By Karen Sprenger   /   Aug 24th, 2022

13 More Questions to Ask Managed Service Providers (Part 2 of 2)

Recently I shared with you a series of questions to ask managed service providers (MSPs) or managed security service providers (MSSPs) to ensure that they are meeting best practices and providing the best security for your organization. With the help of my colleagues, I ended up with more questions than we had room for, so we broke it into two parts. In part one of this blog (I suggest reading part one first), we focused on questions to ask managed service providers about their people and access. In this second installment, we’ll share questions to ask MSPs about their environment and tools. We also share what information you should be looking for in their response. Without further ado, here’s part two.

Questions to Ask Managed Service Providers About Their Environment & Tools

Q: Have you undergone a control assessment and control validation, and if so, who is responsible for managing these activities?

A: A control assessment ensures that policies and procedures provide the appropriate protections for both their environment and yours. A control validation confirms that those controls have actually been put in place, typically by inspecting technical configurations and similar evidence. You should ask for a summary report and regular status updates on ongoing activities.


Q: Do you perform due diligence and security vetting of the vendors whose products you use to manage our networks?

A: Most vendors (e.g., Microsoft) now post their security practices, assessment and testing results, and compliance status on their websites, so your MSP should be ensuring that the information has been reviewed and that the vendor’s security meets their (and your) minimum requirements. Learn more by reading our blog on supply chain cybersecurity.


Q: Do you undergo security testing on your own network at least annually, and if so, can we see the results or a letter of attestation?

A: Security testing brings to light unknown vulnerabilities, outdated software, and unnecessary open ports, much like automated scanning. However, security testing takes it a step further by exploiting those and other weaknesses. Exploitation is usually performed through a combination of manual and automated means and allows your MSP to identify their most obvious security holes. Many criminals are targeting MSPs and MSSPs as a gateway to compromising many networks at once, so this is one of the most crucial questions to ask managed service providers.


Q: Are you compliant with the regulations that we are required to comply with?

A: If, for example, you are required to be HIPAA compliant, your MSP should be well-versed in HIPAA requirements and prepared to protect your data with the appropriate safeguards.


Q: What is your patch policy and how often are patches applied?

A: Gone are the days when organizations can take a “wait and see” approach to security updates and patches. When updates are released, the MSP should have a process in place to test and deploy them quickly, since many of them now address potential zero-day vulnerabilities. Ideally, your MSP should employ a solution that automatically deploys those patches to systems, and they should maintain a plan for responding if something “breaks” after installation. For more details, read our blog: 6 Patch Management Mistakes & How to Fix Them.


Q: Do you have a change management control process?

A: Ideally, a strong change management policy includes a review and approval process for major changes to system configurations. One employee should not be able to decide on and implement a major policy change without communicating with you. A change management log should be kept as well, so that all changes are documented and can be reversed if there are unexpected outcomes.


Q: Do you perform backups for us and if so, how often?

A: In the age of ransomware, backups are crucial. Of course, they are also necessary in case files are overwritten or accidentally deleted, in the event of hardware failure, and so on. Not all MSPs include data backups as part of their plan to manage your organization, so it’s important to ask if yours does. If they do provide a backup service, ask where the backups are stored (make sure at least one copy is not only off-site, but off-network) and how often files are backed up. It’s also important to understand whether all files are backed up on that schedule or only files that have changed. In a perfect world, a full backup would be performed at least every night; at a minimum, however, a full backup should be done at least once per week, with incremental backups daily. As one mentor put it, only back up as often as you are willing to redo work. So – if you can recreate two hours’ worth of work, back up every two hours. If you can afford to recreate a day’s worth, a daily backup is fine – and so on.


Q: How often are the backups tested?

A: Too many organizations find out that their backup solution is not working in the midst of an incident – in other words, when they really need it. To avoid that situation, backups must be routinely tested. Testing should include both restoring a file or files and rebuilding a full system. Depending on an organization’s downtime tolerance, file-based restores should be tested at least once a month, and system rebuilds quarterly.


Q: How long would it take to restore our data (files, email, etc.) if it were lost or encrypted?

A: Assuming that your MSP is testing the backups, this question should be fairly easy to answer. Restoration time will, of course, depend on the amount of data that you have to restore; however, it’s important to set expectations before an incident happens. Organizations who experience ransomware may be looking at days to restore data, not hours, and it’s best to know what to expect.


Q: Do you have an incident response plan?

A: All organizations will experience incidents. Hopefully most will be small and quickly resolved; however, your MSP should be prepared and have a documented plan in place if something goes wrong in their environment – or yours. One of the great vetting questions to ask managed service providers is whether you can walk through a practice incident response scenario on your network. We facilitate tabletop exercises and would be happy to help you and your MSP work through different scenarios. If you prefer to run these exercises internally, read our blog on common tabletop scenarios. Either way, practice in advance. Don’t wait until you are in the middle of an active incident to determine whether your incident response plan is appropriate.


Q: Do you have capabilities to perform incident response and / or a relationship with a vendor who has that expertise?

A: Assuming that your MSP has an incident response plan, ask if they will be performing all steps of incident response (like forensic preservation, restoration, investigation, and recovery). If not, make sure that they have a pre-existing relationship with a vendor or vendors who will assist, so that the response will be timely.


Q: Do you keep logs related to access to our files and services?

A: Log files are critical for understanding what actions were taken when something goes wrong – whether due to an internal accident, misuse, or an outside threat. For example, log files may show which username was used to log in, from which IP address, and what was accessed during that session. If your MSP is logging authentication, make sure they are logging both successful and failed authentication attempts. Watch our on-demand logging and monitoring video for more details on how proactive logging and monitoring enhance your security.
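As an added example (not from the original post or from LMG Security), the check below runs over a constructed, syslog-like sample of authentication and file-access events and reports whether both successful and failed logins are present, plus, per user, the source IPs seen and the paths accessed. The log format, usernames, IP addresses and paths are all invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in a syslog-like format (not any real product's):
#   <ts> auth user=<name> ip=<addr> result=success|failure
#   <ts> access user=<name> ip=<addr> path=<resource>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|access) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: result=(?P<result>success|failure))?(?: path=(?P<path>\S+))?$"
)
SAMPLE_LOG = """\
2022-08-01T09:14:02Z auth user=jdoe ip=203.0.113.7 result=success
2022-08-01T09:15:10Z access user=jdoe ip=203.0.113.7 path=/finance/q2.xlsx
2022-08-01T09:20:44Z auth user=asmith ip=198.51.100.23 result=failure
2022-08-01T09:20:51Z auth user=asmith ip=198.51.100.23 result=failure
2022-08-01T09:21:03Z auth user=asmith ip=198.51.100.23 result=success
2022-08-01T09:22:30Z access user=asmith ip=198.51.100.23 path=/hr/payroll.csv
""".splitlines()

@dataclass
class UserActivity:
    successes: int = 0
    failures: int = 0
    ips: set = field(default_factory=set)
    accessed: list = field(default_factory=list)

def audit_logs(lines):
    """Return (per-user activity, list of logging-coverage findings)."""
    per_user = defaultdict(UserActivity)
    outcomes_seen, unparsed = set(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (m["kind"] == "auth" and not m["result"]):
            unparsed += 1  # event cannot be attributed; count it as a gap
            continue
        act = per_user[m["user"]]
        act.ips.add(m["ip"])
        if m["kind"] == "access":
            act.accessed.append(m["path"])
            continue
        outcomes_seen.add(m["result"])
        if m["result"] == "success":
            act.successes += 1
        else:
            act.failures += 1
    # A log holding only successes (or only failures) cannot reconstruct an incident.
    findings = [f"no {o} authentication events recorded"
                for o in ("success", "failure") if o not in outcomes_seen]
    if unparsed:
        findings.append(f"{unparsed} line(s) could not be parsed")
    return dict(per_user), findings
```

Running `audit_logs(SAMPLE_LOG)` returns an empty findings list for the sample; feeding it a log with the failure lines removed produces the "no failure authentication events recorded" finding that the question above is meant to catch.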


Q: What is the log retention period?

A: If possible, your MSP should retain two years’ worth of log files; if that is just not possible, they should keep one year at a minimum. Remember, most successful external compromises begin months before they are discovered, so longer log retention is necessary for a full investigation.

I hope these questions to ask managed service providers are helpful. Making use of an MSP and / or MSSP can be a terrific way to gain expertise, budget, and efficiency for many organizations. However, your organization must do some homework first to ensure that the MSP is not only the best fit, but also to identify the roles and responsibilities of all involved. With open communication, it’s a relationship that can take the organization far.

Contact us if you need help with your cybersecurity; we offer a wide variety of cybersecurity services, from technical testing to Virtual CISO consulting.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and Prevention. She speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the International Legal Technology Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.