How To Assess the Cybersecurity Preparedness of IT Service Providers and MSPs

Improperly evaluating the cybersecurity capabilities of prospective IT service providers and managed service providers (MSPs) can put your organization's data and systems at risk. A new guide from CompTIA can help you ask the right questions.

Your cyber attack surface isn’t limited to your owned assets. It also includes all the third parties – such as vendors, suppliers and contractors – that your systems are digitally intertwined with. If one of these partners gets breached, the attackers could find a pathway to also hack your systems.

In this broad and complex realm of managing third-party cyber risk, it’s particularly critical for organizations to closely, methodically and precisely assess the cybersecurity preparedness of IT service providers and managed service providers (MSPs).

That’s the focus of a new guide published recently by the non-profit Computing Technology Industry Association (CompTIA). Although “A CEO’s Guide to Choosing an IT Service Provider” is aimed at business leaders, it can also help IT and cybersecurity leaders ask the right questions while choosing ITSPs and MSPs.

The 18-page document, created by CompTIA’s Cybersecurity Advisory Council, consists of detailed questionnaires covering areas including:

• Frameworks and compliance
• Policies
• Privilege account management
• Systems management
• Incident response
• Patch and vulnerability management
• Detection and prevention

For example, the section titled “Critical Patch and Vulnerability Management” seeks to answer – among other things – whether the service provider in question:

• has a documented VM program
• conducts regular VM assessments of its systems
• remediates and patches vulnerabilities in a timely manner

In the “Frameworks / Compliance” section, MSPs and IT service providers must say whether they:

• use a cybersecurity framework for managing their systems
• document and audit their compliance
• support governance requirements or cyber insurance obligations

Meanwhile, the “Detection / Prevention” section looks into a respondent’s ability to continuously monitor, detect and respond to cyber incidents. Specific questions address topics like:

• the use of infrastructure monitoring tools
• log management processes and policies
• data encryption use

“The goal is to provide more clarity about how MSPs treat their own systems so that customers might better understand where their information is stored, how access will occur, and what happens in the event of a cyber incident,” reads a CompTIA blog about the guide.

Of course, organizations can also use the document to periodically evaluate IT service providers and MSPs they’re already working with to ensure that their cybersecurity preparedness hasn’t degraded.

The guide can also be used by MSPs and IT service providers to self-assess and identify potential weaknesses in their cybersecurity policies, strategies, processes and capabilities that could put them and their customers at an increased risk for cyberattacks.

For more information about third-party vendor risk management:

• “Risk Considerations for Managed Service Provider Customers” (CISA)
• “How to find a security-savvy MSP” (CSO Magazine)
• “Why Is Third Party Risk Management Important?” (CIO Insight)
• “Third Party Cyber Risk is Your Cyber Risk” (American Hospital Association)
• “Key Practices in Cyber Supply Chain Risk Management” (U.S. National Institute of Standards and Technology)

VIDEOS

How SMBs should select a security-savvy managed service provider (IDG Tech Talk)

Rethinking Efficient Third-Party Risk Management (RSA Conference)

A CISO Developed Third Party Risk Management Framework (Cybersecurity Collaborative)

Third-Party Risk Management: Preventing the Next Stuxnet (RSA Conference)