Risk Considerations for Managed Service Provider Customers

This CISA Insights provides a framework that government and private sector organizations (including small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate third-party risk.

This resource directs its guidance to the three main organizational groups that play a role in reducing overall risk: (1) senior executives and boards of directors (strategic decision-making); (2) procurement professionals (operational decision-making); and (3) network administrators, systems administrators, and front-line cybersecurity staff (tactical decision-making).

Strategic Decision-Making

Senior executives must balance cost effectiveness and efficiency with reliability and security when considering whether to outsource IT services to an MSP. Outsourcing IT services does not absolve executives of risk management responsibilities. To balance these priorities, executives must maintain awareness of the technologies and systems supporting their operations. Executives must also understand the risks from potential loss of core organizational systems and services; loss of confidentiality, integrity, and availability of data; loss of consumer and market confidence; loss of productivity due to operational disruption; fines, legal fees, or other regulatory costs; and other adverse financial impacts. Organizations must also account for risks to the vendors themselves, as vendors’ financial health and other attributes can serve as indicators of potential future service disruptions.

Operational Decision-Making

Coordinated procurement, operations, continuity, and security requirements will decrease enterprise supply chain risk and improve system performance. Organizations with separate staff dedicated to each of those functions should coordinate IT requirements across organizational silos. For smaller organizations or those without staff dedicated specifically to these functions, an enterprise risk management plan should account for each of these requirements as part of an integrated approach to risk management at whatever scale is appropriate for the organization.

Tactical Decision-Making

Policies and controls on network access and logs remain the organization’s responsibility while outsourcing IT services to an MSP. Organizations should identify personnel responsible for monitoring and managing the day-to-day activity of MSPs and must set careful policies on the access given to any third-party vendors. Common examples of such policies include establishing clear requirements for authentication or verification and maintaining controls and logs separate from the vendor’s records. Organizational policies and practices relating to the authentication of vendor logs and activities across the IT enterprise help ensure appropriate and authorized activities by MSPs while protecting the client’s interests from unauthorized activities.

Download this CISA Insights for considerations and best practices for each of the organizational groups mentioned above. For additional supply chain resources, visit the ICT Supply Chain Resource Library.
