Are You Watching The Watchers?


Managed Service Providers (MSPs) are a critical component of network management for many organizations. Due to a lack of personnel or expertise, institutions are looking to off-load some services to third parties. These can cover a number of different resources: cloud storage and hosting, backup services, total network controls, data retention or destruction, use of a SOC, configurations and database management. No matter what tasks you decide to hand off to an MSP, it is still your responsibility to ensure that the job is done correctly.

How can you ensure that an MSP is doing what they say they are doing? There are a number of steps that should be taken prior to contracting with the MSP, and then to follow up on their progress afterward.

Vetting the vendor:
Ensure that you are choosing a reputable vendor and solution by doing a bit of research. Check with peers and read reviews. Include a risk assessment to determine what could go wrong and what the outcome would look like. Run a background check on the vendor. Additionally, you may want to present your vendor with a questionnaire to determine whether they will be able to meet your needs:
Is this vendor capable of meeting your needs in terms of size and financial stability?
What is the reputation of this vendor?
Can they provide financial statements or audit reports?
Do they have certifications to prove they are compliant with regulations and laws?
Can they provide references?

Vendor risk assessment:
When you have narrowed down the vendor(s) you may use, a risk assessment should be considered. What types of risks could your organization face when contracting with this vendor? Conflict of interest? Loss of data or services? Loss of reputation? Financial loss? If your vendor fails to comply with regulations, what legal ramifications do you face? Evaluate the types of risks, implications and resolutions you may encounter. Financial, compliance, reputational, technical, operational and resource risks should all be considered.

Monitoring the vendor:
Once you enter into a contract with a vendor, it is important to ensure that they are doing what they said they would do for you. Regular reporting should be part of the process. If they are providing a backup service, are they scheduling a test of the restore process? How would you know if the backup is successful without then performing a restore? Systematic reporting on the services the MSP provides will help to verify that operations are being conducted as promised.

Handing over your operations or services to a third party does not relieve your organization of risk. Entering into a contract with an MSP without proper vetting can lead to adverse ramifications. Continuous monitoring of the MSP is crucial to protecting your business.