Systems Management

These questions are designed to give you a general understanding of your IT service provider's internal controls.

1. Do you have a Bring Your Own Device (BYOD) policy?
   a. How is company/client data managed on these devices?
   b. Do you have a compliance program for BYOD?
2. Are the devices that you manage and use to support clients' systems, or that store clients' data, kept in a private, contained area with restricted access?
3. Are any of your clients' assets in a commingled multi-tenant architecture within your environment or in shared environments contracted for by you?
4. Do you maintain accurate as-built documentation for your network infrastructure?
5. Are you operating with any unsupported hardware or software?
   a. If yes, please explain.
   b. What controls are in place to manage the increased risk?
6. Do you allow Wi-Fi access to corporate assets? If yes, please describe the security measures used to protect critical corporate assets that could impact operations, enable threat actors to gain a foothold or otherwise impact clients.
7. Can you quickly identify new devices attached to your network?
8. Do you have physical and digital controls to disallow the attaching of unapproved devices?
9. What physical measures are in place to protect your devices?
10. Are all physical and system access events individually identifiable and auditable?
A CEO's Guide to Choosing an IT Service Provider