A Note from Joe
With the introduction of the cloud, many companies have moved their data centers off-premises, to decreases costs and allow for more flexibility. In addition, companies have looked to Managed Service Providers or MSPs for overseeing their data centers.
MSPs have helped companies cut costs, improve the efficiency of their IT services, and develop frameworks for protecting against cyberattacks. Despite the benefits, outsourcing data does not alleviate companies from their responsibility of overseeing their MSPs. Companies are responsible for ensuring the safe and efficient storage of their data.
For this reason, I highly recommend all to read “Risk Considerations for Managed Service Provider Customers” from the Cybersecurity and Infrastructure Security Agency (CISA). This article provides business leaders with a framework for managing their MSP and ensuring their data security.
While MSPs provide companies with significant advantages to their IT management, they also can bring unforeseen liabilities to an organization, calling for companies to be accountable for their MSP. Therefore, all companies should have practical guidelines for managing their MSP.
To help companies adopt this framework, CISA kindly divided their guidelines amongst three groups who are responsible for overseeing their MSP. This helpful guideline has been summarized below to gain an overall idea of how organizations should manage risk of MSPs.
Senior Executives and an organization’s Board of Directors are responsible for strategic decision-making.
These individuals are in charge of outsourcing their IT management to an MSP. In this process, CISA suggests forming a “Supply Chain Risk Council” made up of individuals across the company to discuss their concerns and requirements in this decision process. Additionally, C-suite executives should conduct a “cost-benefit analysis” examining the financial benefits and challenges of using an MSP.
After deciding to use an MSP, create a “vendor agreement” between the MSP and your organization detailing the roles and responsibilities of each party. In this agreement, it is beneficial to inform your MSP of their role in your company’s Incident Response Plan.
Additionally, part of an effective incident response plan is holding regular meetings, reporting on potential threats to your data, and deciding on what data is at most significant risk and of the highest value to your company.
The second group in managing potential risks of an MSP is your Procurement Professionals, who are responsible for operational decision-making.
Procurement Professionals are concerned with the efficiency and productivity of their team’s performance from the supply chain to their systems operations.
Procurement Professionals must be responsible for their team’s output to discuss the requirements and necessities managers need for the successful output of their IT services and business ventures.
Your operational decision-making team should communicate with their MSP before signing the contract award about the services and expectations they require the MSP to provide about their IT management services.
Finally, the third group apart of a company’s IT Risk Management are “network administrators, system administrators and front-line cybersecurity staff” who make tactical decisions.
Your technology administrators are responsible for the daily management of your MSP, as they must ensure the agreed-upon services are being provided from the MSP. This includes overseeing third-party vendors who might have access to your data.
Furthermore, these individuals should make duplicates of “essential records and network activity logs” in the case of a cybersecurity incident. CISA recommends that these duplicates be kept separate from the MSP and their company site.
Summarized from “Risk Considerations for a Financial Services Provider”.
Although this is a summarized version of their guidelines, the complete article includes a checklist at the end to help guide companies through developing their Incident Response Plan as they mitigate risks of MSPs.
As this article has discussed and the increase of cyberattacks, considering possible risks presented by an MSP and managing them are crucial to your business’s future as organizations have to be prepared in advance of a cyberattack to protect their customer’s data.
I hope this is article serves as a helpful guide in updating your company’s Incident Response Plan in 2022.