Security Oversight with Managed Service Providers

CJ Hurd
Jul 9, 2020 1:00:00 PM

The outsourcing of information technology (IT) functions has become incredibly common with businesses, especially among small and medium sized companies. There are many benefits to outsourcing IT. For one, the cost is normally much lower than hiring even a single employee to manage IT for you. The tools and technology available such as 24-hour monitoring, offsite backups, and the use of a ticketing system are usually included in the services being provided. You also will be gaining a team of experienced IT personnel that require very little training.

As a Virtual Chief Information Security Officer (vCISO) for multiple organizations, I have had the privilege of working with numerous managed service providers (MSP). Some experiences good and some on the not so good side. One of the biggest drawbacks I have seen is from a security perspective. I am going to share some of that perspective in the hopes that you will be better prepared when the time comes to work with or manage your MSP.

1. Set Expectations from the Beginning
What you expect from your MSP should be discussed and included in the contract. A service-level agreement (SLA) should be in place that clearly sets response times and includes the systems and tasks that the MSP is responsible for. Willy-nilly is not the right approach here. You need to know exactly what you are getting from your MSP!

2. Reporting
Monthly reports should be provided by the MSP that include but are not limited to:

  • Ticket summary
  • Patching summary
  • Anti-virus status and report
  • Backup report
  • Software inventory
  • Remote access logs
When you go through any kind of audit or risk assessment (which should be annually), these reports will be the backbone of the evidence provided to the auditor. Without these reports, not only will you not know the status of these services, but it will be very difficult to prove to your stakeholders, third party vendors, or an auditor that they are being completed.

3. Security
Honestly, security is the most important piece and really was intended to be the focus of this blog post. Security should encompass everything we have covered up to this point. Security needs should be approached from the very beginning of the engagement. The MSP will be an extension of your company during any assessment or audit. When an MSP onboards or offboards an employee who will have access to your system, you should know about it. If an employee is terminated from your MSP, you should be notified, and all passwords should be changed. A vendor questionnaire should be completed by the MSP

before even entering into a contract. This allows you to gather information around the security controls that they have in place and lets them know that security is going to be important in this relationship! An example question: Do you complete a background check on all employees? If the answer is no, and you are a company that has PII, PHI, or sensitive company information that this employee will have access to, are you comfortable giving this person access to it? I know I would not be!

The management and oversight of any third-party or contractor is a necessary responsibility that no organization can take lightly. Make that third-party an MSP and multiply that necessary responsibility by ten! Be sure you have attached the appropriate level of due diligence around vetting and managing your MSP both before onboarding one and during your time with them as a part of your team. Contact us today to learn more and discuss your unique situation!

You May Also Like

These Stories on Vendor Management

Subscribe by Email

No Comments Yet

Let us know what you think