Taking reasonable care with your third party engagements
In our February newsletter we talked about the need to ensure that any third parties engaged to do work for your organisation preserve the confidentiality, integrity, and availability of your information. One of the steps you can take to improve in this third-party risk area is the level of due diligence you apply, both upfront and on an ongoing basis, to each of your third party engagements.
What are some of the due diligence considerations to take into account when selecting an IT service provider or managed service provider (MSP)?
A major component of your checks should be to understand how they access and look after their customers’ systems and data, plus how they secure their own systems and data. Any shortcomings in a provider’s security processes, procedures and practices could result in a security incident with the potential to compromise your organisation and its data.
What should the focus of your attention be?
A high-level list of topics and questions we recommend you include as part of a vetting exercise:
- Do they have a documented Incident Response plan in place? – leading to further questioning about how the plan is tested and updated.
- What security incidents have they had in the last 12 months? – leading to further questions about how the provider managed and recovered from any incidents they experienced.
- Have they implemented a Business Continuity plan? – leading to further questioning on how the plan is tested and updated.
- When was the last time they conducted a disaster recovery test? – leading to questions on metrics for RPO and RTO.
- Back-ups – where are they stored, are they encrypted, what are the key management specifics, and what are the access arrangements for back-ups and the encryption keys?
- What internal controls are in place to manage their own systems?
- Details on their patching and vulnerability management arrangements – leading to questions about the frequency of vulnerability assessments and testing, vulnerability remediation times, and patching procedures.
- How do they monitor, detect and respond to events? – questions to determine what solutions are in place for the provider to monitor their own infrastructure or the shared infrastructure used to support customers.
The 8 examples above certainly don’t cover the full extent of the in-depth questioning you should apply when conducting a thorough check of an IT service provider or MSP. Other key topics to cover are: company and personnel background; compliance considerations; documentation (policies, processes and procedures); risk assessment and penetration testing arrangements; and insurance cover.
Contact Mike to discuss how we can assist your organisation in conducting due diligence on your IT service provider or MSP.
Click Here to find out about our Third Party Information Security Risk Review
“There was almost a sigh of relief”
Wellington Shire Council deployed Policy Management as a Service to its team of 300+ people. Read about some of the policy challenges they previously faced and how the new service has assisted the organisation and Max Horvath (Coordinator of ICT Operations) to implement a comprehensive suite of new policies within a short timeframe.
Read the Wellington Shire Council Case Study
Security is on Harbour Software’s agenda
Harbour Software provide fully integrated cloud-based agenda and minutes solutions to optimise business processes and elevate efficiencies in the Local Government sector. The company understands that their existing and potential clients rely upon them to have, and to be able to demonstrate that they have, good security practices in place. They recognise their responsibility to have good foundational policy guidance in place to assist them to achieve this. Read about how their Policy Management as a Service project helped them to meet that requirement.
Read the Harbour Software Case Study
Contact Steve to discuss our Policy Management as a Service.