be applied: as soon as the product vendor releases them, every month, every six months or once a year? With new threats emerging daily, timely application of software patches is critical to the security of your business, and a vague commitment to 'keep the device current' gives you nothing to measure.
Even though an MSSP manages and monitors your network components, you will still face security threats. While continuous monitoring is one of the primary advantages of an MSSP, it may not be clear what happens when an intrusion detection sensor raises an alert. The SLA should detail the procedures for notifying you in case of a security incident. The types of incidents that require notification should also be clearly defined, ideally by severity class; otherwise the MSSP may classify a genuine security threat as 'not important' and never tell you. The exact notification procedure (whom to notify, by what channel and within what time) should be clearly spelled out, as should the MSSP's responsibility for taking appropriate action of its own.
The best-written SLA can miss certain contingencies, and you may be faced with a unique situation that requires resolution with your MSSP. For example, many security breaches require an immediate physical visit to the customer site. What happens if the security analyst sent to fix your problem is delayed by an automobile accident en route? Scenarios such as this are often overlooked in SLAs and can lead to disputes. For this reason, your SLA should include a 'dispute resolution' clause that clearly defines the process for resolving disputes in a timely manner.
If the MSSP violates the SLA, non-compliance penalties, such as rebates or service credits, should be applied. For example, a penalty might be invoked if your MSSP fails to inform you of a significant security threat within 15 minutes. Be precise about when that clock starts: the practical reference point is the time the MSSP's sensor raised the alert, since the actual moment of compromise is rarely known to either party. Some MSSPs provide a reporting portal through which you can view every alert generated on your network along with the MSSP's subsequent response. This gives you your own record against which to measure the MSSP's performance, rather than relying solely on the reports it chooses to send, and improves your ability to determine whether your MSSP is living up to the SLA.
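As an added example, not code from the article or from Ubizen, here is a small Python check that turns the notification terms above into something measurable: it reads alert records of the kind an MSSP portal exposes, applies the 15-minute window to the severity classes that require notification, and flags breaches. The record format, the set of notifiable severities, the sample alerts and the credit figure are all assumptions constructed for the example. Note how it handles the two edge cases a naive check gets wrong: an alert that has not been reported yet but whose window is still open is 'pending', not a breach, while one whose window has already closed with no notification is a breach even though there is no notification timestamp to compare.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical SLA terms (assumed for this example; only the 15-minute
# window comes from the article).
NOTIFY_WINDOW = timedelta(minutes=15)
NOTIFIABLE_SEVERITIES = {"critical", "high"}


@dataclass
class AlertRecord:
    alert_id: str
    severity: str
    raised_at: datetime              # when the MSSP's sensor raised the alert
    notified_at: Optional[datetime]  # when the customer was told; None = not yet


def parse_alert_line(line: str) -> AlertRecord:
    """Parse one constructed CSV line: id,severity,raised_iso,notified_iso (blank if none)."""
    alert_id, severity, raised, notified = (f.strip() for f in line.split(","))
    return AlertRecord(
        alert_id=alert_id,
        severity=severity.lower(),
        raised_at=datetime.fromisoformat(raised),
        notified_at=datetime.fromisoformat(notified) if notified else None,
    )


def evaluate_notifications(records: List[AlertRecord], now: datetime) -> Dict[str, object]:
    """Classify each notifiable alert as compliant, breached, or still pending.

    The clock runs from raised_at, the one timestamp both parties can observe;
    the true moment of compromise is unknowable and is not a usable SLA basis.
    """
    breaches: List[Dict[str, object]] = []
    pending: List[str] = []
    notifiable = 0
    for rec in records:
        if rec.severity not in NOTIFIABLE_SEVERITIES:
            continue  # the SLA does not require notification for this class
        notifiable += 1
        deadline = rec.raised_at + NOTIFY_WINDOW
        if rec.notified_at is None:
            if now > deadline:
                breaches.append({"alert_id": rec.alert_id, "latency_min": None})
            else:
                pending.append(rec.alert_id)  # window still open; judge later
        elif rec.notified_at > deadline:
            late_by = rec.notified_at - rec.raised_at
            breaches.append({"alert_id": rec.alert_id,
                             "latency_min": late_by.total_seconds() / 60})
    judged = notifiable - len(pending)
    compliance = 1.0 if judged == 0 else 1 - len(breaches) / judged
    return {"notifiable": notifiable, "breaches": breaches,
            "pending": pending, "compliance": compliance}


def service_credit(report: Dict[str, object], credit_per_breach: float) -> float:
    """Flat credit per breached alert; the rebate structure is an assumption."""
    return credit_per_breach * len(report["breaches"])


# Constructed sample portal export: id,severity,raised,notified (blank = not notified).
SAMPLE_ALERT_LOG = """\
A1,critical,2024-03-01T10:00:00,2024-03-01T10:08:00
A2,high,2024-03-01T10:20:00,2024-03-01T10:41:00
A3,low,2024-03-01T10:30:00,
A4,critical,2024-03-01T11:00:00,
A5,high,2024-03-01T11:50:00,
"""


def run_sample(now: datetime = datetime(2024, 3, 1, 12, 0, 0)) -> Dict[str, object]:
    records = [parse_alert_line(l) for l in SAMPLE_ALERT_LOG.splitlines() if l.strip()]
    return evaluate_notifications(records, now)


if __name__ == "__main__":
    report = run_sample()
    for b in report["breaches"]:
        print(f"SLA breach: {b['alert_id']} latency={b['latency_min']} min")
    print(f"pending: {report['pending']}  compliance: {report['compliance']:.0%}")
    print(f"credit due: {service_credit(report, 500.0):.2f}")
```

Run against the sample at 12:00, A1 is compliant (8 minutes), A2 is a breach (21 minutes), A3 is ignored as a low-severity alert, A4 is a breach because its window closed with no notification, and A5 is still pending because its window does not close until 12:05. Feeding the same script a real portal export lets you compute the credits you are owed rather than taking the MSSP's word for it.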
If an MSSP repeatedly fails to live up to the SLA, it might be time to consider terminating the service. However, doing so should not adversely affect your security posture, so it is important that your SLA clearly spells out an exit strategy. For example, if your MSSP installs its own equipment on your premises, a transition period should be defined that stipulates how and when the equipment is to be removed, how the device configurations and monitoring data are handed back to you, and when the MSSP's remote access credentials are revoked.
Outsourcing security is a big step for any organization, but one that can bring great value and save time and money. Although the details will vary from organization to organization, a well-constructed, legally binding SLA will foster a successful relationship between you and your MSSP.
Nathan Tennant is senior manager, solutions marketing for Ubizen (www.ubizen.com).