Risk Considerations for Managed Service Provider Customers
Provided by: Cybersecurity & Infrastructure Security Agency (CISA) September 2, 2021
To aid organizations in making informed Information Technology (IT) service decisions, the National Risk Management Agency (CISA) developed this set of risk considerations for Managed Service Provider (MSP) customers. This framework compiles information from CISA and its IT and Communications Sector partners to give organizations a resource for making risk-informed decisions as they determine the best solution for their unique needs.
Strategic Priorities for Small and Medium-sized Businesses
Small and medium-sized businesses (SMBs) may not have the financial resources or technical expertise to develop and maintain a comprehensive enterprise risk management plan but will nonetheless face risk management decisions when weighing whether to outsource IT services to an MSP.
SMBs should catalog which assets are the most critical to operations and characterize the risk to those assets. This allows organizations to prioritize which assets should be included in or excluded from vendor agreements and to develop specific contingency plans for incidents affecting those assets.
SMB owners can then weigh risk management decisions by determining the following factors in potential vendor agreements:
- Which tasks and responsibilities will the MSP take on?
- Which will the SMB continue to execute?
- Which tasks and responsibilities will be shared?
Request the following from an MSP before signing a contract:
- Specific performance-related service level agreements
- Confirmation that the individual signing for the MSP is responsible for the security of the product or service, and a requirement to notify the customer of any change of MSP ownership or leadership
- Detailed guidelines for incident management
- Remediation acceptance criteria that define the steps the MSP will take to mitigate known risks
- Statement from the vendor on how data from different clients will be segmented or separated on the vendor’s networks
- Detailed guidelines for log and records maintenance
- Documentation of employee vetting to minimize the risk of intellectual property theft, manipulation, or operational disruption
- Transition plan to support a smooth integration of the MSP’s services
- Notification of any sub-contracts that would potentially expose the organization’s data to another external party
- Protocol for planned network outages or other maintenance activities that could interrupt business operations
- Documentation of MSP
Considerations for Tacticians
- Define the MSP’s expected privilege and access levels prior to the contract award
- Apply a Zero Trust security model, including the Principle of Least Privilege, to any MSP or affiliated sub-contractor and assign only the minimum necessary rights for the shortest necessary duration
- Review and verify connections between MSP and internal systems
- Restrict Virtual Private Network (VPN) traffic to and from an MSP to a dedicated VPN connection
- Implement strong operational controls and manage authentication, authorization, and accounting procedures; ensure that managed service providers' accounts are not assigned to administrator groups and are restricted to only the systems they manage
- Maintain offsite backups of essential records and network activity logs
- Validate logs of MSP activity on the network and across the IT enterprise
- Include key suppliers in organizations’ incident response, business continuity, and other contingency planning
- Establish clear protocols for vulnerability disclosure, incident notification, and communication with any external stakeholders during an incident
- Include the MSP in after-action reviews and lessons-learned activities
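As an added illustration of the account controls in the list above (example code, not part of the CISA document), the following audit flags MSP accounts that sit in administrator groups, that can reach systems outside their contracted scope, or whose access has no expiry or has already expired. The group names, host names, and account inventory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Groups that grant broad administrative rights (assumed names for the example).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class MspAccount:
    name: str
    groups: Set[str]                # current group memberships
    reachable_systems: Set[str]     # hosts the account can log on to
    managed_systems: Set[str]       # hosts the MSP is contracted to manage
    access_expires: Optional[date]  # None means standing, non-expiring access


def audit_account(acct: MspAccount, today: date) -> List[str]:
    """Return one finding per violated control; an empty list means compliant."""
    findings = []
    admin = acct.groups & ADMIN_GROUPS
    if admin:
        findings.append(f"{acct.name}: member of admin group(s) {sorted(admin)}")
    beyond_scope = acct.reachable_systems - acct.managed_systems
    if beyond_scope:
        findings.append(f"{acct.name}: reaches unmanaged system(s) {sorted(beyond_scope)}")
    if acct.access_expires is None:
        findings.append(f"{acct.name}: standing access with no expiry date")
    elif acct.access_expires < today:
        findings.append(f"{acct.name}: access expired {acct.access_expires} but still active")
    return findings


def audit(accounts: List[MspAccount], today: date) -> List[str]:
    return [f for acct in accounts for f in audit_account(acct, today)]


# Constructed sample inventory (not real accounts, groups, or hosts).
SAMPLE_ACCOUNTS = [
    MspAccount("svc-msp-backup", {"MSP-Backup-Operators"}, {"bkp01"}, {"bkp01"}, date(2021, 12, 31)),
    MspAccount("svc-msp-patch", {"Domain Admins"}, {"fs01", "hr-db01"}, {"fs01"}, None),
    MspAccount("svc-msp-monitor", {"MSP-Monitoring"}, {"mon01"}, {"mon01"}, date(2021, 6, 30)),
]
REFERENCE_DATE = date(2021, 9, 2)  # the date the audit is run against

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, REFERENCE_DATE):
        print(finding)
```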
For the full CISA Insights report, see: https://www.cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf