How To Assess the Cybersecurity Preparedness of IT Service Providers and MSPs
Improperly evaluating the cybersecurity capabilities of prospective IT service providers and managed service providers (MSPs) can put your organization's data and systems at risk. A new guide from CompTIA can help you ask the right questions.
Your cyber attack surface isn’t limited to your owned assets. It also includes all the third parties – such as vendors, suppliers and contractors – that your systems are digitally intertwined with. If one of these partners gets breached, the attackers could find a pathway to also hack your systems.
In this broad and complex realm of managing third-party cyber risk, it’s particularly critical for organizations to closely, methodically and precisely assess the cybersecurity preparedness of IT service providers and managed service providers (MSPs).
That’s the focus of a new guide published recently by the non-profit Computing Technology Industry Association (CompTIA). Although “A CEO’s Guide to Choosing an IT Service Provider” is aimed at business leaders, it can also help IT and cybersecurity leaders ask the right questions while choosing ITSPs and MSPs.
The 18-page document, created by CompTIA’s Cybersecurity Advisory Council, consists of detailed questionnaires covering areas including:
- Frameworks and compliance
- Policies
- Privilege account management
- Systems management
- Incident response
- Patch and vulnerability management
- Detection and prevention
For example, the section titled “Critical Patch and Vulnerability Management” seeks to answer – among other things – whether the service provider in question:
- has a documented VM program
- conducts regular VM assessments of its systems
- remediates and patches vulnerabilities in a timely manner
In the “Frameworks / Compliance” section, MSPs and IT service providers must say whether they:
- use a cybersecurity framework for managing their systems
- document and audit their compliance
- support governance requirements or cyber insurance obligations
Meanwhile, the “Detection / Prevention” section looks into a respondent’s ability to continuously monitor, detect and respond to cyber incidents. Specific questions address topics like:
- the use of infrastructure monitoring tools
- log management processes and policies
- data encryption use
“The goal is to provide more clarity about how MSPs treat their own systems so that customers might better understand where their information is stored, how access will occur, and what happens in the event of a cyber incident,” reads a CompTIA blog about the guide.
Of course, organizations can also use the document to periodically evaluate IT service providers and MSPs they’re already working with to ensure that their cybersecurity preparedness hasn’t degraded.
The guide can also be used by MSPs and IT service providers to self-assess and identify potential weaknesses in their cybersecurity policies, strategies, processes and capabilities that could put them and their customers at an increased risk for cyberattacks.
For more information about third-party vendor risk management:
- “Risk Considerations for Managed Service Provider Customers” (CISA)
- “How to find a security-savvy MSP” (CSO Magazine)
- “Why Is Third Party Risk Management Important?” (CIO Insight)
- “Third Party Cyber Risk is Your Cyber Risk” (American Hospital Association)
- “Key Practices in Cyber Supply Chain Risk Management” (U.S. National Institute of Standards and Technology)
VIDEOS
How SMBs should select a security-savvy managed service provider (IDG Tech Talk)
Rethinking Efficient Third-Party Risk Management (RSA Conference)
A CISO Developed Third Party Risk Management Framework (Cybersecurity Collaborative)
Third-Party Risk Management: Preventing the Next Stuxnet (RSA Conference)
Related Articles
Cybersecurity Snapshot: 6 Things That Matter Right Now
October 14, 2022Topics that are top of mind for the week ending Oct. 14 | DevOps team culture is key for supply chain security | SecOps gets more challenging as attack surface expands | Weak credentials hurt cloud security | Incident responders grapple with stress | Security spending grows | And much more!
A Holiday Story, Internet Edition: The Impact Of Assessing And Addressing Log4j Installations Proactively
December 30, 2021A look at our log4j data.
Apache Log4j Flaw: A Fukushima Moment for the Cybersecurity Industry
December 13, 2021Organizations around the world will be dealing with the long-tail consequences of this vulnerability, known as Log4Shell, for years to come.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Incident Response
- Log Analysis
- Vulnerability Management