Computers & Security

Volume 22, Issue 3, April 2003, Pages 204-206
A contest to evaluate IT security services management

https://doi.org/10.1016/S0167-4048(03)00306-7

Abstract

This article discusses a project that used a multi-team competition to define, test and validate the added value and costs of a premium level of ‘managed security services’. The services were intended for a limited number of servers used to store and process extremely sensitive information on a large IT infrastructure. They were defined by a specialist third-party managed security services (MSS) provider. They included recommended server configuration and intrusion detection software, as well as monitoring services.

The project contest was structured to benchmark the risks and controls related to the existing level of service, and then to determine the added value, effectiveness, and cost alternatives for an increased level of service. The company’s infrastructure group and an MSS provider were to be defenders of specific servers for a sensitive application. Prior to the contest, the protected application servers were hardened by each defender. The servers and the application were then attacked by an independent third-party professional hacker team.

The overall conclusion was that the study approach provided a good way to evaluate information risks, control requirements, and the cost(s) of alternative solutions to meet those requirements by using a combination of company resources and an external supplier(s). It also provided a very effective means to stimulate staff interest and obtain senior management attention and support.

Section snippets

Background

Unilever is a large multinational fast-moving consumer goods company. Its Global Infrastructure Organisation manages a shared infrastructure that has more than 6000 servers located throughout the world. These servers are used for a wide variety of applications to meet the strategic and operational needs of the company.

The company wanted to evaluate the adequacy of existing infrastructure security measures that were applied to information that was very sensitive to unauthorized access and/or

The contest

The ‘contest’ was structured to specifically address risks that could be managed effectively by the infrastructure security group. It was also intended to be ‘fun’ for the participants.

The premium level of service was to be provided by an MSS supplier. It was to include a recommended server configuration for increased security, monitoring for server uptime and availability (to detect denial-of-service attacks as well as routine service disruption), intrusion detection using both host-based and

Conclusions

Unilever management gained very useful insights into the value, use and costs related to managed security services during this project, including:

1. Risks, controls and the cost(s) of alternative solutions were much easier to understand and evaluate after both the existing and premium services were defined, tested and validated.

2. While the existing controls provided an adequate level of security for the very sensitive information in the protected servers, adding the premium level security services

Rolf Moulton, CISSP, CISA

Rolf Moulton provides risk management and security consulting services to clients. He serves on the International Board of Referees of Computers & Security, and is also a member of the Board of (ISC)². He was formerly Head of IT Risk Management, and responsible for information security at Unilever; as well as a member of BDD2 — the UK committee responsible for the development of BS7799.

Robert S. Coles MBA, MBCS, CISM

Robert is the Security Service Leader for KPMG LLP in the UK. He is responsible for the development and delivery of a wide range of security services from strategy and architecture to managed security services, implementation and testing and certification services. Robert is also a member of the Certified Information Security Manager exam board and BDD2 and Panel 3 — the UK committees responsible for the development of BS7799.