Security Summary
Protecting the customer's and the ASP's data from malicious attacks, whether intentional or unintentional, is what security management is about. A clear understanding of what security management is and how the ASP and its customers can implement it is critical, including which security policies are in place and what level of security must be achieved. The SLA itself and the level of security it promises must be defined, and appropriate security measures taken to deliver that level. Security measures span people, processes, and technology. Processes cover communication, upgrades, and the procedures that surround security management. Personnel must be trained so that they understand and can implement all the security measures and the evolving technologies that accompany them.
All of these aspects should be considered together to ensure that the level of security meets the requirements of the ASP's customers.
Other information
Acronyms
AD: Active Directory
ASP: Application Service Provider
CCTA: Central Computer and Telecommunications Agency (UK)
CI: Configuration Item
CMDB: Configuration Management Database
CRAMM: CCTA Risk Analysis and Management Method
CRM: Customer Relationship Management
EFS: Encrypting File System
ESF: Enterprise Services Framework
ITIL: IT Infrastructure Library
LDAP: Lightweight Directory Access Protocol
MOF: Microsoft Operations Framework
MRF: Microsoft Readiness Framework
MSF: Microsoft Solutions Framework
NTFS: NT File System
NTLM: NT LAN Manager
PKI: Public Key Infrastructure
SLA: Service Level Agreement
SSL: Secure Sockets Layer
UPN: User Principal Name
VPN: Virtual Private Network
Bibliography
The following books are the references and recommended reading for this white paper; they help to deepen the understanding of the concepts covered here:
Security Management, IT Service Management Forum/CCTA, ITIMF Ltd., ISBN 0 330014 X.
Contingency Planning, IT Service Management Forum/CCTA, ITIMF Ltd., ISBN 0 11 330524 9.
Capacity Management, IT Service Management Forum/CCTA, ITIMF Ltd., ISBN 0 11 330544 3.
Service Level Management, IT Service Management Forum/CCTA, ITIMF Ltd., ISBN 0 11 330521 4.
Availability Management, IT Service Management Forum/CCTA, ITIMF Ltd., ISBN 0 11 330551 6.
Security Management References
This section collects all references cited in the main body of this article, listed alphabetically by topic.
Active Directory
http://www.microsoft.com/windows2000/guide/server/features/activedirectory.asp
ASP Industry Consortium
http://www.aspindustry.org/
Best Practices
http://www.aspindustry.org/members/BestPractices/DeliveryModel.cfm
http://www.microsoft.com/ISN/downloads/Best Practices documentation for ASPs.zip
CCTA Risk Analysis and Management Method (CRAMM)
http://www.crammusergroup.org.uk
Forum for Incident Response and Security Teams (FIRST)
http://www.first.org/about/first-description.html
Gartner Group, J. Pescatore, "Critical Security Questions to Ask an ASP", DF-10-0972, February 2000
http://www.gartner.com/
International Information Systems Security Certification Consortium
http://www.sans.org/snap.htm
IT Infrastructure Library
http://www.itil.co.uk/
Microsoft Operations Framework
http://www.microsoft.com/enterpriseservices/MOF.htm
Microsoft Telecommunications Consulting Practice, Steve Riley, "Network Security Best Practices", 7 August 2000
http://www.microsoft.com/technet/
Microsoft Terminal Services Scaling
http://www.microsoft.com/windows2000/library/technologies/terminal/tscaling.asp
http://www.microsoft.com/WINDOWS2000/library/resources/reskit/tools/hotfixes/tscpt-o.asp
Microsoft Windows 2000 Performance Tuning
http://www.microsoft.com/WINDOWS2000/guide/platform/performance/reports/perftune.asp
Microsoft .NET
http://www.microsoft.com/net/
Microsoft Windows Management Instrumentation
http://www.microsoft.com/ISN/downloads/Operations for ASPs.zip
Microsoft Enterprise Services Framework (ESF) publications
http://www.microsoft.com/enterpriseservices/
Authors
Unisys Corporation: Jeroen Bom, Joe Helm, Hilda Willems, Tom Wu
Microsoft Corporation: Kathryn Rupchock, Kent Sarff
Appendix A: The Security Section of the SLA
The following topics need to be addressed in the security section of the SLA:
General information security policy
Permitted access methods, and the management and use of user identifiers (IDs) and passwords
The ASP's obligation to maintain the list of authorized persons
Agreements on auditing and logging
The obligation to record the ASP's security-related management activities
The dates and times during which the solution is valid (taking recovery of equipment into account where necessary)
Obligations of customers, vendors, and the ASP (in line with the responsibilities of each party)
Steps to protect the ASP's and the customer's assets, including information
Responsibility for legal matters
The right to monitor the activities of customers and vendors (and the right to revoke that access)
Responsibility for installation and maintenance of equipment and software
The right to verify compliance with contractual obligations
Restrictions on the copying and disclosure of information
Methods used to ensure that information or goods are destroyed or returned when the SLA terminates
Any physical security measures that are required
The process for managing information security within the ASP
Steps to ensure that security measures are applied faithfully and effectively
Training of users (both internal and external) in security policies, methods, and procedures
Measures to prevent the spread of computer viruses and other attacks
Authorization steps for granting a user access permissions