What insurance does the vendor have in the event of an IT security breach?
Question No. 7: What insurance coverage does the vendor have in the event of an IT security breach, and what is its incident response plan and process?
No security vendor assumes the risk of a full-out security breach. They do, however, provide SLAs and other services to mitigate risk. The longer an engagement runs, the more likely a security breach becomes. Any outsourcing negotiation should therefore set out the protocol and guidelines for who assumes the risk in these situations. The shared model is shared risk with your provider in the event that their failure to meet SLAs contributed to the breach.
Putting security controls in place to mitigate risk is important. The next question is, "What is the incident response plan and process to immediately close the vulnerability and work with research, forensics and broader law enforcement entities?"
Question No. 8: What cyber-forensics capabilities are there?
Security response and business process are just as important as the ability to effectively manage security policies and estates. The threat today has changed from a decade ago. It is not about fame and bringing down the stock exchange. It is about getting in, stealing your data and then leaving no trace behind. The threat knows how to spot and exploit vulnerabilities, and especially how to weave in cleverly blended attacks.
The ability to stop thieves mandates top industry expertise, not only to correlate events between security controls, but also to know the attackers' tricks and how to head them off at the pass before they happen.
Part of any engagement should include vulnerability and penetration testing, and even ethical hacking, using the best tools and the best security engineers.