Date Published: October 2003
Author(s)
Tim Grance (NIST), Joan Hash (NIST), Marc Stevens (BAH), Kristofor O'Neal (NIST), Nadya Bartol (NIST)
Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. It is difficult and challenging to determine service provider capabilities, measure service reliability, and navigate the many complexities involved in security service agreements. This guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. This life cycle provides a framework that enables IT security decision makers to organize their IT security efforts from initiation to closeout. The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization's systems, applications, and information.
Keywords
Computer security; information security; life cycle; outsourcing business case; security service; service level agreement; service provider; total cost of ownership
Control Families
Security Assessment and Authorization;
Configuration Management;
System and Services Acquisition;