You are only as strong as your weakest link. In today's uncertain times, it's important to check whether your Managed Services Provider's (MSP) security standards are up to scratch, or risk them being your weak link.
Your MSP can be a back-door entry for threats if they are not following the strictest security protocols. That's why we have compiled a list of questions you can ask them about their security credentials. If you don't have an MSP but are considering using one, this is also a good list to have to hand to check that they are addressing their security issues properly.
1. What security frameworks are you using?
There are quite a few, but the main ones include:
· ISO 27001 – this is a widely known standard providing requirements for an information security management system (ISMS), which enables organisations of any type to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. Ask whether they are certified (audited by an accredited body) or merely "aligned".
· The Australian Signals Directorate Information Security Registered Assessor Program (IRAP) – this is an ACSC program that endorses independent assessors to evaluate systems against the Australian Government Information Security Manual (ISM). Ask whether their environment has actually been IRAP-assessed and at what classification level.
· National Institute of Standards and Technology (NIST) Cybersecurity Framework – a risk-based framework organised around the core functions Identify, Protect, Detect, Respond and Recover (version 2.0 adds Govern).
· ACSC Essential Eight – this is a series of baseline mitigation strategies recommended for organisations: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. Ask which maturity level they have reached for each.
2. What measures do you take to prioritise cyber security?
· Are security measures implemented during all stages of ICT system and network development, deployment, and maintenance?
· After implementing recommended risk mitigations, how do you assess residual cyber security risk before moving to production environments?
· Do you have a method to record, review and approve all changes to ICT systems before implementation? Who reviews them? What are their cyber security qualifications?
· How do you ensure cyber security is a core requirement when procuring and acquiring any software, hardware and services, including cloud services?
3. How do you keep data safe?
· Do you segregate customer environments, logically and physically, from other customers and from the MSP's own network?
· Do you use multi-factor authentication (MFA) for customer systems?
· How upfront and transparent are you with us about cyber security? Have you raised it proactively?
· What are your security patching timelines, for both your own systems and ours?
· What is your policy for reporting confirmed cyber security incidents and data breaches to impacted customers and other parties, and how quickly?
4. How do you educate your staff about cyber security?
· What cyber security awareness training do you provide for new and existing staff?
· How frequently do you run your cyber awareness training courses for staff?
· Do you provide tailored cyber security awareness training for staff including senior managers, system administrators, and finance and HR personnel?
5. How do you practice secure administration with your systems and your customers' systems?
· Do you restrict administrative privileges using role-based access and MFA?
· Do you use hardened jump boxes and dedicated privileged user workstations exclusively for privileged tasks?
· What is your password policy? How do you store passwords?
· How do you log usage, including access to and modification of data and systems? Who reviews those logs, and what are their cyber security qualifications?
6. How do you prepare for cyber security incidents?
· Do you have an Incident Response Plan? How often do you exercise it?
· How do you log security events?
· How long do you retain event logs, and which regulatory or contractual requirement sets that period? (Note the minimum should be 7 years.)
· How often do you review event logs for unusual activity?
· What is your training plan to prepare staff to respond to a cyber security incident?
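The questions in sections 5 and 6 about logging privileged access and reviewing event logs for unusual activity are easier to evaluate if you can picture what a basic review actually does. The following is an added illustration, not code from this article or from Byte; it runs two checks over a constructed, hypothetical log format: privileged actions that did not originate from an approved jump host (the "dedicated privileged workstation" control asked about in section 5), and bursts of failed logins from one source. The jump-host address, the account names and the thresholds are assumptions for the example.

```python
"""Added example: two simple log-review checks over constructed sample lines.

Hypothetical line format (not any real product's format):
  <ISO timestamp> user=<name> src=<ip> action=<action> target=<host> result=<ok|fail>
Assumptions: privileged actions must come from a jump host in JUMP_HOSTS,
privileged accounts are listed in ADMIN_ACCOUNTS, and more than FAIL_THRESHOLD
failed logins from one source inside FAIL_WINDOW is worth a human look.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

JUMP_HOSTS = {"10.10.0.5"}                 # assumed approved jump host
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}  # assumed privileged accounts
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one admin using the jump host correctly, one admin
# working straight from an external address, and a failed-login burst.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z user=adm-alice src=10.10.0.5 action=login target=cust-fw01 result=ok
2024-05-01T09:01:40Z user=adm-alice src=10.10.0.5 action=config-change target=cust-fw01 result=ok
2024-05-01T09:15:03Z user=adm-bob src=203.0.113.7 action=login target=cust-dc01 result=ok
2024-05-01T09:16:10Z user=adm-bob src=203.0.113.7 action=config-change target=cust-dc01 result=ok
2024-05-01T22:10:01Z user=jsmith src=198.51.100.9 action=login target=cust-vpn result=fail
2024-05-01T22:10:30Z user=jsmith src=198.51.100.9 action=login target=cust-vpn result=fail
2024-05-01T22:11:02Z user=jsmith src=198.51.100.9 action=login target=cust-vpn result=fail
2024-05-01T22:11:40Z user=jsmith src=198.51.100.9 action=login target=cust-vpn result=fail
2024-05-01T23:00:00Z user=jsmith src=198.51.100.9 action=login target=cust-vpn result=fail
"""


def parse(log_text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def admin_off_jump_host(events):
    """Privileged-account activity whose source is not an approved jump host."""
    return [e for e in events
            if e["user"] in ADMIN_ACCOUNTS and e["src"] not in JUMP_HOSTS]


def failed_login_bursts(events):
    """Sources with more than FAIL_THRESHOLD failed logins in any FAIL_WINDOW.

    Uses a sliding window per source so a slow trickle spread over hours
    (the last sample line) does not count as a burst.
    Returns {src: largest_burst_size}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            by_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count > FAIL_THRESHOLD:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def review(log_text):
    """Run both checks and return findings a reviewer can act on."""
    events = parse(log_text)
    return {
        "admin_off_jump_host": [
            (e["user"], e["src"], e["action"], e["target"])
            for e in admin_off_jump_host(events)
        ],
        "failed_login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(name, finding)
```

On the sample data the first check flags adm-bob's two actions from 203.0.113.7, and the second flags 198.51.100.9 with a burst of four failures; the lone failure at 23:00 falls outside the window and is ignored. The point for the MSP conversation is that "we review logs" should mean something this concrete: a defined set of checks, a defined frequency, and a named person who looks at the findings.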
7. What steps do you take to regularly review and improve your cyber security?
· How regularly do you assess the cyber security of ICT systems, services and networks?
· How often do you monitor your cyber security risks and posture?
· Is there someone responsible for this and what are their cyber security qualifications?
What to do next
During your conversations with your MSP, you may not hear all these areas being addressed to your satisfaction. If you don’t get the answers you need, maybe it’s time to pick up the phone to us!
Byte is certified to ISO 27001 and is a Microsoft Gold Security Partner as well as Innovative Platinum Partner with Palo Alto. Byte is a security focused organisation and runs one of the most secure MSPs in the country, tailored for SMBs.