ROLE-BASED ACCESS CONTROL (RBAC)

1. Are you enforcing least privilege for all systems?
2. How do you manage additions, moves and changes of users and their rights?
3. Do you require different credentials for every client?
4. How are credentials changed when employees who may have had access leave your firm?
5. How often do you review user rights to ensure against access creep?

AUTHENTICATION MANAGEMENT

1. Are you using multifactor authentication for all network access and privileged/admin functions?
2. Do you validate the identity of individuals inquiring about client systems and/or requesting support?

PASSWORD MANAGEMENT

1. Are you using complex passwords of at least 12 characters?
2. How often are password changes required?
3. Do you use a password library and past-password validation checks?
4. Do you require that no password for any user be set to never expire?
5. How often are the passwords of privileged/admin or other management accounts changed?

SESSION MANAGEMENT

1. Do you use account lockout functions for failed access attempts?
   a. How many attempts?
   b. How long?
   c. What is the reset function?
   d. How is this process audited for potential nefarious activity?
2. Do you have idle account lockout configured?
   a. If yes, how long before lockout?

Questions To Ask Your MSP | 10
A CIO Guide to Choosing an IT Service Provider