Skip to main content

Resources

Choosing a Managed Service Provider

Choosing a Managed Service Provider

Hiring an Expert to Manage Your Technology

As the cost of technology and cloud computing have decreased in contrast with the cost of hiring talented technology professionals, more organizations are looking at outsourcing the management of their IT infrastructure today than ever before. The idea of hiring a third party whose expertise is IT management to handle all of your network-related technologies, devices, and issues is an appealing one. However, like any big decision, outsourcing the management of your network to a Managed Services Provider (MSP) should not be made quickly or without careful consideration.

 

Start with Vendor Management

Any time your organization chooses a new vendor, the vendor selection process should be considered carefully. This is especially true with a Managed Service Provider who will likely end up with full administrative access to your entire network. You should carefully review your vendor options and compare several vendors (a comparison of three vendors at minimum is recommended). Ideally, the vendor selection review process would involve a review of both due diligence documentation (for all vendors) and a contract (for the vendor you’re most likely to engage).


There are several important things to discuss and review as part of the due diligence process. Some examples might include a review of your potential vendor’s:

  • IT Risk Assessment process
  • Documented Information Security Program
  • Incident Response Plan and Notification Process
  • Any Audits or Exams the Vendor has undergone, such as a SOC2 Type 2 Report
  • Any certifications and education of the Vendor’s critical employees, such as a CISSP, CISM, or similar certification


SBS has written several posts related to the concept of Vendor Management. Please see the Resources section below for more detail and links regarding Vendor Management best practices. SecureTheVillage.org has also written an excellent article titled “Code of Basic IT Security Management Practices” which details numerous helpful considerations when looking for a Managed Service Provider.

 

Look for a Security-First Posture

When your organization begins interviewing Managed Service Providers, information security should be one of your top priorities. MSPs often have an information technology (IT) first mindset. An IT mindset tends to focus on convenience (make it easy to use) and availability (make sure it works when we need it to work). While convenience and availability are very important when outsourcing the management of your network to a third party, unfortunately, this mindset doesn’t always prioritize information security. An IT first mindset will often neglect strong information security controls because it’s more convenient for you (and ultimately the MSP). An information security (IS) first mindset focuses more about locking down the network (protection) and less about ease of use.


Make sure you discuss with each potential MSP their plans to secure your network. If the vendor is willing to have this discussion early and openly, that is generally a good sign. Vendors that are up-front and open to discussing good security practices tend to be better partners in the long run, especially when it comes to customer services, response time, and protecting your organization and data. Some MSPs may try to avoid this conversation altogether. This could mean two things. First, that the vendor simply lacks expert knowledge of strong information security controls or frameworks. Worse still is the possibility that the vendor has something to hide, such as a lack of response time to requests or the findings and recommendations you’re likely to receive as a result of your own IT-related assessments or exams.


Along with a willingness to talk security, your vendor should also be willing to have independent IT reviews or assessments. Strong, security-minded Managed Service Providers will have no problem with a third party coming in to test their security posture through assessments such as a Penetration Test, Vulnerability Assessment, or IT Audit. It’s even better if the MSP has already had such assessments performed, and they’re happy to share the results with you. Your organization may wish to include the ability to perform these assessments through an independent source in the contract.

 

Consider Regulatory Experience

If your organization operates in a regulated industry, such as banking or healthcare, experience and knowledge of regulation is a great asset. Managed Service Providers who have this kind of regulatory experience are going to be easier to work with, especially as regulation continues to be expanded year after year.


If a vendor does not have any expertise with your industry’s regulatory guidance, this wouldn’t necessarily exclude them from being a reliable vendor. However, your organization will want to perform extra due diligence and have discussions with the vendor to ensure their willingness to comply with all requirements.

 

Monitoring the MSP Going Forward

Finally, it is critical to make sure you perform strong vendor selection processes from the beginning, rather than try to complete the vendor selection documentation after the fact. Remember, you can outsource a process to a vendor, but you cannot outsource the risk to your organization. Your customers will not care if the MSP is the cause of a data breach; the blame will fall on your organization regardless.
 

It is critical to ensure any Managed Service Provider relationship includes regular reports and review procedures, such as:

  • Patch Management Reports – what is the MSP’s patch management process, what patches have been installed, what has been excluded, and what is their patching frequency?
  • Change Management Reports – what changes and updates has the MSP made to your organization’s hardware and software recently?
  • Security Incident Reports – what malware infections, intrusion attempts, and other security incidents have occured on your network or theirs?
  • Remote Access Reports – who is logging into your network remotely at what times and for what reason?
  • Backup Reports – are backups being completed successfully and as expected? Are backups being tested to ensure their integrity?


A proper decision and reporting structure is important. Your organization should not allow a Managed Service Provider to make changes to the network without discussing and approving those changes with you. The process should be defined and required by contract.


Additionally, your organization needs to retain some form of administrative access to your own network as a contingency. If something goes wrong or if the vendor becomes unavailable for whatever reason, be sure that you can still access your own hardware, devices, and information regardless of the MSP’s availability.

 

You Can’t Outsource Risk

Selecting any new vendor can be a difficult process, but extra care must be taken with an MSP. Remember, as mentioned above, you can outsource a process to a vendor, but you cannot outsource the risk to your organization. Therefore, it is very important you follow all the steps outlined above and carefully consider who you decide to partner with. 

 


Written by: Jeff Dice
Information Security Consultant - SBS CyberSecurity, LLC


 

SBS Resources:

  • {Blog} Vendor Management: How Should I Categorize my Vendors?: Maintaining an efficient vendor management program is a necessity for a responsible organization’s understanding of outsourcing risk. Your vendor management program can be a headache or an asset, depending on how effectively you manage it.
  • {Blog} SOC 2 VS. SOC For Cybersecurity Reports: There are a variety of different types of SOC reports, including SOC 1, SOC 2, and SOC 3, as well as the newest member of the team – the SOC for Cybersecurity. While each report has its own purpose, we’re going to dive into the difference between the SOC 2 and SOC for Cybersecurity reports.
  • {Blog} Technology Service Provider Contracts (FIL-19-2019): You might think you have vendor management and business continuity figured out, but don’t be so sure. The FDIC’s FIL-19-2019 highlights observations from recent examinations revealing that financial institutions may be unaware of the gaps that often exist between a technology service provider's contract and your expectations.
  • {Cyber Byte Video} Vendor Documentation Gathering: Are you collecting all the documentation you need to complete a proper vendor review? In looking at the Third Party Management Process we don't find much detail when it comes to the documentation gathering phase. However, it is a critical step when considering a third party relationship. This CyberByte video will cover the types of documentation and requirements you will want to include in your third party management process.
  • {Servcie} Full-Service Vendor Management: SBS security experts will get to work for you by taking on the daunting responsibility of Vendor Management. Your organization will be able to make better data-driven security decisions without having to do all the background work.

 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Vendor Manager


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, September 27, 2019
Categories: Blog