Establish Basic Cyber Hygiene Through a Managed Service Provider (MSP)
Small and medium organizations can face a variety of IT challenges: insufficient funding, constantly evolving technologies, growing legal and regulatory requirements, and a lack of skilled and trained IT employees. Oftentimes, these enterprises rely on third-parties like Managed Service Providers (MSPs) for portions, or in some cases, all of their IT infrastructure and services so that they can focus on other operations.
The Center for Internet Security (CIS) has released guidance to help enterprises with this challenge. The new guide, Establishing Basic Cyber Hygiene Controls Through a Managed Service Provider, can help small and medium enterprises ensure their basic cyber hygiene needs are met by their service provider.
The CIS Controls use Implementation Groups to prioritize where organizations should start in their basic cyber hygiene plan. By understanding which Implementation Group and CIS Controls meet your organization’s needs, you will be more prepared to incorporate an MSP into your strategy.
The CIS Controls are internationally recognized for bringing together expert insights about threats, business technologies, and defensive options into an effective, coherent, and simple way to manage an organization’s security improvement program. They are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are comprised of 20 Controls that are supported by 171 Sub-Controls, or Safeguards.
In CIS Controls V7.1, CIS introduced a new prioritization scheme called Implementation Groups (IGs):
- IG1 is the definition of basic cyber hygiene and represents an emerging minimum standard of information security for all enterprises.
- IG2 prescribes what has to be done for more sensitive components of an organization depending upon the services and information they handle.
- IG3 is the highest level of cyber hygiene. These are steps fully mature organizations should take to protect the most sensitive parts of their missions.
MSP Services and Solutions
MSPs, from a security perspective, can help enterprises reduce the risk of understaffed and underfunded in-house solutions. Due to their offerings, MSPs are highly attractive to potential clients. They offer a wide range of solutions and services that include, but are not limited to, those listed below:
- Anti-virus, anti-spam, anti-phishing, and anti-malware services
- Data backup services
- Network monitoring services
- Software configuration and provisioning services
- Cloud computing services (applications, services, resources, management)
- Hardware configuration and implementation services
- Network infrastructure configuration, implementation, and enhancement services
- Patch, repair, and update management services
- On-demand augmentation of incumbent staff/expertise
Ensuring Basic Cyber Hygiene with MSPs
How can small and medium enterprises protect themselves while taking advantages of some of the benefits of working with an MSP? Asking the right questions when shopping for a provider can help inform an enterprise’s decisions.
The new guide considers the issue from the perspective of the CIS Controls and provides a baseline of questions to ask MSPs. It is especially important to know:
- The types of controls that are implemented at the MSP for their own security
- Which CIS Controls are implemented by the MSP on behalf of its clients
The guide contains a questionnaire that can be modified to address an enterprise’s specific concerns before it is provided to the MSP.
The 43 Safeguards in CIS Controls IG1 provide a guideline for basic cyber hygiene for all enterprises. In particular, IG1 can be easily implemented by small and medium enterprises, potentially with support from an MSP. These Safeguards will help organizations protect their IT infrastructure, systems, and data from most cyber-attacks.
The new guide, Establishing Basic Cyber Hygiene Controls Through a Managed Service Provider, is an effective way for organizations to ensure their basic cyber hygiene needs are met when contracting with an MSP.