In our weekly Library Card Series we highlight a selection from our resource library to help introduce the content to our industry partners.

In this week’s Library Card Series Post we will be looking at the Cybersecurity and Infrastructure Security Agency’s (CISA) post on Managed Service Provider Customers. The guide provides risk management planning to help organizational leaders who may out-source some information technology (IT) capabilities of their business. The goal of this guide is to help organizations make informed decisions by preparing for critical breakdowns when outsourcing cybersecurity work to managed service providers (MSPs). Attackers often focus on dismantling trusted relationships and network access granted by IT vendors, so it is crucial that the security of these business relationship is considered. The recent Kaseya attack in Florida, which potentially impacted as many as 1,500 customers shows the impact event a single security breach can have.

Strategic Decision Making:

CISA says that senior executives must balance cost effectiveness and efficiency with reliability and security when considering whether to outsource IT services to an MSP. The following are questions senior executives should ask themselves when outsourcing IT services to an MSP-

  • Who should have input on the decision of whether to outsource IT services to an MSP? 
  • Is outsourcing cost-effective when accounting for security requirements and organizational risk thresholds? 
  • Who is responsible for security and operations when outsourcing IT services to an MSP? 
  • What are the most critical assets that we must protect and how do we protect them? 

By answering these questions, executives can make informed decisions on developing response plans, maintaining current protocols, and initiating exercises to prepare for an attack. Executives should also brief their employees on what a third party cyber attack might look like and how to protect against it. Small businesses should also ask themselves what responsibilities an MSP may take on and what responsibilities may be shared between the business and MSP.

Operational Decision Making:

Coordinated operations will reduce supply chain risk and improve system performance. Business executives should lead in coordinating risk management operations and educate employees on the process. An MSP should provide the following examples cited from CISA-

  • Specific performance-related service level agreements, including a clear delineation of operational IT services and security services 
  • Confirmation that the individual signing for the MSP is responsible for the product’s security or service and a requirement to notify the customer of any change of MSP ownership or leadership and internal MSP measures to ensure the security of the organization’s data 
  • Detailed guidelines for incident management, including the MSP’s incident response responsibilities, warranty information, compensation for service outages, and plan to provide continuous support during a service outage 
  • Remediation acceptance criteria that define the steps the MSP will take to mitigate known risks 
  • Statement from the MSP on how data from different clients will be segmented or separated on the MSP’s networks 

Tactical Decision Making:

Control over networks, logs, and all IT functions should be mandated by a given business even when outsourcing IT work to MSPs. By setting clear standards for third party services, businesses should retain authority over all sensitive applications, knowing what is being changed and seen. CISA says businesses should apply a “Zero Trust” policy toward all third party vendors and should maintain the following objectives-

  • Manage supply chain risks 
  • Implement strong operational controls 
  • Manage architecture risks 
  • Manage authentication, authorization, and accounting procedure risks 
  • Review contractual relationships with all service providers

CISA also recommends backing up all important information and data in case of a loss. Also, keeping backup data logs prevents losing all knowledge of where information may be.

To find more valuable resources covering a wide variety of topics, visit the resource section of our website, and check back to our blog every Tuesday for our Library Card Series where we highlight different resources from the library.

On