The following summarizes the Guide of Basic IT Security Management Practices. These are written from the perspective of an outside IT vendor or MSP, but the concepts transfer readily to an in-house IT organization.
Information Security Management: The IT Service Provider manages its own information security by means of a formal documented Information Security Management Program designed to protect the confidentiality, integrity and availability of its information and the information of its clients in accordance with commercially reasonable information security management standards appropriate for a company with its security-risk profile and the security-risk profiles of its clients.
Information Security Subject Matter Expertise: The IT Service Provider has access to appropriate information security subject matter expertise.
Security Management of the IT Interface: All access by the IT Service Provider to a client’s network is protected in accordance with documented procedures, based upon the Center for Internet Security (CIS) Critical Security Controls (See Mapping of CIS Controls to STV Basic Guide).
Security Management of the IT Network: The IT Service Provider formally manages the security of its clients’ IT networks in accordance with documented standards based upon the Center for Internet Security (CIS) Critical Security Controls (See Mapping of CIS Controls to STV Basic Guide).
3rd-Party Security Assurance: The IT Service Provider follows a formal documented process — in accordance with documented standards based upon the Center for Internet Security (CIS) Critical Security Controls (See below) — to ensure the security of 3rd parties having access to customer information or information systems, including solution providers, cloud service providers, backup/recovery systems, etc.
Information Security Review with Clients: The IT Service Provider meets periodically with each client, at least quarterly, to review the client’s information security profile.