Level 3 Communications

Dale Drew

8 Critical Security Questions to Ask Your ISP

There’s no question that cybercrime dominates headlines these days. In today’s digital, hyper-connected business ecosystem, there is virtually no industry, organization or part of the world that’s safe from attack. So, it’s hardly surprising that many organizations are looking outside their own walls and upstream to their Internet Service Providers (ISPs) for help protecting their critical infrastructure.

Given their unique access and insights into data traffic, ISPs are positioned to help cut off bad traffic before it has a chance to wreak havoc within your networks. But before you designate your ISP as the first line of defense protecting your information, it’s critical you ask the right questions to find out how they protect their infrastructure…and, ultimately, your data.

Critical questions for your ISP

1. How do you protect access to the management of your critical infrastructure?  

    a. It is imperative for service providers to separate their production systems and customer data from their employee desktops and data center environments.

2. How many separate security groups do you have protecting your systems and do they all use the same approach?

    a. Many organizations maintain multiple security functions internally. This can cause resource conflicts, as well as different approaches in protecting internal infrastructure – a method that is highly inefficient and fraught with opportunities for failure.

3. Do you use the same services you sell to protect your own systems?

    a. If your ISP doesn’t trust their own products and services to protect their infrastructure and data, why should you trust them to protect yours?

4. How do you protect your network from attacks, such as DDoS attacks?

    a. Make sure you understand and feel comfortable with how your provider can protect its network infrastructure from large distributed denial of service (DDoS) attacks.

5. Do you take active steps to identify “bad” traffic on your network? What actions, if any, do you take to notify victims of the attack?

    a. Find out if your ISP monitors bad actors and known bad activity on its network.

    b. Ask the ISP whether they proactively block bad traffic on their backbone.

    c. If they do notify victims, how do they do so and within what time frame?

6. Do you undergo regular audits and maintain certifications?

    a. Find out if your ISP maintains industry-recognized certifications such as ISO 27001 or SSAE16.

        - Be sure to ask for a copy of the audit scoping document. The scoping document describes which systems and controls are in scope. Often, the scope can be significantly reduced, undermining the effectiveness of a certification.

        - Third-party audits may spot problems missed by the ISP’s internal teams. An audit can help ISPs identify risks to their platform by reviewing policies and procedures, as well as network and system configuration.

7. Do you encrypt data center communications that include customer data?

    a. Have your ISP spell out the processes for access to your data. Make certain your data is encrypted within and between your ISP’s data centers. And find out whether a range of encryption capabilities is offered to best suit your needs.

8. How do you provide remote access to customer data for employees and vendors?

    a. Check for access monitoring and identity and password authentication best practices.

Don’t worry – asking these questions isn’t overstepping the boundaries of being a “good” customer. ISPs with your best interests in mind won’t mind being transparent about their security practices to help make sure you have found the right fit for your business needs. 

