
Trust but Verify: Managing your Managed Security Service Provider

Perhaps you outsourced your security monitoring and incident response to a reputable firm years ago, or you are considering outsourcing for the first time, or you are considering switching firms. Whatever the situation, you know that the institution is ultimately accountable for the outcome of their services, good or bad.

It’s never too late to rethink past decisions, terms, and relationships.

Questions to consider here include:

  1. How can you ensure their services are effective?

  2. Do they have visibility into everything they need to protect your data and systems?

  3. How can you hold them accountable for the outcome of their services?

  4. What are your responsibilities for managing the service?

  5. What happens when the worst happens, a breach?

Here are five things to do and consider in this scenario:

  1. Start with the contract; review your contract, whether it’s new or old. If it’s new, this is the perfect time and probably the most leverage you will have. They really want you to sign, especially if it’s quarter end, to meet their numbers. If it’s an old contract, it’s not too late. An appendix can be added, or aim for a renewal timeframe to add what’s needed. Does it specifically spell out:

     1. Responsibilities, in as much detail as possible. What are you responsible to do? What are they to do? What services are they providing, and to what extent? Make sure it’s measurable and monitorable: what specific metric and what reports will you receive to show whether they are meeting that level?
     2. What penalties or recourse do you have if they do not meet that level? What refunds, service credits, etc., will be offered to make it right?

     If not, push them to do this. If they cannot or refuse, it’s probably a blessing in disguise and time to move on. There are plenty of players out there you can move to, and their response is perhaps a peek into how the relationship will go.
  2. Iron out what happens in an incident scenario and include this in the contract. Whose insurance will be used? What cooperation will be needed in an incident, and will the firm do this? What is their process, and how will it work with ours? How often will updates be provided? Ensure they are included in all incident response exercises and tabletops.
  3. Once you’re past the contract, ensure you monitor their services as much as needed to get performance feedback. Designate a single person to manage this relationship. This person should ensure the firm has all the information and contacts needed to be successful. Likewise, this manager should gather feedback for the firm on its services and ensure that any issues raised are fixed. This person should also monitor, or work with others to oversee, the services and hold the firm to the standard promised.
  4. At the setup of services, ensure that all applicable monitoring reports and alerts are set up. My experience is that they tend to do this on their own; however, I’ve seen multiple incidents where alerting was not set up to fire when appropriate, did not fire in a timely way (e.g., a week later), or the relevant logs were never fed into the monitoring system at all (e.g., cloud system logs).
  5. Include them in the scope of your penetration test. This will give you visibility into the effectiveness of their service. Give them as little notice and involvement as possible to ensure that they respond as you would expect them to in a real incident:
     1. Did monitoring work as expected and alert to the intrusion?
     2. Did they call the institution to investigate?
     3. Did they identify the root cause of the incident and take appropriate steps?
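One concrete way to verify item 4 (that every agreed log source is actually reaching the provider's monitoring and is not silently stale) is to compare the provider's ingestion report against your own list of expected sources. The script below is an added example, not from the original post or any provider's tooling; the source names, staleness thresholds and report format are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Expected log sources and the maximum gap tolerated before a feed is
# treated as silent. Names and thresholds are illustrative assumptions.
EXPECTED_SOURCES = {
    "firewall": timedelta(minutes=15),
    "domain-controller": timedelta(minutes=15),
    "cloud-audit": timedelta(hours=1),
    "edr": timedelta(minutes=30),
}

# Constructed sample of a provider ingestion report, one event per line:
# "<ISO timestamp> <source> <message>". Note that "cloud-audit" never appears.
SAMPLE_EVENTS = """\
2024-05-06T08:00:10+00:00 firewall deny tcp 10.0.0.5 -> 203.0.113.9:445
2024-05-06T08:02:44+00:00 domain-controller 4625 logon failure user=svc_backup
2024-05-06T08:03:01+00:00 firewall allow tcp 10.0.0.7 -> 198.51.100.2:443
2024-05-06T06:10:00+00:00 edr process tree flagged host=WS-104
"""

# Fixed "current time" so the check is reproducible (constructed).
NOW = datetime(2024, 5, 6, 8, 10, tzinfo=timezone.utc)

def parse_events(text):
    """Return a list of (timestamp, source) tuples from the report text."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        events.append((datetime.fromisoformat(parts[0]), parts[1]))
    return events

def coverage_gaps(events, expected, now):
    """Return {source: reason} for expected feeds that are missing or stale."""
    last_seen = {}
    for stamp, source in events:
        if source not in last_seen or stamp > last_seen[source]:
            last_seen[source] = stamp
    gaps = {}
    for source, max_gap in expected.items():
        if source not in last_seen:
            gaps[source] = "never ingested"
        elif now - last_seen[source] > max_gap:
            gaps[source] = f"stale by {now - last_seen[source]}"
    return gaps

if __name__ == "__main__":
    for source, reason in coverage_gaps(parse_events(SAMPLE_EVENTS), EXPECTED_SOURCES, NOW).items():
        print(f"{source}: {reason}")
```

Run against the real ingestion export on a schedule, the non-empty result is the list of questions to raise with the provider at the next review.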

In Conclusion

If you find yourself struggling with your Managed Security Service Provider or you're looking to start on the right foot with a new one, we are here to help! Fill out our contact us form to get the conversation started!
