Purpose: The following MSPAlliance MSP/Cloud Verify Guidance Bulletin is written to provide analysis and suggestions for improved service delivery operations.
Subject: MSP Vendor Management and use of third party audits
Bulletin Highlights:
- Develop Vendor Management Policy
- Update your third party audit/examination report at least every 12 months
- Don’t exclusively rely on data center reports
- Vendor management reports are not an excuse for the MSP not to get its own examination/audit report
As part of the MSP/Cloud Verify program, MSPs are required to maintain and use an effective vendor management policy for all third party vendors and partners. This policy should be documented and under regular review and change control. Part of an effective vendor management policy is the review of new third party relationships, specifically the request and periodic review of third party audit reports.
Third party audit reports are useful both for minimizing risk to the MSP and for ensuring the third party has been properly vetted for the specific use the MSP makes of it. When requesting a third party review from a vendor, the report should be examined to determine not only its relevance to the third party, but also whether the scope of the review actually covers the services the third party provides to the MSP.
Specifically, when requesting an independent review of the third party, the review should cover not only the data center, but also the third party itself. It is not sufficient to accept an audit report (for example, an SSAE 16) from the data center where the third party hosts its infrastructure. Beyond the physical and environmental controls it covers, the data center provider’s report will not address fundamental issues in the vendor’s own internal practices: physical and logical security, data privacy, and the geolocation of data and personnel.
Third party audit reports should also be evaluated to ensure that the information being reported on is current. Third party reports older than 18 months should be considered stale and no longer relevant. As part of an effective vendor management process, reports should be reviewed at least annually so that MSPs stay up to date on, and aware of, the operating effectiveness of the controls currently in place at the third party.
The practice of relying on third party reports that cover only the data center is generally not accepted and should be considered an area of risk to the MSP. Especially when dealing with regulated or security-sensitive customers, such a practice could be detrimental to the customer and, consequently, to the MSP.
