Page 120 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

throughout their deployment life span. Minimizing inherent threats in acquired elements will reduce security management costs and likely reduce security violations.

It is important to evaluate the risks associated with hardware, software, and services. Products and solutions that have resilient integrated security are often more expensive than those that fail to have a security foundation. However, this additional initial expense is often a much more cost-effective expenditure than addressing security needs over the life of a poorly designed product. Thus, when considering the cost of a merger/acquisition, it is important to consider the total cost of ownership over the life of the product's deployment rather than just initial purchase and implementation.

Acquisition does not relate exclusively to hardware and software. Outsourcing, contracting with suppliers, and engaging consultants are also elements of acquisition. Integrating security assessments when working with external entities is just as important as ensuring a product was designed with security in mind.

In many cases, ongoing security monitoring, management, and assessment may be required. This could be an industry best practice or a regulation. Such assessment and monitoring might be performed by the organization internally or may require the use of external auditors. When engaging third-party assessment and monitoring services, keep in mind that the external entity needs to show security-mindedness in their business operations. If an external organization is unable to manage their own internal operations on a secure basis, how can they provide reliable security management functions for yours?

When evaluating a third party for your security integration, consider the following processes:

On-Site Assessment: Visit the site of the organization to interview personnel and observe their operating habits.

Document Exchange and Review: Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Process/Policy Review: Request copies of their security policies,