Network Security Security-Management

Re: Performance monitoring of colocation vendors

Subject: Re: Performance monitoring of colocation vendors
Date: Mon, 5 Dec 2005 06:10:44 -0800
I hate to say it but the ITIL is more or less designed to address this issue. They basically say that you follow ISO17799, which is pretty reasonable. My view is somewhat more radical. I figure outsourced or not the same security requirements apply. The problem is that you can't get as good a set of feedback from them because you don't own the management. Some use independent audits such as SAS-70 for financial institutions as the means for review, but this is problematic for those who don't do it.

On Nov 30, 2005, at 2:42 PM, Dora Mandadjiev wrote:

Hello,

If a company uses a co-location facility for housing its IT infrastructure:

1. What are things that are appropriate and necessary to review/ audit the service provider for on a regular basis (e.g., annually)? Does anyone know of a good checklist or an audit program for such review?

The same thing you would review if it were not outsourced.

Is it appropriate to ask the vendor to provide for review internal policies and procedures for equipment maintenance, incident handling, physical access, etc?
Not only appropriate but absolutely necessary.
How should I handle situations when the colocation provider with whom our company has a colocation contract has outsourced the facilities management to another company and says that the maintenance P&Ps are part of the contract b/w the outsourced vendor and them and are confidential?
Fire the vendor and explain that the need to fulfill legal and regulatory requirements is absolutely necessary and their confidentiality is less important than you keeping your CEO out of jail.
What is an appropriate way to leverage SAS70 reviews on the vendor?
Whatever they cover you should use, however, this is not adequate from a controls point of view in my view.

2. What are appropriate metrics to use to "monitor" the performance of the service provider (if they are providing facility and internet connectivity)?
Business metrics - always. I have a book called "Security Metrics" that provides a whole set of metrics that go with the governance structures described in "the Governance Guidebook". But which ones are good for you requires customization to the model you use and your specific needs.
Up-time, power outages, environmental parameters, incidents, etc.
Sure - these are 4 out of 4,000 you likely should choose from. The question drives back to the fundamental question of how your business depends on them.

Thanks!


-- This communication is confidential to the parties it is intended to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
Security Management Partners policygeeks.com Livermore, CA 94550