A Managed Service Provider (MSP) is a company that performs an assortment of IT services for customers, often for small to moderately sized businesses with limited in-house IT capabilities. Services provided by an MSP can vary and may include technical support, which keeps a customer’s infrastructure up and running, and security services like managing firewalls, antivirus and patching solutions. MSPs can also help customers recover from a security breach.
So should MSPs have a SOC report? While there are no established requirements to do so, it may in fact be beneficial. A SOC 2 report, for instance, would demonstrate that an MSP has appropriate controls in place relevant to the services provided to customers based on the applicable trust services criteria. That could provide a competitive advantage in the marketplace, since obtaining a SOC report makes a strong statement about the MSP’s principal service commitments and system requirements. Plus, providing the report may render customer onsite visits or periodic assessments unnecessary.
Here are a few example controls that would be expected to be in place at an MSP (this is not an all-inclusive or exhaustive list):
- The Network Monitoring Center monitors alerts on a 24/7 basis
- Access to client information is permitted only via multifactor authentication
- The MSP can access client systems only through a VPN or other encrypted means
- Monitoring tools (such as a SIEM) monitor the MSP and customer systems to automatically detect threats
- Change requests from clients are evaluated to determine requirements and the potential effect
- Client approval is required for all changes prior to commencement of changes
- For clients where the MSP monitors the status of backup jobs, tickets are created and attempts are made to correct any detected backup failures
- When needed, the MSP communicates backup failures to the client
Customers rely on their MSP to protect data and answer questions regarding IT issues. By obtaining a SOC 2 report, MSPs can alleviate many customer concerns and demonstrate their commitment to implementing and maintaining strong controls.