Tuesday, May 19, 2009

Using service providers for information assurance

As information security officer, my role is to ensure that my organization's information resources are not exposed to unwanted risks. One tool that is commonly used is to commission an external (independent) entity to assess how well resources are protected from a technology point of view.

Unfortunately, all too often, an external assessment, or even a penetration test, will yield results that were mostly predictable. While having an independent entity confirm issues may bring a higher sense of urgency and grants the claim more credibility, it is still unsatisfactory to be spending a lot of money on a test of which you were able to anticipate the results. Of course, independent auditors tend to have easier access to people higher in an organization, and using an auditor to further your own goals is an acceptable tactic to get things done.

One disadvantage of having external groups conduct vulnerability assessments or penetration tests is that they will only provide you with a snapshot in time. The many issues revolving around PCI compliance have clearly demonstrated that compliance on a certain day does not lead to continued compliance.

Lately, I have started to look around to see what service providers are out there that offer a "solution" (as much as I despise the word) that provides full-time (or on-demand) assessments at a fixed and predictable rate.

Whether that assessment is done through manual scanning, automatic scanning, or by installing agents on endpoints is really not so much of a concern to me. If I can obtain a (near) real-time overview of certain aspects of my infrastructure, provided by a credible and knowledgeable outside provider, why not research that further?

More than likely, I will be able to lower security costs by reducing the scope of annual vulnerability assessments (or pentests), drop the frequency at which those engagements take place, and concentrate on improving processes and procedures, rather than bring in more technology that brings with it more security concerns.

At the moment, I am evaluating several offerings, and depending on how much vendors are willing (and able) to work on price, I may be very interested.
