Categories of Security Controls in Outsourcing

Posted May 25th, 2010 by

As I’m going through a wide variety of control frameworks in a managed services/cloud environment, I’m reminded of how controls work when you’re a service provider.  Mentally, I break them down into four “buckets”:

  • Controls that I provide to all customers as part of my baseline. In other words, these are things that I do for all of my customers because it’s either part of the way that I do business or it makes sense to do it once and scale it out to everybody.  Typically these are holistic information security program things (ISO 17799/27001/27002 or similar) matched up with my service-delivery architecture.
  • Controls that I provide as an add-on service. Not all of my customers need these but I want to offer them to my customers to help them with their security program.  Usually these are services and products supporting a regulatory framework specific to one industry:  PCI-DSS, FISMA, GLBA, etc fit in here if my market is not exclusive to customers governed by those regulations.  In order to keep the base cost for the other customers low, these aren’t included in the base service but are available for a price.
  • Controls that I am planning on building. I don’t have them yet but they’re on my roadmap.  Sometimes this is how I get into new markets by building the products and services that match up against the regulatory framework for that market, then build to that as a specification.
  • Controls that I will not provide. Maybe this control doesn’t apply to my products and service (The “We don’t actually own a Windows/HP-UX/AIX server” problem).  Maybe the controls framework didn’t scope my solutions into its assumptions.  Maybe the economics of this didn’t work out.  Maybe I don’t provide this because it’s dishonest for both myself and you as my customer for me to say I provide this–think along the lines of accepting risk on your behalf which puts me into a conflict of interest.  This is why any vendor who says they provide 100% compliancy against FooFramework is lying.

Transparency ties it all together.  The good providers will tell you upfront which controls belong in which buckets.

Tool Bucket photo by tornatore.



Similar Posts:

Posted in Outsourcing, What Works | 2 Comments »
Tags:

2 Responses

  1.  Tweets that mention Categories of Security Controls in Outsourcing | The Guerilla CISO -- Topsy.com Says:
    May 25th, 2010 at 2:15 pm

    […] This post was mentioned on Twitter by grecs, novainfosec. novainfosec said: #NOVABLOGGER: Categories of Security Controls in Outsourcing http://bit.ly/bujSFk http://j.mp/nispblog […]

  2.  Top 3 NoVA Infosec Blog Posts of the Week | NovaInfosecPortal.com Says:
    May 28th, 2010 at 10:45 pm

    […] any say anymore on this post as the title says everything for us. The only left for you to do is to click here to learn more about the categories of security controls in […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.


Visitor Geolocationing Widget: