A CEO’s Guide to Choosing an IT Service Provider
Cybersecurity questions for business leaders to ask potential MSP partners
Table of Contents
Overview 3
Company Background 4
More Advanced Vetting 5
Training 6
Frameworks / Compliance 7
Policies 8
Privileged Account Management 9
    General 9
    Role-Based Access Control (RBAC) 10
    Authentication Management 10
    Password Management 10
    Session Management 10
Systems Management 11
Incident Response 12
Critical Patch and Vulnerability Management 13
Detection / Prevention 14
Service Recovery 15
    Backups 15
    Recovery Planning 15
Security Assessments 16
Insurance 17
About the CompTIA Cybersecurity Advisory Council 18
Overview

The decision to select an IT service provider or managed service provider (MSP) is critical to any organization. As a business or technology leader, you need to be prepared to ask the tough, important questions to ensure that your IT provider is qualified to meet your needs. Along with legal and accounting, few service categories require a partner to be trusted with as much sensitive information as your technology provider. Choosing an IT partner means choosing someone who can be trusted to design, access, administer and secure your computer networks and data.

The CompTIA Cybersecurity Advisory Council developed this guide to help you ask the right questions, and solicit the right answers, regarding the support, stability, and security of your systems. In addition, it will help you get clarity around how a service provider treats its own systems, where your sensitive information may be stored, and how remote access will occur. An IT service provider’s weak security practices could result in a cyber incident that in turn compromises its clients’ information too.

Below are recommended questions to consider asking your IT service provider or MSP. The questions should serve as a guideline but can be adjusted to fit your specific needs and complexity. Use this guide as a pre-selection tool to help select a new IT provider, or to help evaluate the partner that you already leverage for technology support. Have your IT provider fill out this form or answer these questions to get the insights needed to help choose the right partner for your company.

Questions To Ask Your MSP | 3
Company Background – Pre-Sales

These are pre-relationship questions a business should ask a prospective information technology service provider. The goal is to help you determine if they are qualified.

1. Do you operate your firm with at least the same level of security as you recommend to your clients? If no, please explain in detail why not and what is different.
2. Do you have qualified security resources who are specifically assigned to keeping your network safe? If no, please explain in detail.
3. If you do not have in-house security experts, do you leverage the expertise of qualified security professionals outside your organization who are responsible for the security and assessment of your systems? If no, please explain in detail why not and what compensating controls / solutions are in place.
4. Have your systems, policies and procedures been independently assessed by qualified professionals outside your organization for security effectiveness and enforcement? If no, please explain in detail what validation processes are used to ensure the above.
5. Has your firm had any core services or systems outages that impacted your ability to operate, support clients’ systems or deliver client services in the last 12 months? If yes, please explain.
6. Has your firm had any significant network (or other system) security incidents in the last 36 months? If yes, please explain.
7. Has your firm ever had a cyber incident determined to be reportable to law enforcement or federal or state regulatory bodies? If yes, please explain.
8. Have you ever made a claim against your cyber liability or breach coverage? If yes, please explain.
9. Has your firm, or any organization it relies upon for client services, ever filed for bankruptcy or receivership?
10. Is your firm currently subject to any civil or criminal investigation? If yes, please explain.
11. Do you subcontract your infrastructure or the services you provide to clients? If yes:
    a. For what areas?
    b. How are these subcontractors vetted?
    c. How are they monitored while working within or at your client’s environment?
    d. Do you require subcontractors to accept terms and conditions in your mutual agreements similar to those signed with your clients?
    e. What kinds of agreements are contractors required to sign when providing services for you or your clients?
    f. Are employees and contractors limited to the minimum access necessary to systems and information?
MORE ADVANCED VETTING

1. Do you run criminal and other personal and professional integrity checks on employees before they are hired?
2. Within the legal constraints of what is allowed, do you limit who may be hired based on criminal history?
3. Do you test employees for illicit drug use before hiring and/or randomly?
4. Do you verify references for all employees and vendors?
5. Do you require attestation of compliance with agreements and cyber hygiene?
6. Do you contact comparable references?

TRAINING

1. Do you provide cybersecurity technical and social awareness training to your employees?
    a. How often?
    b. Are they tested?
        i. How?
Frameworks / Compliance

These questions are designed to ensure your provider can meet your data security and regulatory obligations and that they are compliant themselves.

