US CISA publishes risk-response guidance for organizations that use MSPs
This resource focuses guidance to the three main organizational groups that play a role in reducing overall risk: (1) senior executives and boards of directors (strategic decision-making); (2) procurement professionals (operational decision-making); and (3) network administrators, systems administrators, and front-line cybersecurity staff (tactical decision-making).
The bottom line is that outsourcing IT services provides both increased benefits and risk to an organization. Key responsible individuals should take a step back to look at the security practices in place across their enterprise to answer:
Who is responsible for security and operations when outsourcing IT services to an MSP?
What are the most critical assets that we must protect and how do we protect them?
What should an MSP provide to an organization in advance of a contract award to demonstrate security controls in place?
What network and system access levels are appropriate for third-party service providers?
It will require effort and time upfront for an organization to review their security practices and answer these types of questions. But, in the long run, it will help them spot pockets of risk from third-party vendors and improve their overall security and resilience.