and their implications to professional conduct. Raising awareness is certainly an
excellent step toward broader acceptance of and compliance with ethical precepts.
Is all this the responsibility of the IA architect? It is, in the sense that IA²
does provide insight into ethical considerations and challenges of policy adherence
and compliance management. Too often IA and security measures are viewed as
invasive, snooping, and big brother incarnate. IA can, however, be presented as an
ethical approach to conducting business. Ethics creates a standard for behavior. If a
person believes he has a right to do as he wishes, steal what he wants, and generally
use others to get ahead, this creates a difficult environment for the organization
to operate securely and poses extreme challenges for the IA professional. Insider
threats are real threats; they can be far more insidious than a direct outside attack.
An ethics program is part of preempting the insider threat.
5.9.5 Vendor Relations
5.9.5.1 Vendor Roles in the IA
One of the first questions in implementing IA is buy versus build and in-house versus
outsource. Is the right talent available? Can that talent be hired? Is that talent
affordable? Is it worth diverting focus from core competencies to run IA in-house?
These are just a few of the pertinent questions in the buy versus build scenario.
There are many excellent IA COTS products, a far less expensive and complex
option than building.
When decomposing the IA implementation process, consider the following
needs: IA architecture, design, installation, configuration, compliance verification,
training, and operations and maintenance (O&M). Further, consider the in-house
talent and tolerance to handle any or all these tasks. Outsourcing to a managed
security service provider (MSSP) may produce a better IA outcome.
5.9.5.2 Vendor and Product Selection
Vendor and product selection evaluates both the technology (the product as a viable
solution) and the organization (the vendor as a viable company). Organization considerations
include sales and service; local, regional, national, and international
presence; number of people; years in business; long-term viability that includes
appropriate financing; and more. Evaluating the organization determines if it is able
to provide the level of service necessary for implementation, maintenance, patches,
upgrades, and new releases. Technical considerations include product features,
both breadth and depth. Looking at product feature breadth (horizontal features)
examines the number of features and the relative importance of those features to
Common-off-the-shelf solutions (COTS).