NIST: Guide to Information Technology Security Services

Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. Organizations can benefit when choices among services and service providers stimulate competition and bring innovation to the marketplace. However, it is difficult and challenging to determine service provider capabilities, measure service reliability and navigate the many complexities involved in security service agreements. Individuals who are responsible for selecting, implementing, and managing IT security services for an organization must carefully evaluate their options before selecting resources that will be entrusted to meet their particular IT security program requirements.