I would also recommend that you periodically "test" them. Something as simple as a remote Nessus scan, or an outbound clear text shell. See if they catch it. If they do not, be sure to give them hell.

John

On Fri, Feb 11, 2011 at 8:31 PM, Jack Daniel <[email protected]> wrote:
> Like most things, "it depends". As Josh said, if the outsourced
> vendor does a great job, it can be very good. Big honking "if" there,
> though.
>
> A few questions off the top of my head:
> What are the SLAs, and how are they enforced?
> How long does it take to get changes applied?
> Do you retain ownership of the hardware on premises?
> Do you "own" the configs, or can they flatten the box when terminated?
> Do you have audit rights to the systems?
> What kind of reporting and documentation do they offer?
> Do they guarantee configurations compliant with your regulatory
> requirements?
> What about patching/updating, do they provide a guaranteed update
> window after patches/fixes are released?
> Is it all in writing?
>
> Jack
>
>
> On Fri, Feb 11, 2011 at 7:12 PM, Matthew Perry <[email protected]> wrote:
> > All,
> >
> > We have been acquired by another company that is used to outsourcing
> > their management and monitoring of firewalls to another company. I
> > have always been against this especially since they would have the
> > keys for any point to point connections. How does everyone else in
> > the pauldotcom community feel about this and is it a standard
> > practice?
> >
> > --
> > Matthew Perry
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> --
> ______________________________________
> Jack Daniel, Reluctant CISSP
> http://twitter.com/jack_daniel
> http://www.linkedin.com/in/jackadaniel
> http://blog.uncommonsensesecurity.com

--
John Strand
Office: (605) 550-0742
Cell: (303) 710-1171
