Is Your Managed Security Services Provider an Integrated Part of Your Organization? 



Is Your Managed Security Services Provider an Integrated Part of Your Organization?

By Tyler Hardison, CISSP, PCI Qualified Security Assessor

The Nexus  |  11 September 2017

Tyler Hardison Given all the attention-grabbing headlines around cyber security and the strong desire to avoid becoming one of those headlines, it is tempting for many businesses and organizations to hand over responsibility for information security to an external managed security service provider (MSSP) and move on.

But such an approach often fails to consider that security programs consist of multiple areas of focus, only one of which is information security. Other programs include physical security and personnel security. Rather than setting up cyber security programs in isolation, organizations should look to integrate information security and the services provided by the MSSP within the context of a holistic security program that delivers the ultimate goal of “mission assurance.”

Under the umbrella of mission assurance are the 3 building blocks of safety, durability and resilience that are ideally supported by a security program, an incident response program and a business continuity program. The security program should provide the ability to avoid, deter, prevent, or rapidly detect and negate incidents before damage is realized. Should an incident occur despite the protection offered by the security program, the organization then initiates its incident response plan. MSSPs can fill this gap by becoming integrated with the enterprise’s risk management team as a partner and trusted advisor.

Incident response programs should incorporate a variety of different incident categories, including information security incidents. Other categories might involve criminal behavior, significant employee misconduct and other event types that may have significant consequences but do not actually disrupt business operations. Events severe enough to disrupt operations are when business continuity plans come into play. In the managed services model, the provider is included in the incident response cycle as an informed partner and, in some cases, the initiator of the incident response plan.

Incident response programs should incorporate a variety of different incident categories, including information security incidents.

A business continuity program provides a unified set of supporting plans that range from disaster recovery to crisis communications. The programs are mainly focused on restoring critical business functions (CBFs) to acceptable operating levels after a disruption. Information security should support business continuity planning by identifying where organizations’ CBFs depend on information and IT and providing the means to meet those needs quickly without sacrificing information security. The MSSP becomes critical in the planning and execution of testing the business continuity plan (BCP). The MSSP should have, at a minimum, a copy of the BCP to facilitate the testing and partner in the execution of your plan in the (hopefully) unlikely event of a disruption. Often times, the MSSP will have deep information and documentation of the network infrastructure to facilitate the expedient recovery during an actual event.

Figure 1 shows how each of these programs relates to the overall goal of mission assurance, and how and where information security fits within the larger scheme.

Figure 1—Mission Assurance Structure
Figure 1
Source: Redhawk Network Security. Reprinted with permission.

Information security is just one aspect of a comprehensive mission assurance program, but it should be woven throughout.

As shown, information security is a component within each of the security and continuity programs. It goes beyond most other program components, however, because of the ubiquity of information and information technology within modern organizations. Information security programs must include considerations for physical security, personnel security and other topics that go far beyond the scope of IT systems. An information security program may include a variety of issue-specific policies, including policies on:

  • Information security awareness training (touches personnel security and administration)
  • Information systems acceptable use (touches personnel security and administration)
  • Information systems user management (touches personnel security and administration)
  • Information systems configuration, change, and vulnerability management
  • Information systems access control
  • Information systems continuous monitoring
  • Information systems physical security (touches physical security)
  • Communications security
  • Data retention and disposal security (touches physical security)
  • Secure software development life cycle

Looking at this policy list, several are clearly concerned with other aspects of a robust security program, such as security facilities and personnel, which have their own policies and complexities. As such, cyber programs cannot supersede or override any policies developed for adjacent security programs. Instead, information security requirements must be coordinated and cross-referenced with other security programs wherever they cross into other programs’ domains. Figure 2 illustrates some examples of appropriate cross-referencing for certain policies. An MSSP should be a resource for basic policy frameworks to assist with the creation of these policies as needed.

Figure 2—Cross-References Between Policies and Other Documents


Where Referenced

Information systems acceptable use

Employee handbook

Information security awareness training

Employee training standards

Information systems user management

Employee hiring, transfer and termination procedures

Information systems physical security

Facility security plan

Data retention and disposal

Document handling policy

These relationships between programs illustrate how information security should be part of a larger, collaborative effort that involves multiple stakeholders. While it can be tempting for many organizations to bring in an MSSP and assign it a narrow focus to improve information security, the broader goal of mission assurance is much more likely to be achieved if the MSSP is integrated not only into the security program, but into incident response and business continuity programs as well.

Tyler Hardison, CISSP, PCI Qualified Security Assessor

Is director of solutions and innovation, Redhawk Network Security. He is responsible for developing solutions for clients with the Solutions Architect team. He is also responsible for leading Redhawk’s innovation and developing new service solutions. Hardison is also responsible for leading the development team on the CyberSecurity Portal. He is a 12-year veteran of technology management in the financial services industry. Rising from the help desk to become chief information officer of a US $3 billion credit union, he has been at the forefront of regulatory changes and the development of the tools necessary to keep up with them.



ISACA Knowledge Center

Share Knowledge about Cybersecurity with other members and discuss current issues. Collaborate, make connections and learn how to keep your enterprise safe

Knowledge Center