SecurityWeek


CISA Reminds of Risks Connected to Managed Service Providers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for government and private organizations to take into consideration when looking to outsource services to a Managed Service Provider (MSP).


Titled Risk Considerations for Managed Service Provider Customers, CISA’s new guidance is aimed at three decision-making groups: senior executives and boards of directors, procurement professionals, and network/system administrators and front-line cybersecurity staff.

The document includes best practices and considerations from various authoritative sources, such as the National Institute of Standards and Technology (NIST), for organizations to review their security practices and make sure they are prepared to prevent cyberattacks.

CISA explains that executives have their own risk management responsibilities and should maintain awareness of the systems and technologies in use within their organizations. They should also understand the risks associated with the loss of systems, data, productivity and customer confidence, as well as the costs associated with fines and other regulatory costs.

Executives, along with staff involved in procurement, should analyze the benefits of outsourcing against enterprise risks, and should make sure that both the customer and the vendor share responsibilities when it comes to faults or failures that may impact operations and affect customers.

“In order to minimize such disruptions when outsourcing IT services, organizations can define roles and responsibilities in a vendor agreement using the Shared Responsibility Model, which articulates the vendor’s responsibilities, the customer’s responsibilities, and any responsibilities shared by both parties,” the agency notes.

Organizations should develop an enterprise cybersecurity risk management plan that takes into account the potential risks associated with using IT services provided by an MSP. Small and medium-sized businesses (SMBs) that may not be able to implement such a plan should still catalog critical assets and assess the risks to those assets, to prioritize their inclusion in vendor agreements and develop contingency plans for incidents that affect them.


A requirements management process, CISA says, should coordinate across functional areas to ensure performance, reliability, and security. Individuals in procurement roles should create and maintain a list of requirements that should include “considerations for security, operational continuity, and other core business functions,” CISA notes. Organizations should vet potential MSPs based on these requirements.

The agency also recommends that organizations make specific demands of an MSP before signing an agreement that, among other things, confirms that the individual signing for the MSP is responsible for the security of the service, details incident management and remediation capabilities, and explains how data from different customers is separated on the MSP's network.

Employees responsible for monitoring and managing an MSP's activity should set policies on the access level that any third-party vendor enjoys, and organizations are encouraged to continuously re-evaluate access requirements. When possible, privilege and access levels should be defined prior to signing a contract, to make sure the vendor can meet service requirements.

Furthermore, organizations are advised to maintain offsite backups of essential records and network logs, to help with recovery in the event of an incident at the MSP and to authenticate vendor activity. Per NIST’s recommendations, businesses should include vendors such as MSPs in their incident response plans and should regularly update those plans.

“NIST also recommends organizations and vendors establish clear protocols for vulnerability disclosure, incident notification, and communication with any external stakeholders during an incident. Organizations and vendors should also establish clear authorization protocols for threat hunting and incident response procedures on customer networks,” CISA notes.

SMBs that outsource IT services to an MSP, seeking increased efficiency and cost savings, should maintain full control of access to their systems, should be aware of vendor access, and should keep network logs, as well as offsite backups of all critical data, the agency says.


Ionut Arghire is an international correspondent for SecurityWeek.
