A study conducted by Deloitte in 2017 identified that organizations on average spend 3.28% of their annual budget on IT-related services and products. The financial sector typically spends over 7% of its annual budget on IT services and products, while construction spends only 1.51%. Many companies have begun outsourcing IT services to maintain a fixed cost and have access to services and products that would normally be beyond the organization’s budget. A Managed Service Provider (MSP) can provide those services and products to clients thanks to economies of scale.
Once your organization has decided to engage external resources, it is important that proper due diligence is performed. Initially, you should identify at least three potential vendors for the process. This will help identify irregularities in pricing models and deficient services. In addition, here are ten questions to ask your potential third parties prior to entering a relationship.
1. What is their experience with your type of industry and organizational size?
If you are a small to medium-sized credit union, working with an MSP that is familiar with similar-sized institutions can oftentimes require less hand-holding and provide valuable insight for initiatives and projects. A third party that has experience with similarly situated clients can be direct and communicate products and services that they have seen work with those clients. They can also share stumbling blocks that have cropped up and how to either resolve those issues or provide alternative solutions within the budget, time constraints, and other resource limitations. A third party that works with larger institutions and mega-banks may be great at what they do but will not necessarily understand the nuances of a smaller organization.
2. Can they meet the regulatory requirements for your organization?
If your organization is regulated, it is important that your selected third party can support regulatory compliance. You will be expected to show that you have performed due diligence on the third party and perform continuous monitoring, ensuring that they at least meet the minimum standards. Depending on the type of data the MSP will access, store, or process, a more frequent review of security controls may be required. Be prepared to demonstrate to your regulator that the third party is an extension of your compliance program. The third party should permit you a right-to-audit if they are handling confidential or sensitive information. This should be included with your standard third-party contracts.
3. Can they meet your organization’s information security requirements?
This is very similar to meeting regulatory requirements, but it is important to note that compliance does not equal security. You may have stricter controls than your regulator requires, or you may not have regulatory oversight but want to follow best practices to protect data and to limit potential liability, financial losses, and damage to organizational reputation. You may be aligned to a specific framework or simply have a well-defined security management program. Once the potential MSP has signed a non-disclosure agreement (NDA), share the security management program with them so they can review it and determine if they can meet your security requirements. As with compliance, perform regular assessments and reviews of their attested security controls to verify that the controls are in place and effective. You should convey to the MSP what your organization considers a security incident and inquire if they can follow that definition. You should also communicate what the expectations are for notification time and channels for communicating the incident.
4. Can the MSP provide proof of financial stability?
The MSP should be able to demonstrate that they are financially secure. This can be done through public financial disclosures like a 10-K or through a third-party audit.
5. Can the MSP provide a Service Level Agreement (SLA) that meets your organization’s needs?
The third party should be able to attest to the expected response and time for correction for support calls, project implementations, and system configuration changes or updates. The SLA should define when the time starts and what is considered an SLA-related task. The MSP should provide a monthly SLA report and demonstrate the tracking mechanisms used to report the SLA fulfillment. They should also communicate the expected penalties for not meeting the SLA.
6. Does the MSP employ skilled, competent, and experienced staff?
Most MSPs are going to respond in the affirmative. However, competency and experience can be verified by requesting a list of staff certifications and relevant training. It may also include interviews with staff to determine competency. Part of the process may also involve performing reference checks with similar institutions that use that MSP. Think of this as performing a background check on a new employee. With that, inquire if the MSP performs employee criminal background checks, particularly if the MSP will be handling sensitive financial information. You should also ask about the annual staff turnover rate. A high rate of turnover could indicate a possible issue with the third party that will not be discovered through other means.
7. Will the MSP outsource or subcontract any work?
Initially, the third party may state that they will not subcontract or outsource work. As time progresses, that may change due to simplicity or complexity of work, financial pressures, or temporary reduction of staff resources. Require that mechanisms are in place to ensure notification and official sign-off if your work is subcontracted or outsourced. Confirm the MSP will perform due diligence and continuous monitoring to ensure the subcontractor meets your security requirements.
8. Does the MSP have the scalability and capacity to meet fluctuating demands?
Your organization may have certain times of the year when you see a dramatic increase in demand for resources. In the financial and retail sectors, this is generally during the Christmas shopping season. This could include increased data processing, transmission, and storage. In some instances, it could be related to new infrastructure projects that require additional support services. The MSP should be able to provide information regarding how capacity and resources will be allocated, the timeframe or expected delay time, and the estimated cost of the change.
9. Do they have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?
The third party should have a plan in place to continue supporting and providing services to you in the event of an interruption of power or communication services, system failures, or other service-impacting events. The MSP should be willing to provide the BCP/DRP upon request. They should also be able to provide the last test and the results of the test.
10. What is the process for terminating the relationship?
No one wants to go into a relationship discussing a possible break-up, but this is a critical part of the vendor process. The MSP should provide how contracts are renewed and what the requirements are for terminating the contract. You should require a decommissioning process to ensure that all data is removed or destroyed post-relationship. In the event data must be retained by the third party due to regulatory or business requirements, inquire if the third party can continue to provide storage and services post-relationship and also permit ongoing security monitoring to confirm that security controls are still in place to protect the data.
This list is not intended to be exhaustive or complete. It highlights areas sometimes missed when searching for third parties. Managed Service Providers are a great resource to control costs, provide new offerings to customers and employees, and leverage skill and experience your organization would otherwise not have. Performing due diligence can provide additional confidence in your selection. If you are ready to explore retaining a new MSP or if you would like to understand how Intrinium can assist your business with your MSP needs, reach out to us today.