Does your business use a managed service provider (MSP) to provide support for your IT and network? If you do, you may or may not have thought about the benefits and associated risks of using an outside service. Although the benefits will often outweigh the risks, it is still important to consider the security in place at the MSP to help keep your business safe.
Over the years, outsourced IT has become common among some smaller to mid-sized businesses. Managed service providers can provide support and services for a business’s network, applications, infrastructure and security. MSPs can also assist with backup and disaster recovery. When working with an MSP, both parties agree to service level agreements that often include commitments such as uptime, response time and availability.
When looking at using an MSP, here are some topics and questions you may want to consider:
- Price Structure – What is the price structure for the services the MSP provides?
- Price Options – What are the price options the MSP provides?
- Security – What security does the MSP have in place?
- Hardware & Software – What does the MSP recommend for hardware and software?
- Service Level Agreement – Is there a service level agreement (SLA) for the MSP?
- Contract Renewal – What is the contract period and renewal?
- Accreditation – What accreditation or certifications does the MSP have?
SOC 2 Reports for an MSP
SOC 2 has become a common, necessary accreditation for service organizations to provide reasonable assurance that controls are in place and are designed and operating effectively. Criteria for SOC 2 can include security, availability, confidentiality, privacy and processing integrity. Depending on the concerns of your business, requesting a SOC 2 report from a managed service provider can help you assess any security risks and confirm any of your responsibilities as a user of the service. Whether an MSP has a SOC 2 report should be a very important criterion in selecting an MSP. Do you know if your current MSP has a SOC 2 report? You should be asking for a new SOC 2 report from your MSP every year and reviewing the report to make sure the security at the MSP aligns with your objectives. If your MSP currently does not get a SOC 2 report, consider asking the MSP to get one.
If you would like more information regarding MSPs, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries and can assist with a SOC 2 readiness assessment and SOC 2 audit to help identify whether or not effective processes and controls are in place for your MSP; MSP recommendations can also be provided. Be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA regarding our services.