Guide to Information Technology Security Services



Timothy Grance, Joan Hash, Marc Stevens, K O'Neal, N Bartol


Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. Organizations can benefit when choices among services and service providers stimulate competition and bring innovation to the marketplace. However, it is difficult and challenging to determine service provider capabilities, measure service reliability, and navigate the many complexities involved in security service agreements. Individuals who are responsible for selecting, implementing, and managing IT security services for an organization must carefully evaluate their options before selecting resources that will be entrusted to meet their particular IT security program requirements. The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization's systems, applications, and information. These considerations will apply (to varying degrees) to every service depending on the size, type, complexity, cost, and criticality of the services being considered and the specific needs of the organization implementing or contracting for the services.
Special Publication (NIST SP) - 800-35


Grance, T., Hash, J., Stevens, M., O'Neal, K. and Bartol, N. (2003), Guide to Information Technology Security Services, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 20, 2024)
Created October 13, 2003, Updated February 19, 2017