1. Do you manage your systems following a cybersecurity framework? If the answer is yes, which framework?
2. Do you document your compliance?
3. Is your compliance audited?
4. Are your systems audited for compliance with policies?
5. Can you support governance requirements or cyber insurance obligations?
Policies

These questions are designed to ensure that your IT provider has documented processes and appropriate policies.

1. Please describe your change management process.
2. What is your documentation policy for ensuring that we have all of the documentation we need to operate without your involvement?
3. Please list and describe (by name only) what policies you have in place around use, privacy, data retention, etc.
4. Do you have a well-defined employee and vendor sanction policy that guides your response to policy violations?
5. Do you have a privacy policy that relates specifically to the creation, use and destruction of client data?
Privileged Account Management

These questions are designed to ensure that your IT provider understands appropriate access policies.

GENERAL

1. Please describe privileged access to clients’ systems.
    a. How is access assigned?
    b. How is it limited?
    c. How is it monitored?
    d. Are controls in place to limit access to what each role requires?
2. Are users restricted to non-admin accounts for anything that does not require admin rights?
3. Are privileged, admin or other management-level accounts shared? If yes:
    a. Why?
    b. Which accounts?
    c. What are the mitigating controls?
    d. How do you ensure accountability?
4. What tools and access methods are used for network administration and client support functions?
5. Do you have account creation or rights-level change alerts configured?
ROLE-BASED ACCESS CONTROL (RBAC)

1. Are you enforcing least privilege for all systems?
2. How do you manage additions, moves and changes of users and their rights?
3. Do you require different credentials for every client?
4. How are credentials changed when employees who may have had access leave your firm?
5. How often do you review user rights to guard against access creep?

AUTHENTICATION MANAGEMENT

1. Are you using multifactor authentication for all network access and privileged/admin functions?
2. Do you validate the identity of individuals inquiring about client systems and/or requesting support?

PASSWORD MANAGEMENT

1. Are you using complex passwords with at least 12 characters?
2. How often are password changes required?
3. Do you validate new passwords against a password library and against past passwords?
4. Do you ensure that no user’s password is set to never expire?
5. How often are the passwords of privileged/admin or other management accounts changed?

SESSION MANAGEMENT

1. Do you use account lockout for failed access attempts?
    a. How many attempts?
    b. How long?
    c. What is the reset process?
    d. How is this process audited for potential nefarious activity?
2. Do you have idle account lockout configured?
    a. If yes, how long before lockout?
Systems Management

These questions are designed to give you a general understanding of your IT service provider’s internal controls.

1. Do you have a Bring Your Own Device (BYOD) policy?
    a. How is company/client data managed on these devices?
    b. Do you have a compliance program for BYOD?
2. Are the devices you manage that are used to support clients’ systems or store clients’ data kept in a private, contained area with restricted access?
3. Are any of your clients’ assets in a commingled multi-tenant architecture within your environment or in shared environments contracted for by you?
4. Do you maintain accurate as-built documentation for your network infrastructure?
5. Are you operating with any unsupported hardware or software?
    a. If yes, please explain.
    b. What controls are in place to manage the increased risk?
6. Do you allow Wi-Fi access to corporate assets? If yes, please describe the security measures used to protect critical corporate assets whose compromise could impact operations, enable threat actors to gain a foothold or otherwise impact clients.
7. Can you quickly identify new devices attached to your network?
8. Do you have physical and digital controls to disallow the attaching of unapproved devices?
9. What physical measures are in place to protect your devices?
10. Are all physical and system access events individually identifiable and auditable?
Incident Response

These questions are designed to determine if your IT service provider has a documented plan in preparation for a cyber or other incident.

1. Do you have documented incident response plans?
    a. How often are they updated?
    b. How often are they tested?
    c. Have you had any significant incidents in the past 12 months?
        i. Please explain.
2. If you were hit by a ransomware attack, please describe (at a high level) the recovery process you would follow and how the attack could impact customers.
    a. What are the recovery time objectives?
    b. What is the continuity plan?
3. If you suffered a general cybersecurity incident, do you have clearly defined and documented response steps in written form, not stored on your potentially impacted corporate assets?
4. Who owns responsibility for the plan and the response, and is there a succession plan?
5. Do you have a qualified crisis manager?
Critical Patch and Vulnerability Management

These questions are designed to ensure your service provider maintains patch and vulnerability management for themselves and for customers.

