CISA Reminds of Risks Connected to Managed Service Providers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new  guidelines for government and private organizations to take into consideration when looking to outsource services to a Managed Service Provider (MSP).

Titled Risk Considerations for Managed Service Provider Customers, CISA’s new guidance is aimed at three decision-making groups: senior executives and boards of directors, procurement professionals, and network/system administrators and front-line cybersecurity staff.

The document includes best practices and considerations from various authoritative sources, such as the National Institute of Standards and Technology (NIST), for organizations to review their security practices and make sure they are prepared to prevent cyberattacks.

CISA explains that executives have their risk management responsibilities and should maintain awareness of the systems and technologies in use within their organizations. They should also understand the risks associated with the loss of systems, data, productivity and customer confidence, as well as of the costs associated with fines and regulatory costs.

Executives, along with staff involved in procurement, should analyze the benefits of outsourcing against enterprise risks, and should make sure that both the customer and the vendor share responsibilities when it comes to faults or failures that may impact operations and affect customers.

“In order to minimize such disruptions when outsourcing IT services, organizations can define roles and responsibilities in a vendor agreement using the Shared Responsibility Model, which articulates the vendor’s responsibilities, the customer’s responsibilities, and any responsibilities shared by both parties,” the agency notes.

Organizations should develop an enterprise cybersecurity risk management plan that takes into account the potential risks associated with using IT services provided by an MSP. Small and medium-sized businesses (SMBs) that may not be able to implement such a plan should still catalog critical assets and assess the risks to those assets, to prioritize their inclusion in vendor  agreements and develop contingency plans for incidents that affect them.

[ READ: CISA Issues Guidance on Protecting Data From Ransomware ]

A requirements management process, CISA says, should coordinate across functional areas to ensure performance, reliability, and security. Individuals in procurement roles should create and maintain a list of requirements that should include “considerations for security, operational continuity, and other core business functions,” CISA notes. Organizations should vet potential MSPs based on these requirements.

The agency also recommends that organizations make specific demands from a MSP before signing an agreement that, among others, confirms that the individual signing for the MSP is responsible for the security of the service, details incident management and remediation capabilities, and explains how data from different customers is separated on the MSPs network.

Employees responsible for monitoring and managing a MSP’s activity should set policies on the access level that any third-party vendor enjoys and organizations are encouraged to continuously re-evaluate access requirements. When possible, privilege and access levels should be defined prior to signing a contract, to make sure the vendor can meet service requirements.

Furthermore, organizations are advised to maintain offsite backups of essential records and network logs, to help with recovery in the event of an incident at the MSP and to authenticate vendor activity. Per NIST’s recommendations, businesses should include vendors such as MSPs in their incident response plans and should regularly update those plans.

“NIST also recommends organizations and vendors establish clear protocols for vulnerability disclosure, incident notification, and communication with any external stakeholders during an incident. Organizations and vendors should also establish clear authorization protocols for threat hunting and incident response procedures on customer networks,” CISA notes.

SMBs that outsource IT services to an MSP, seeking increased efficiency and cost savings, should maintain full control of access to their systems, should be aware of vendor access, and should keep network logs, as well as offsite backups of all critical data, the Agency says.

Related: CISA Expands ‘Bad Practices’ List With Single-Factor Authentication

Related: CISA Issues Guidance on Protecting Data From Ransomware