Computer security services are now an essential requirement for business. Almost every business uses computers, and most of these are connected to the Internet. This technological revolution brings its own information security problems: there are threats from outside (attackers), from inside (accidental or deliberate misuse by staff), and from physical hazards (fire, flood, power cuts, etc.). As a result, many businesses are finding it necessary, for the first time, to consider buying computer security services from specialist suppliers.
There are four general kinds of security service for computers and networks. Each business owner or manager should analyse their information security needs in terms of these four areas, in order to gain a clear idea of what kind of specialist service may be needed.
• Computer security consulting services: An information security consultancy will review your organisation’s existing security arrangements (if any), and offer advice and recommendations which you will then implement. The security firm will be engaged only for a short period, and the output will be a written report, possibly also an oral presentation of the findings.
• Security management: In a longer-term arrangement, the consulting firm may also implement and manage security systems on your behalf. This could be done in two ways: either the firm will supply an interim manager for a defined period, or else you can outsource the ongoing security management to them on a part-time basis for a much longer period. In either case, your firm will benefit from specialist expertise, while at the same time avoiding the considerable costs of a full-time permanent employee.
• Security testing: From time to time there will be a need for independent testing, both of your firm’s systems and of the information security management arrangements around them. This can be done by engaging external security testing services. There are various types of testing service, as follows:
a) Penetration testing of a computer network and its network devices (routers, firewalls, switches), including wireless networks.
b) Application testing of web applications and of other Internet-facing services (e.g. mail servers, FTP servers).
c) PCI DSS scanning: the Payment Card Industry Data Security Standard requires regular external vulnerability scans by an Approved Scanning Vendor (ASV), so any firm that stores, processes or transmits cardholder data will need to engage one to demonstrate compliance.
d) External auditing (possibly against the ISO/IEC 27001 standard for information security management systems): this is especially important for firms that seek certification to an official standard, since the certification body will audit the management system rather than simply test the technology.
• Vendor-specific security services: Most businesses use Microsoft Windows software, and some of these will be running Active Directory on their own servers. Many computer security service providers can help you get the most out of the security facilities already built into this software (for example, its access control and policy features), so that you avoid the expense of buying additional software for the same purpose.
Clearly, there is a very wide range of computer security services available, and it is important to formulate your organisation’s needs clearly in terms of one or more of these service types. A larger company will be able to cover at least some of these areas with its own staff, but smaller firms may need to outsource their requirements for computer security services to specialist organisations. In either case, the person responsible for your firm’s information security should ensure that all IT security services follow industry best practice and, where applicable, current international standards.