Questions to ask Managed Service Providers
Download ACSC Protect: Questions to ask Managed Service Providers (PDF), January 2019
First published 2017; updated 2018 and January 2019
This document provides simple yet practical questions to ask managed service providers regarding the cyber security of their systems and the services they provide.
Are you implementing better practice cyber security guidance?
The Essential Eight from the Strategies to Mitigate Cyber Security Incidents provides prioritised and practical advice to manage a range of cyber threats to systems and the information that they process, store or communicate.
Managed service providers can demonstrate they are implementing better practice cyber security to protect themselves and their customers by implementing the Essential Eight.
Are you securely administering your systems and services?
As managed service providers often have privileged access to systems, it is important that they manage such systems in a secure manner, especially when systems are managed remotely.
Managed service providers can demonstrate they are securely administering their systems and services by implementing the guidance from Secure Administration.
Are you monitoring activity on your systems and services?
Organisations often have poor visibility of activity occurring on their systems. Good visibility of what is happening is important for both detecting and responding to targeted cyber intrusions and malicious insiders.
Managed service providers can demonstrate they are monitoring activity on their systems and services by implementing the guidance from Windows Event Logging and Forwarding.
Are you regularly assessing your systems and services?
In order to protect their systems, and that of their customers, it is important that managed service providers are aware of, and appropriately risk manage, security vulnerabilities in their systems and services.
Managed service providers can demonstrate they are regularly assessing their systems and services by conducting regular vulnerability assessment activities.
Are you prepared for, and able to respond to, cyber security incidents?
Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and response to, a cyber security incident can greatly decrease its impact.
Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can assist in the early and effective management of cyber security incidents by specialists trained in this field.
Managed service providers can demonstrate they are prepared for, and able to respond to, cyber security incidents by implementing the guidance from Preparing for and Responding to Cyber Security Incidents.
Are you a member of the Managed Service Provider Partner Program?
To assist in raising the cyber security posture of managed service providers, and to provide confidence for their customers, the Australian Cyber Security Centre (ACSC) has developed the Managed Service Provider Partner Program (MSP3).
Customers of managed service providers should confirm whether their managed service providers are participating in the program.
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).