Appendix D: Managed Security Service Providers
A growing number of financial institutions (FIs) are partially or completely outsourcing the security management function to third parties, typically known as Managed Security Service Providers (MSSPs). FIs engage MSSPs due to increasingly sophisticated threats, cost pressures, and absence of internal expertise. The services that MSSPs provide present additional risks FIs are required to manage.
The purpose of this appendix is to identify the risks associated with the MSSP engagement and offer guidance to assist FIs in mitigating these risks. While the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) on Information Security Booklet provides related guidance, FIs should pay particular attention to risk management issues that are heightened when serviced by MSSPs. The loss of control that comes with the outsourced security function introduces an element of risk that FIs need to understand and appropriately manage. Appendix E covers numerous engagement criteria and related contract considerations institutions should consider when engaging an MSSP.
In addition to the normal vendor management responsibilities, a successful engagement with an MSSP should include:
o Regular communication between the FI and the MSSP on matters including change control, problem resolution, threat assessments, and MIS reporting;
o Descriptions of processes for physical and logical controls over FI data; and
Following are some of the many types of security-related services offered by MSSPs:
Managed security services arrangements can include the following four deployment models:
o Manage all network connections at customer premises;
o Manage network platforms;
o Update rules and thresholds over networking devices;
o Analyze data and necessary escalation responses; and
o Provide client reports or alerts on outcomes of the managed service.
o Typically involves client-owned network equipment on their premises;
o Includes common security event monitoring tools and data loss prevention solutions; and
o IDS/IPS events are reported to the MSSP and the FI consults with the MSSP providing primary services during off hours.
o Most commonly used with firewall and network devices where the MSSP monitors log data, health, and capacity with the FI pushing system updates, rules changes, or configurations;
o Vulnerability assessment and analysis where the MSSP and FI each test applications and platforms; and
o Sometimes used when multiple MSSPs are employed.
Effective governance is fundamental for understanding and managing the risks involved when outsourcing to MSSPs. Critical areas include availability, integrity, and confidentiality of FI data. The costs to procure, operate, and manage service delivery, including review for compliance with the SLAs, should be part of the overall contract.
A risk assessment must be performed as part of, or in conjunction with, the due diligence review when an FI is considering outsourcing security services. Concerns about vendors become especially important as security practices that were traditionally conducted in-house are outsourced to an MSSP. The MSSP risk assessment should guide the FI as it develops, implements, tests, and maintains the information systems security program.
Gathering information internally and from the potential MSSP is necessary to identify potential threats, vulnerabilities, and controls. Documentation of the risk assessment is especially important to help ensure coordination, consistency, and standardization between the FI and the MSSP. The identification of information systems and the ranking of sensitive data and applications at the MSSP should be part of the risk assessment process. Coordination is also necessary to help ensure that vulnerabilities are identified and processes are validated through testing.
The reliance on MSSPs may significantly increase an FI's risk profile. Increased risk can arise from poor planning, lack of oversight and control, and/or poor MSSP performance or service. To control these risks, the FI should exercise appropriate due diligence prior to entering an MSSP relationship and maintain effective governance during the relationship.
Below are risk elements that should be considered in an FI's MSSP risk assessment. The risks identified are relevant regardless of the type of MSSP arrangement.
o Decline in business reputation and customer confidence;
o Liability under business partnership agreements;
o False sense of security by FI management;
o Diverse offshore legal, geo-political, and cultural risk;
o Impact on competitive advantage when valuable intellectual property or proprietary information is stolen;
o Reputational damage should the MSSP fail to provide the contracted service;
o Heightened legal and regulatory issues;
o Dependence on an outside organization for critical services;
o Loss of the FI experience, knowledge, and skill development; and
o Vendor financial condition decline.
To optimize service availability while mitigating risks, the following should be considered:
o Complexity of network infrastructure and deployment of agents;
o Information security breaches and data loss;
o Loss to the FI for failing to comply with applicable regulations and laws;
o Downtime due to lack of resilient MSSP infrastructure; and
o Loss of the FI's key control requirements due to MSSP's "one size fits all" products.
o MSSP access of FI data;
o User access controls;
o Segregation of duties;
o Control and oversight of MSSP activity by the FI; and
o Attestations of MSSP access to FI systems and data.
o Current antivirus/malware protection;
o Strong patch and/or configuration management policies and procedures;
o Timely identification of compromised devices; and
o Appropriate endpoint protection tools.
o Proper application configuration;
o Secure data storage and/or processing by MSSPs;
o Adequate access and integrity controls;
o Appropriate encryption;
o Adequate key management for encrypted data; and
o Sufficient data retention.
o Configuration specifications;
o Change management processes at the MSSP and/or at the FI;
o Logging and monitoring; and
o Recertification of software and permissions.
