Abstract

This article discusses a project that used a multi-team competition to define, test and validate the added value and costs of a premium level of ‘managed security services’. The services were intended for a limited number of servers used to store and process extremely sensitive information on a large IT infrastructure. They were defined by a specialist third-party managed security services (MSS) provider and included recommended server configuration and intrusion detection software, as well as monitoring services. The project contest was structured to benchmark the risks and controls related to the existing level of service, and then to determine the added value, effectiveness, and cost alternatives for an increased level of service. The company’s infrastructure group and an MSS provider were to be defenders of specific servers for a sensitive application. Prior to the contest, the protected application servers were hardened by each defender. The servers and the application were then attacked by an independent third-party professional hacker team. The overall conclusion was that the study approach provided a good way to evaluate information risks, control requirements, and the cost(s) of alternative solutions to meet those requirements by using a combination of company resources and an external supplier(s). It also provided a very effective means to stimulate staff interest and obtain senior management attention and support.
