Introduction #

This publication provides simple yet practical questions to ask managed service providers regarding the cyber security of their systems and the services they provide.

Questions to ask Managed Service Providers #

Are you implementing better practice cyber security?

The Essential Eight from the Strategies to Mitigate Cyber Security Incidents provides prioritised and practical advice to manage a range of cyber threats to systems and the information that they process, store or communicate.

Managed service providers can demonstrate they are implementing better practice cyber security to protect themselves and their customers by implementing the Essential Eight.

Are you securely administering your systems and services?

As managed service providers often have privileged access to systems, it is important that they manage such systems in a secure manner, especially when systems are managed remotely.

Managed service providers can demonstrate they are securely administering their systems and services by implementing the guidance from the Secure Administration publication.

Are you monitoring activity on your systems and services?

Organisations often have poor visibility of activity occurring on their systems. Good visibility of what is happening is important for both detecting and responding to targeted cyber intrusions and malicious insiders.

Managed service providers can demonstrate they are monitoring activity on their systems and services by implementing the guidance from the Windows Event Logging and Forwarding publication.

Are you regularly assessing your systems and services?

In order to protect their systems, and that of their customers, it is important that managed service providers are aware of, and appropriately risk manage, security vulnerabilities in their systems and services.

Managed service providers can demonstrate they are regularly assessing their systems and services by conducting regular vulnerability assessment activities.

Are you prepared for, and able to respond to, cyber security incidents?

Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and response to, a cyber security incident can greatly decrease its impact.

Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can assist in the early and effective management of cyber security incidents by specialists trained in this field.

Managed service providers can demonstrate they are prepared for, and able to respond to, cyber security incidents by implementing the guidance from the Preparing for and Responding to Cyber Security Incidents publication.

Further information #

The Information Security Manual is a cyber security framework that organisations can apply to protect their systems and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential Eight, complements this framework.