o Incompatible continuity plans and unrealistic disaster recovery planning;
o Insufficient distance between the datacenter and the backup datacenter (or recovery site) for disaster recovery;
o Inadequate disaster recovery testing and postmortem reporting (disaster recovery capability not in line with disaster recovery needs);
o Poor communication between the FI and MSSP during a disaster; and
o Inadequate capacity of the MSSP to service all clients during an outage.
o Undefined roles and responsibilities between the FI and the MSSP;
o Untimely reporting of incidents and/or data breaches;
o Failure to take appropriate steps to contain and control the incident;
o Failure to notify the FI's customers or regulators on the FI's behalf per contract agreement;
o Failure to perform joint incident response table-top testing with MSSPs;
o Overdependence on the MSSP for incident response; and
o Legal issues arising from a security incident involving both parties.
o Insufficient training or expertise at either the MSSP or FI; and
o Inadequate MSSP personnel screening practices.
Request for Information (RFI) and Request for Proposal (RFP) documents are part of a deliberate and intentional process for engaging an MSSP. This type of evaluation should be completed in accordance with the FI's strategic plan and tactical approach to security. For example, the strategic plan should determine which security functions to maintain in-house and whether to contract a sole provider or split services between providers. The RFI, the initial formal step in selection, must define the FI's objectives for the service needed. These objectives should be based primarily on the FI's configuration (OS, security, network, and servers) and security policies. The FI should also consider the MSSP's staffing, certifications, training, transition process, and incident response methodology.
It is essential for the FI to coordinate with the MSSP regarding configuration and staff resources. This is important not only for initial selection through the RFI/RFP and contracting process, but also as the relationship evolves. It is important that the MSSP be a cultural fit with the FI. MSSP-specific contract language will require modification of RFIs and RFPs based on the FI and vendor configuration. Appendix E outlines RFI/RFP examples specific to MSSPs.
An FI considering an MSSP engagement must perform adequate due diligence to validate that the vendor is capable of managing security services that are aligned with the FI's risk profile. Management should consider performing an onsite visit to determine whether the servicer has the appropriate experience and control environment to meet the FI's needs, how long the MSSP has been in business, the MSSP's staffing, the MSSP's incident response methodology, etc.
When performing an onsite visit, the FI should determine whether the MSSP can ensure the security of the FI's data. Pertinent entity and operating information should be obtained to facilitate the vendor selection process. Discussions with management should focus on the risk elements noted in the risk assessment section, with emphasis on determining that the MSSP has the necessary expertise and experience to service the FI and will provide sufficient metrics for the FI to assess compliance with the contract.
The FI should determine how long the MSSP has been operating and whether any expected changes (e.g., mergers, acquisitions, expansion/growth, etc.) could impact contracted services. The number of clients the MSSP services and the number of FI clients should also be identified. If the MSSP does not have FI clients, it may indicate that the vendor is seeking to enter an unfamiliar business area. Before accepting this risk, the MSSP's familiarity with pertinent regulatory requirements such as GLBA, SOX, and FFIEC guidance must be validated.
When evaluating the MSSP's expertise, the following should be considered:
o Generate timely MIS reporting and incident notification;
o Maintain confidentiality, integrity, and availability of FI data; and
If the MSSP does not perform all services in-house, FIs should determine which services are to be outsourced, the quality of vendor management exercised by the MSSP, and whether the service provider(s) is/are offshore.
To fulfill its duties, an MSSP may be required to install software and/or hardware in an FI's data center. What data will be collected, reviewed, stored, and secured by the MSSP should be defined with established SLAs based on business requirements. The dialog between the MSSP and the FI should focus on identifying services that preserve security.
The initial due diligence process is a key method to determine if an MSSP can provide the necessary services to an FI. Each of the above recommendations should be considered in deciding if the MSSP is viable and has the ability to fulfill the terms of the engagement.
In any MSSP arrangement, the contractual expectations and obligations of each party should be clearly defined, understood, monitored, and enforced. FI managers who have a strong understanding of MSSP risks and mitigating controls should be involved in contract development. Legal representatives with the expertise to assess the enforceability and legitimacy of MSSP contract terms should review contract provisions and be included in contract negotiations. The alignment of contract provisions with FI security policies and procedures creates a strong foundation for the development of comprehensive MSSP agreements.
Although most contract requirements for MSSPs are similar to those of other outsourcing arrangements, FIs should consider the following provisions when developing a formal contract with an MSSP.
Scope of Service
Contract discussion should include:
Service Level Agreements
Well-defined SLAs provide the framework for establishing the expectations and metrics for the effective delivery of service, such as levels of availability, performance, or support. When working with MSSPs, attention should be given to the engagement criteria in Appendix A.
Contract Term and Renewal
The role of the MSSP relationship and how the length of the contract integrates with the FI's overall business strategy and objectives should be defined. Long-term contracts may limit flexibility and consideration should be given to whether to accept automatic contract renewal provisions.
