Going Beyond: Assessing Security Practices of IT Service Providers


By the National Risk Management Center

No business or organization wants to be the victim of a cybersecurity attack. Adversaries target organizations of all sizes and in every industry, so cybersecurity is not just a large-business problem. Often they try to breach an organization's systems through weak spots or entry points outside the organization's direct control, such as third-party vendors. It is therefore no longer enough for organizations to focus on securing their own data and information systems; they must also encourage stronger cybersecurity practices at their managed service providers (MSPs).

To help mitigate these risks, the Cybersecurity and Infrastructure Security Agency (CISA) released a new CISA Insights titled Risk Considerations for Managed Service Provider Customers. This resource provides a framework that government and private sector organizations (including small and medium-sized businesses) that outsource some level of IT support to MSPs can use to better mitigate third-party risk. The framework draws on best practices and considerations from the National Institute of Standards and Technology and other authoritative sources, with guidance geared to the three organizational levels that play a role in reducing overall risk: 1) senior executives and boards of directors; 2) procurement professionals; and 3) network administrators, systems administrators, and front-line cybersecurity staff.

The bottom line is that outsourcing IT services brings an organization both benefits and risks. Key responsible individuals should step back, look at the security practices in place across their enterprise, and answer questions such as:

  • Who is responsible for security and operations when outsourcing IT services to an MSP?
  • What are the most critical assets that we must protect and how do we protect them?
  • What should an MSP provide to an organization in advance of a contract award to demonstrate security controls in place?
  • What network and system access levels are appropriate for third-party service providers?

Reviewing security practices and answering these types of questions will take effort and time upfront. In the long run, though, it will help an organization spot pockets of risk from third-party vendors and improve its overall security and resilience.

To read/download this resource, visit:

For supply chain risk management information and resources, visit: