Service Recovery

These questions are designed to ensure that your IT service provider is available when you need them.

BACKUPS

1. Are your internal and external backups encrypted?
2. If backups are encrypted, how are the keys managed?
   a. Who has access?
   b. How is access audited?
3. Do system redundancies, backup, or other functions result in client data potentially leaving the United States?
4. Are backups stored offsite and out of reach of threat actors?
5. Are backups protected by multifactor authentication and is there restricted access?
6. What specific insider protections do you have in place to protect systems from both employees and potential threat actors?
   a. Could a domain administrator delete, corrupt, disable or otherwise interfere with or damage your backups?
   b. Is there insider protection and integrity monitoring for backups?

RECOVERY PLANNING

1. Do you have a documented Business Continuity Plan? If yes:
   a. When was the last test?
   b. What was the result?
2. Do you have a documented Disaster Recovery Plan?
   a. If yes, when was the last test?
   b. What was the result?
3. What are the RPOs and RTOs for your core services that support services we are receiving?

Questions To Ask Your MSP | 15