Termination
FIs should consider including termination rights for a variety of conditions including material breach, critical performance failure, and material non-performance. Grounds for termination should be clearly defined and agreed on by the FI and service provider. If the contract is terminated for cause, the MSSP should cover damages. The FI's exit strategy should consider post-termination rights including:
Managing the Relationship
While the initial due diligence is critical to managing the MSSP relationship, ongoing monitoring and oversight are equally important. Risks of MSSP relationships are generally similar to the risks of other outsourcing arrangements that need to be addressed within the FI's vendor management program, but the MSSP relationship has some attributes that may call for a heightened level of (or more targeted) education and training.
Education and Awareness
Effective MSSP oversight requires an FI to maintain adequate in-house technical expertise. This enables the FI to monitor and maintain acceptable risk exposure and confirm that the MSSP is fulfilling its contractual obligations. Education and awareness for FI employees is necessary to help ensure that staff understand:
o What data the MSSP is collecting and who has access to the data;
o Information in audit reports and security testing of the MSSP; and
o How to measure a successful relationship.
Given the high level of risk and trust in the relationship, the FI should verify that the MSSP is appropriately managing the contracted security services on its behalf. The following should be addressed in the FI's education and awareness program:
Contract Performance
FI management should have a monitoring process to attest to the MSSP meeting its contractual obligations. This typically entails reviewing items such as SLAs, Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), security event notification, incident response, and any other metrics relative to performance. These items should be included in MSSP reports, and FIs should perform supplemental monitoring as necessary to evaluate contractual performance.
The critical services provided by MSSPs require a high level of FI oversight throughout the lifecycle of the contracting relationship. Processes should include maintenance of controls established as part of the initial due diligence, including:
o MSSP-provided MIS reports;
o MSSP audit reports, including SSAE 16 and other independent assessment reports; and
o Penetration testing and vulnerability assessment test results.
Business Continuity Planning
To avoid a gap in service in the event of an MSSP outage, the FI should:
Incident Response
To assess that the FI is fully prepared to respond to incidents, the FI should:
Alternative Providers
To prevent gaps in service associated with MSSP failure, the FI should:
Demarcation of Responsibility
Along with general monitoring and oversight of the MSSP, FIs should have involvement in the operational and policy activities associated with the MSSP. Examples include:
Policy and Procedures
Outsourcing certain security activities does not diminish the need for adequate security policies at the FI. The FI should coordinate its information security program with the policies, standards, guidelines, and procedures of the MSSP.
The incident response function needs to be coordinated and clearly defined between the FI and MSSP. Notification and escalation requirements regarding incident response should be clearly documented and aligned between the FI and MSSP. The definition of a reportable event should be clear and unambiguous.
Access Controls
Assess controls/methods and audit trails related to the FI's systems, devices, and data being managed by the MSSP.
Physical Security
Typically the MSSP will place devices within the FI (e.g., firewall, IDS, etc.) which the MSSP may own and/or control. FIs should consider appropriate physical security of such devices regardless of ownership and/or control.
Change Control
There should be a clear process to communicate changes implemented by either the FI or the MSSP. Changes can have a material impact on the security environment, and both parties should undergo an adequate change control review. Advance notification of any changes should be provided whenever possible.
Data Collection/Logging
The FI should maintain awareness of the data the MSSP is collecting, how it is stored, and how it is used. The FI's data and logs should be maintained separately from those of other MSSP clients. The MSSP's data collection and security event classification processes should be defined and understood to help in corroborating the integrity of the FI's data and in establishing a more effective log review process.
Metrics and Reporting
The MSSP should provide regular reporting on agreed-upon performance metrics to the client FI. It is important that qualified FI personnel review these reports to attest that the MSSP's security controls are operating as expected. Metrics and reporting should include security:
Cloud computing is an emerging trend in which some of the IT industry's biggest players are investing significant resources. Cloud computing in general is a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet "cloud." In cloud environments, a client or customer will relocate their resources such as data, applications, and services to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.
Cloud-based MSSP services may be implemented as part of Internet access services. Examples of "in-the-cloud" services include carrier-based denial of service protection, virtual firewall services, and carrier-provided URL blocking.
When an MSSP offers services that use a cloud computing architecture, the same risks that are specific to non-cloud-based security services apply. However, there are a few additional risk considerations that should be assessed when moving to a cloud computing environment. Areas for FIs to consider when an MSSP uses cloud computing in their managed security services environment include:
Financial institutions' challenges in dealing with high profile network security breaches, changing technology, malware, system maintenance costs, complexity, and uncertainty surrounding network security have resulted in an increased use of MSSPs. While FIs can leverage the expertise of the MSSP, managing this relationship can be an additional challenge, particularly when MSSPs have access to confidential or sensitive information that requires increased protection. In addition, FIs can have high levels of risk exposure in the event that an MSSP cannot comply with service level agreements.
As with all outsourcing arrangements, FI management can outsource the daily responsibilities and expertise; however, it cannot outsource accountability.