Security Services And Products Acquisitions NIST SP 800 100

Information security products and services are important elements of the enterprise information security program. The organization selects the security products and services available in the market and uses them throughout the program to design, develop and maintain its security infrastructure and to protect its mission-critical information.

In addition to the product-selection process, organizations are encouraged to use cost-benefit analysis to estimate the cost of risk mitigation and the life-cycle cost of the product or service. Product and service acquisition carries notable risks that the organization needs to identify and mitigate. Because those risks have potential impacts, the organization should not underestimate the importance of managing the process of acquiring information security services and products. When choosing such services and products, the organization should apply risk management processes within the context of the security service life cycle.

Roles Involved In The Product-Selection Process

The process of choosing security products and services involves the contribution of numerous information security personnel within the organization. They are as follows:

  • Contracting Officer

  • Chief Information Officer

  • Contracting Officer’s Technical Representative

  • Security Program Manager

  • Information Technology (IT) Investment Review Board (IRB)

  • Program Manager

  • Privacy Officer

Information Security Services Life Cycle

The information security services life cycle provides the framework within which security decision makers operate.

(Figure: information security services life cycle)

  1. Initiation: This phase recognizes the need that starts the service life cycle. It includes security categorization, needs determination and the initial risk assessment.

  2. Assessment: This phase creates an accurate description of the current environment before the decision makers can select a service and engage a service provider. It analyses opportunities and barriers, and determines options and risks.

  3. Solution: The decision makers select the proper solution from the options determined during the assessment phase. This phase develops the business case.

  4. Implementation: In this phase the service provider is brought on board. This phase finalizes and executes the implementation plan.

  5. Operations: Here the service life cycle becomes iterative. This phase monitors and measures the performance of the service against the organization's needs, then evaluates and evolves it.

  6. Closeout: This phase chooses the proper exit strategy and implements it.

Selecting Information Security Services

The organization needs to review the status of its current security program and security controls before choosing specific services. The organization should also apply the risk management process to determine an effective combination of management, technical and operational security controls that will mitigate risk to an acceptable level. The type and number of appropriate security controls, and the information security services associated with them, can vary throughout the service life cycle of a given system.

The following table describes the categories of information security services:

(Table: Selecting Information Security Services)

Selecting Information Security Services Management Tools

Because of the potential harm caused by inadequate security, security decision makers and program managers must use effective management tools to improve the chances that the acquired security services succeed. The two essential tools are:

  1. Metrics: Facilitate accountability and decision making through relevant data collection, data analysis and reporting of performance data.

  2. Service Agreement: An agreement between the organization requesting the security services and the service provider. It specifies all the services the provider is to deliver, the service duration, the extent of the service, and so on.

Information Security Services Issues

Implementing a security service and a service arrangement is a complex process, since each security service, like each service arrangement, carries its own associated risks and costs. A decision taken on one issue can have major implications for other areas of the organization.

The following table lists the various types of issues and factors associated with security services, divided into six categories:

(Table: Information Security Services Issues)

General Considerations For Information Security Services

To identify the service provider that best suits the needs of the organization, the decision makers will need answers to a number of key questions. The questions relating to these needs should become part of the organization's standard process for researching and evaluating security providers and their services. The questions should at least cover the following six major issue categories:

  1. Strategic/ Mission

  2. Budgetary/ Funding

  3. Technical/ Architectural

  4. Organizational

  5. Personnel

  6. Policy/Process

Selecting Information Security Products

As with security services, the organization needs to review the status of its current security program and security controls before choosing specific products.

The following table lists examples of common issues to consider before choosing products:

(Table: information security products)

To support the identification and review of such considerations, security managers need to use a set of questions when evaluating a particular product for their program. Examples of product types include intrusion detection, access control, and other information security related products. Before deciding to purchase any type of security product, security managers need to consider the capabilities of the product, its compatibility with other products, and considerations related to the environment in which it will operate.

Organizational Conflict Of Interest

An OCI (Organizational Conflict of Interest) may occur when a party to a contract has a past, present or future interest related to the work to be performed, or already performed, that may reduce its ability to provide technically sound, objective service. The organization is advised to do its best to avoid OCIs before they arise. Throughout the information security services life cycle, organizations should consider the following steps with respect to OCI:

  • Determining whether OCIs exist

  • Mitigating the effect of the OCI to an acceptable level

  • Waiving the OCI

The details above should give the organization a clear understanding of the process and considerations involved in selecting information security services and products.
