Outsourcing Managed Security: Risk and Rewards

An organization can become operationally dependent on a single service provider. One risk-mitigation approach is to outsource to multiple providers, but this comes with additional cost and management oversight responsibilities. An organization needs to carefully examine the provider’s proposal to understand whether it uses subcontractors and how they work.

A client retains ownership and responsibility for the secure operation of its infrastructure and the protection of its critical assets regardless of the scope of services provided by a service provider. Risk-mitigation approaches include making information security the primary responsibility for one or more staff members and managers, and conducting regular user-security awareness and training sessions.

The shared operational environment used by many service providers to service multiple clients poses more risks than an in-house environment. Sharing a data-transmission capability (such as a common network) or a processing environment (such as a general-purpose server) across multiple clients can increase the likelihood of one organization having access to the sensitive information of another.

Initiating a managed-security services relationship may require a complex transition of people, processes, hardware, software and other assets from the client to the provider or from one provider to another, all of which may introduce new risks. IT and business environments may require new interfaces, approaches and expectations for service delivery.

The CERT Coordination Center provides a list of best practices for engaging managed-security service providers. They are intended primarily for those responsible for the selection and day-to-day overview of outsourced managed-security services. This may include the chief information officer, chief financial officer, contracting/purchasing manager, information technology manager, chief security officer, and technical staff (system and network administrators).

A managed-security provider can offer an independent perspective on the security posture of an organization and help maintain a system of checks and balances with in-house personnel.

To knowledgeably select, engage, manage and terminate service provider relationships and the services they provide, CERT recommends a three-step approach: engaging a managed-security service provider (MSSP), managing the relationship with an MSSP, and terminating an MSSP. The first practice in engaging a service provider provides guidance for a Request for Proposal (RFP). The RFP establishes the client’s requirements that need to be addressed in a provider’s proposal. The second practice describes guidelines for evaluating a provider’s proposal beyond those implied by the RFP guidelines. The third practice provides content guidance for a Service-level Agreement (SLA). The SLA is one part of the contract between the client and provider. It addresses some of the RFP requirements.

SLA guidelines fall into two categories: service-specific agreements and operational-security practice agreements. Service-specific agreements address characteristics and attributes of the service being provided. Operational-security practice agreements address the quality of the operational-security environment in which the services execute. This latter set of content guidance (titled Security Practices) does not typically appear in today’s SLAs but represents critical content on which the client and provider should agree.

Managing the relationship with a service provider includes guidelines for establishing a new provider relationship or transitioning from in-house services to provider-supplied services or transitioning from one provider to another. The second practice in this area addresses the ongoing client/provider relationship.

Finally, there are guidelines to consider when an organization terminates a relationship with a service provider, whether at the end of a contract or for some other reason.
