Topic subject: Information technology Vendor Performance
Posted: Sun Jan 04, 2009 1:34 am
Many organizations have outsourced all or part of their security to a third-party contractor. While outsourcing continues to be a hotly debated topic in the IT industry, this practice can offer several benefits. One such advantage is security vendors' exceptionally well-trained and experienced staff, which means your company doesn't have to incur the costs of building and maintaining information security skill sets.
However, while outsourcing contracts are generally specific about duties and responsibilities, they're much vaguer when it comes to measuring success. Regardless of whether your security vendor receives incentives for service performance, your company needs to be able to quantify its efforts and determine if it's getting the best bang for its buck.
If you're having a hard time coming up with a list of areas to use for judging vendor performance, I suggest looking to U.S. government standards. Although they tend to be lengthy, they do provide measurable areas for your organization to use when writing and reviewing service-level agreements (SLAs).
One of the most widely used federal standards is the Federal Information Processing Standards (FIPS) Publication 200. This document specifies minimum security requirements that your company can use to judge performance in a wide variety of security functions.
The publication details 17 specific security-related areas that encompass an information security program. Depending upon the scope of your security vendor's duties, you can use these areas to better judge vendor performance. Let's take a closer look.
- Access control--limiting information system access to authorized users.
- Audit and accountability--creating, protecting, and retaining information system audit records.
- Awareness and training--ensuring users are aware of security risks, and properly educating personnel assigned security-related duties.
- Certification, accreditation, and security assessments--assessing, implementing, and monitoring security controls.
- Configuration management--establishing baseline configurations, and maintaining security configurations.
- Contingency planning--establishing and implementing plans for emergency response.
- Identification and authentication--identifying and validating the identities of users and devices that operate on the network.
- Incident response--establishing and maintaining incident handling, documenting, and reporting capabilities.
- Maintenance--conducting periodic maintenance and upgrades on information security systems.
- Media protection--safeguarding system information (both paper and digital), and sanitizing systems before disposal or reuse.
- Personnel security--ensuring personnel meet established security criteria and comply with security policies and procedures.
- Physical and environmental protection--limiting physical access to information systems to authorized personnel, and protecting information security systems from environmental hazards.
- Planning--developing, documenting, and updating security plans.
- Risk assessment--conducting regular assessments of security risks to the organization's information systems.
- System and services acquisition--maintaining life cycle replacements, and ensuring protection from outsourced equipment, applications, and services.
- System and communications protection--monitoring communications at key boundaries, and using security best practices.
- System and information integrity--identifying, reporting, and correcting system flaws, as well as protecting against malicious code and monitoring alerts and advisories.

Vendor Selection: Ease of Ordering
- Can you order online?
- Do you need to pay in advance?
- Is it easy to do "tax exempt status"?
- Are rush orders possible?

Vendor Selection: Customer Service
- Is there a toll-free number?
- Are there convenient hours to contact?
- Are returns easy?
Vendor Evaluation: How
- Pilot project: 3 months, 6 months, or 1 year
- Ongoing: every 6 months, or once a year
- Nearing end of contract (if you have a signed contract)

Vendor Evaluation: Data Needed
- Fulfillment: How many of the orders were filled? How many were cancelled?
- Delivery: How quickly did orders arrive? 1 day? 1 week? 30 days?
- Discount: Were the quoted discounts on the invoices?
- Shipping: Did the materials arrive appropriately marked? Were the invoices present? Were any materials damaged? Were there short shipments?
- Customer service: Were staff available to answer questions? Were returns accepted and/or credit memos issued?

Vendor Evaluation: Data Collection
Library automation system reports:
- Orders placed
- Invoices paid
- Cancellation reports
- Vendor performance reports
_________________ Currently programming with: java, html, php, and javascript. (OCJP-6 certified)