A Managed Service Provider (MSP) is a company that performs an assortment of IT services for customers, often for small to moderately sized businesses with limited in-house IT capabilities. Services provided by an MSP can vary and may include technical support, which keeps a customer’s infrastructure up and running, and security services like managing firewalls, antivirus and patching solutions. MSPs can also help customers recover from a security breach.
So should MSPs have a SOC report? While there are no established requirements to do so, it may in fact be beneficial. A SOC 2 report, for instance, would demonstrate that an MSP has appropriate controls in place relevant to the services provided to customers based on the applicable trust services criteria. That could provide a competitive advantage in the marketplace, since obtaining a SOC report makes a strong statement about the MSP’s principal service commitments and system requirements. Plus, providing the report may render customer onsite visits or periodic assessments unnecessary.
Here are a few example controls that would be expected to be in place at an MSP (this is not an all-inclusive or exhaustive list):
The Network Monitoring Center monitors alerts on a 24/7 basis
Access to client information is permitted only via multifactor authentication
The MSP can access client systems only through a VPN or other encrypted means
Monitoring tools (such as a SIEM) monitor the MSP and customer systems to automatically detect threats
Change requests from clients are evaluated to determine requirements and the potential effect
Client approval is required for all changes prior to commencement of changes
For clients where the MSP monitors the status of backup jobs, tickets are created and attempts are made to correct any detected backup failures
When needed, the MSP communicates backup failures to the client
Customers rely on their MSP to protect data and answer questions regarding IT issues. By obtaining a SOC 2 report, MSPs can alleviate many customers' concerns and demonstrate their commitment to implementing and maintaining strong controls.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].