Information Security Governance Papers

Paper Title: Security Services and Products Acquisition

Abstract: Information security services and products are essential elements of an organization’s information security program. Many products and services to support an agency’s information security program for information systems are widely available in the marketplace today, and are frequently used by federal agencies. Security products and services should be selected and used within the organization’s overall program to manage the design, development, and maintenance of its information security infrastructure, and to protect its mission-critical information. In the acquisition of both, agencies should apply risk management principles to aid in the identification and mitigation of risks associated with the acquisition.
In the acquisition of information security products, agencies are encouraged to conduct a cost-benefit analysis as part of the product-selection process – one that also includes the costs associated with risk mitigation. This cost-benefit analysis should include a life cycle cost (LCC) estimate for the status quo and one for each identified alternative while highlighting the benefits associated with each alternative. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-36, Guide to Selecting Information Technology (IT) Security Products, first defines broad security product categories and specifies product types, product characteristics, and environment considerations within those categories. The guide then provides a list of pertinent questions that agencies should ask when selecting products.
As with the acquisition of products, the acquisition of services bears considerable risks that federal agencies must identify and mitigate. The importance of systematically managing the process for acquisition of information security services cannot be overstated because of the potential impact associated with those risks. In selecting this type of service, agencies should employ risk management processes in the context of the information security services life cycle, which provides an organizational framework for information security decision makers. NIST SP 800-35, Guide to Information Technology Security Services, provides assistance with the selection, implementation, and management of information security services by guiding the reader through the various phases of the information security services life cycle. Information security decision makers must consider the costs involved, the underlying security requirements, and the impact of their decisions on the organizational mission, operations, strategic functions, personnel, and service-provider arrangements.
The process of selecting information security products and services involves numerous people throughout an organization. Each person involved in the process, whether on an individual or group level, should understand the importance of security in the organization’s information infrastructure and the security impacts of their decisions. Depending on its needs, an organization may include all of the personnel listed below or a combination of particular positions relevant to information security needs.

Chief Information Officer;
Contracting Officer;
Contracting Officer’s Technical Representative;
Information Technology (IT) Investment Review Board (IRB) or its equivalent;
Security Program Manager;
Information System Security Officer;
Program Manager (Owner of Data)/Acquisition Initiator; and
Privacy Officer.

Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf