Issue link: http://read.uberflip.com/i/45522
DEVELOPING STRONG NETWORK SECURITY WITH A SERVICES-INTEGRATOR APPROACH • In-House Security Model: Retain the responsibility for all security services • Security Services-Integrator: Establish contract terms and conditions; determine and track all performance metrics required to monitor and supervise contractors • All Security Services Outsourced: Obtain greater expertise and a greater range of services, and possibly decrease costs; the institution retains the same responsibilities for security as if the services were performed in-house At Nexsen Pruet, a regional law firm with over 180 attorneys in the Carolinas, we have a team of two (and one person who devotes 50 percent of their time) responsible for network infrastructure and security for eight offices and over 400 employees. No one on the team is a full-time security professional, which is why we have adopted a security services-integrator approach by making strategic alliances with our security vendors to help us build a strong security team and, most important, an information security program that aligns with the firm's business objectives around risk management. Along with our security services-integrator approach, we retain some of the responsibilities in-house, and we're also responsible for security as if all services were performed in-house. Or, as Jeff Ward of Fulbright & Jaworski wisely said in a session we participated in at ILTA's 2011 conference, "You are outsourcing the service, but the problem is still yours, and it is your responsibility to address it." This is important to note because many seem to confuse "outsourcing a service" with "transferring liability." A relevant example of this concept would be outsourcing credit card processing to a third party; while the service is outsourced, the firm is still liable and must ensure that their vendor complies with regulations, or else both could fail an audit. EXTENDING NEXSEN PRUET'S NETWORK SECURITY PRACTICE For years we have partnered with Dell SecureWorks, one of the world's strongest security MSPs. Although all of us are very good security engineers with security certifications and strong skills, we just don't have the manpower to dedicate someone to watch firewall and IDS/ IPS logs and alert us to possible incidents. The superior work that our MSP vendor does led me to grow our relationship by also outsourcing IDS/IPS and log retention — two areas that are important to any security program, especially when regulations (e.g., HIPAA) are part of the conversation. They add value to our team by tackling the biggest challenges that these technologies present: keeping up with the logs, sending immediate alerts when suspicious behavior is detected and working with us through the resolution of the problem. We still do our part by reacting to alerts and mitigating threats, but we have been able to react and pull machines out of the network or close a hole within minutes due to our MSP support. Even if we had a dedicated internal resource for this area, I don't think that we would be able to react and take action that quickly. We've also hired SaaS companies to help us secure other areas of our network perimeter, specifically email spam and www.iltanet.org Risky Business 47