August 19th, 2021
Managed Service Provider Oversight - WST
Many financial institutions outsource some or all of their Information Technology operations and management to third-party organizations, commonly known as Managed Service Providers (MSPs). The relationship between the institution and the MSP is critical to the overall viability and stability of the organization’s infrastructure; however, we often find that oversight functions are not clearly defined, or are absent altogether.
The FFIEC booklet “Outsourcing Technology Services” (https://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx) contains valuable guidance regarding how the institution should manage and monitor each MSP. Some things to consider:
- Business Continuity/Disaster Recovery testing: The MSPs involved in any recovery process should be contractually obligated to meet the Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Maximum Allowable Downtime (MAD) targets defined in the institution’s Business Impact Analysis (BIA) document. The BIA sets expectations for the institution regarding recovery and continuance of operational functions, and institutions should work with the MSP to determine whether existing recovery solutions are capable of meeting those recovery targets, or whether changes are needed to meet the institution’s needs. If the MSP is not contractually obligated to meet these expectations, it may only provide “best effort.” Consequently, if the MSP does not meet the objective, it can only apologize for missing an expectation set by the institution for which the MSP was never contractually obligated. It’s the old “You can outsource the work, but not the risk.”
- Service Level Agreements (SLA): MSPs should include service level commitments in contracts. Each SLA should be measurable, and MSPs should provide performance metric reporting on a regular basis. In addition, the contract should specify recourse should the MSP not meet the obligations defined by the SLAs. A few things that should be documented in the contract:
  - Time to respond to a service request
  - Availability metrics for hosted solutions
- MSP Audit information: Each MSP should provide the institution with all necessary documentation regarding the MSP’s internal and external audits. Keep in mind that smaller MSPs may not have the resources to undergo a more complex audit such as an SSAE 18 examination.
- Information Confidentiality: The MSP should agree to comply with the institution’s data security practices and certify that all MSP employees will comply with the institution’s data security policy and procedures, in compliance with GLBA rules.
- The financial state of the MSP: The financial health of the MSP could dramatically affect the level of performance provided to the institution. The MSP should be willing to provide enough financial information to support the institution’s periodic vendor review. Some smaller firms may not wish to share financials, which should be taken into account in your vendor management process.
- Operational security (OPSEC): The MSP should use multi-factor authentication throughout its operations, particularly if it has 24x7 access to your network. The MSP should be able to provide a detailed, time-stamped log of all system access, preferably generated automatically, so that access activity can be reconciled against tickets and work orders.
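One way to carry out the log-to-ticket comparison described above, as an added example in Python that is not part of the original post: each MSP login is matched against a work order for the same account and host whose approved window (plus a grace period) covers the login time, and logins with no covering ticket are listed for follow-up. The log line format, the ticket fields, the account and host names, and the 30-minute grace window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample work orders: ticket id, MSP account, host, approved window.
TICKETS = [
    {"id": "WO-1041", "user": "msp.jsmith", "host": "core-db01",
     "start": "2021-08-16T09:00:00", "end": "2021-08-16T12:00:00"},
    {"id": "WO-1042", "user": "msp.jsmith", "host": "fileserver02",
     "start": "2021-08-17T13:00:00", "end": "2021-08-17T15:00:00"},
]

# Constructed sample access log lines: "<timestamp> <user> <host> <action>".
ACCESS_LOG = """\
2021-08-16T09:12:44 msp.jsmith core-db01 login
2021-08-16T11:47:03 msp.jsmith core-db01 logout
2021-08-17T02:31:10 msp.jsmith core-db01 login
2021-08-17T13:05:21 msp.jsmith fileserver02 login
2021-08-17T16:40:00 msp.jsmith fileserver02 login
"""

GRACE = timedelta(minutes=30)  # tolerance around the approved window (assumption)

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, host, action)."""
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action))
    return events

def reconcile(events, tickets, grace=GRACE):
    """One dict per login: the covering ticket id, or None if no work order matches."""
    results = []
    for ts, user, host, action in events:
        if action != "login":
            continue  # only session starts need an authorising ticket
        match = None
        for t in tickets:
            start = datetime.fromisoformat(t["start"]) - grace
            end = datetime.fromisoformat(t["end"]) + grace
            if t["user"] == user and t["host"] == host and start <= ts <= end:
                match = t["id"]
                break
        results.append({"time": ts.isoformat(), "user": user, "host": host, "ticket": match})
    return results

def unmatched_logins(events, tickets, grace=GRACE):
    """Logins with no covering ticket: the items to raise with the MSP at review time."""
    return [r for r in reconcile(events, tickets, grace) if r["ticket"] is None]
```

Against the sample data, the 02:31 login to core-db01 and the 16:40 login to fileserver02 (after the approved window closed) are reported as unmatched; a wider grace period would absorb the second but not the first.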
Authored by: Bill Wallen, Security+, August 19th, 2021