MSPs. Managed Service Providers. You have one, right? So, what are you doing to manage your MSP?
“But wait!” I can hear you say. “I have an MSP so that they can manage the service!”
You are right, of course. However, that is not the whole story. You also need to manage your MSP.
The Ties That Bind
Why is that? Because if bad things happen to your MSP, bad things may in turn happen to your organization. Think about the services provided by many MSPs.
- Voice communications
- Video conferencing
- Server hosting
- Backup and restore
- Device management
- Employee benefits
(Yes, cloud service providers are a special case of MSPs.)
Look at the services your MSP provides. Ask yourself how deeply these services are integrated with the rest of your information services. How would you be affected if your MSP suffered some kind of breach? This is why you must manage your MSP.
Consider these two analogies. One is a bit far-fetched. The other… not so much.
- You decide to fly home for the holidays so you can visit your parents. You buy a ticket on Southwest Airlines because the price is right and they have a good service record. A mega-storm hits. Southwest does not know where its flight crews actually are, because its system presumes they are wherever their last flight was destined. Also, Southwest saved some cash by not signing any interlining agreements with other airlines, so it will not book you on another airline’s flight. The result? You are stuck inside of Mobile, with the Memphis blues again. (Apologies to Bob Dylan.)
- You contract with an MSP to manage the printers in your organization. The MSP has installed an agent on each printer that helps the MSP manage the devices. The agent contains open-source NodeJS code. The MSP missed the security alert about a NodeJS vulnerability. You find out that all of your printers have been compromised through that NodeJS vulnerability.
Use Compliance Tools to Manage Your MSP
You may have been asked by auditors to demonstrate your compliance with NIST 800-171, CIS or another standard. Why not ask your MSP to describe their compliance with some of these same requirements? Here are some requirements from NIST 800-171 that are relevant for MSPs.
- Requirement 3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- Requirement 3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- Requirement 3.3.2: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
- Requirement 3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- Requirement 3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
I could go on. As with your own NIST compliance, many of the requirements could be relevant for your MSP, and some will not be. You will not find a “requirements for MSPs” section in the standard. You can start by asking what standards you and your organization are being held to. It makes sense to manage your MSP by holding them accountable to the same standards. Right?