1. Do you have a documented vulnerability management program?
2. Do you conduct regular vulnerability assessments of your systems, and how often?
3. What is the expected remediation time for vulnerabilities identified in your environment?
    a. Critical
    b. High
4. Systems patching against critical vulnerabilities:
    a. Please describe your device firmware and software updating process.
    b. How often are patches applied, and how are patches selected and vetted?
    c. What is the normal security patch schedule for desktops and servers used to support clients’ services and store clients’ information?
    d. What kind of maintenance notices are provided when downtime may be required?
    e. Do you require a system restart as needed (post patch application)?
    f. Do you do post-patch validation and smoke testing to ensure functionality and that patch application was successful?
Detection / Prevention

These questions are designed to ensure continuous monitoring, detection of and response to events.

1. Do you have an MDR, SIEM and/or other solutions monitoring your infrastructure and/or shared infrastructure being used to support client services? Please explain in detail.
2. Log management:
    a. Please describe your log capture, storage and retention process.
    b. Are logs stored offsite and protected from threat actors?
    c. Please describe your log collection and verification process.
    d. Please describe access replay functionality.
    e. Are there insider protections in place against the deletion or modification of logs?
3. Do you require logon banners declaring that the systems contain confidential and proprietary information, and warning of employment action and potential criminal prosecution for any unauthorized access or use of the systems?
4. Are all devices (servers, desktops, laptops, phones, portable USB/flash drives, etc.) that contain client data encrypted?
    a. If yes, using what encryption mechanisms, key management, access rules and policies?
    b. If no, what compensating controls are in place?
5. Do you block access to known malicious websites?
6. Are you using enterprise-level, centrally managed endpoint protection against malware?
7. Do you use DNS / URL reputation services?
Service Recovery

These questions are designed to ensure that your IT service provider is available when you need them.

BACKUPS

1. Are your internal and external backups encrypted?
2. If backups are encrypted, how are the keys managed?
    a. Who has access?
    b. How is access audited?
3. Do system redundancies, backups or other functions result in client data potentially leaving the United States?
4. Are backups stored offsite and out of reach of threat actors?
5. Are backups protected by multifactor authentication, and is access restricted?
6. What specific insider protections do you have in place to protect systems from both employees and potential threat actors?
    a. Could a domain administrator delete, corrupt, disable or otherwise interfere with or damage your backups?
    b. Is there insider protection and integrity monitoring for backups?

RECOVERY PLANNING

1. Do you have a documented Business Continuity Plan? If yes:
    a. When was the last test?
    b. What was the result?
2. Do you have a documented Disaster Recovery Plan?
    a. If yes, when was the last test?
    b. What was the result?
3. What are the RPOs and RTOs for your core services that support the services we are receiving?
Security Assessments

These questions are designed to ensure that your provider identifies and hardens its attack surfaces.

1. When was your last risk assessment performed, and who completed this task?
    a. Were there critical findings?
    b. If yes:
        i. Were those findings remediated?
        ii. Were those remediations validated?
2. Do you regularly conduct internal and external penetration tests? If yes:
    a. How often?
    b. What kind?
    c. When was the last test?
    d. Were all adverse findings remediated?
    e. Who conducts your internal and external vulnerability testing?
3. Is the penetration tester independent of your current IT team?
Insurance

These questions are designed to ensure that appropriate coverages are in place.

1. Do you carry general liability insurance?
    a. What coverages?
    b. How much?
    c. Are there sub-limits or exclusions?
2. Do you carry errors and omissions insurance?
    a. What coverages?
    b. How much?
    c. Are there sub-limits or exclusions?
3. Do you carry cyber breach and ransomware insurance?
    a. What coverages?
    b. How much?
    c. Are there sub-limits?
    d. Are there any exclusions for ransomware?
About the Cybersecurity Advisory Council

The CompTIA Cybersecurity Advisory Council brings together thought leaders and innovators from a multitude of disciplines, working together to educate technology solution providers on the latest and greatest cybersecurity practices and protocols for business.

What We Stand For

Cybersecurity is a critical component of every business and any technology solution today, but one that requires constant vigilance, collaboration, and communication. We strive to address some of today’s most pressing issues and threats, providing guidance for businesses of all sizes on how to find and work with the right technology service provider.

How We’re Making an Impact

The pressure from hackers and other bad actors isn’t abating. It’s critical for all companies to establish effective and vigilant cybersecurity protocols as well as develop the next generation of resources that will be required to protect assets. The Cybersecurity Advisory Council’s roster of industry experts and thought leaders offers the guidance and tools necessary to help tech businesses stay ahead of the curve.