Election Security Spotlight – What is a Managed Service Provider?
What is a Managed Service Provider?
A Managed Service Provider (MSP) is a vendor that offers IT management to ensure workstations, servers, and networks are operational. MSPs outsource some core services of internal IT departments. They can be hired to support specific projects, supplement existing IT staff, or as a comprehensive solution for multiple IT needs. An MSP will often create and implement high level IT strategy, fix technical issues, backup data, update systems, and set up security controls. To support these services, the MSP may install and update remote management software on your systems.
Why it matters
Election offices with resource constraints can especially benefit from using the MSP model. The cost and scalability of MSPs allow offices with a limited IT staff to access services that may be challenging to implement with a small IT team.
- An IT team can evolve from a reactive plan for technology problems, to implementing proactive strategy to prevent issues before they occur.
- An election office using on-site data backups may be able to maintain off-site backups.
- An election office reliant solely on anti-virus may be able to take advantage of a broader set of defense-in-depth tools to secure their network.
MSPs are widely used and often provide many layers of security to clients. However, there are security issues to consider when allowing an outside entity remote access to a system. As single MSPs may connect to multiple customer organizations, malicious cyber actors may consider MSPs to be high value targets. Malicious cyber actors can use the legitimate connection made between an MSP and your office, accessing your systems to corrupt data, install malware, and steal information. There have been multiple cases of malicious cyber activity against MSPs resulting in the compromise of their customers.
What you can do
- Check A Guide for Ensuring Security in Election Technology Procurements before purchasing any services from a third party vendor.
- Assess security risks from a vendor using Part 2 of the Guide.
- Perform cost-benefit analysis for security requirements.
- Conduct thorough review of the vendor’s security practices and responses to previous security risks.
- Define specific performance standards for your vendor within a Service Level Agreement (SLA), in accordance with best practice 18 of the guide. Continually evaluate and modify as needed.
- Review Managing Cybersecurity Supply Chain Risks in Election Technology: A Guide for Election Technology Providers
- Identify and document the business relationship you have with your MSP, using the Guide.
- Request information from your MSP about their security measures using the list in Appendix B.
- Continually assess the risk associated with using your MSP, focused on your critical systems.
- Apply the CIS controls to your IT management practices.
- Be prepared for any security risks associated with IT management, whether an internal department or third party vendor.
- Develop an incident response plan, as indicated in CIS Control 19.
- Follow recommendations for data recovery capabilities in CIS Control 10.
Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to [email protected] to request a topic.