Objectives and Underlying Requirements
The following UCS Objectives and underlying Requirements will be used by the independent auditor to perform the necessary verification procedures to issue a report on the MSP/Cloud MSP seeking certification. In addition to being used by the independent auditor, these requirements can be used by the MSP to anticipate specific documentation and verification requirements that will likely arise during the examination process.
This version of the UCS became effective on July 16, 2020.
UCS Objective Summary and Purpose: The goal of the Governance Objective is to provide assurance to the Customer that the MSP has established a corporate and organizational structure designed to maximize efficiency, minimize risk, and provide sufficient oversight and accountability with regard to the services delivered. This objective also addresses the MSP’s external service provider management protocols.
01.01 Organizational Structure – The MSP has a formal management structure, with an executive steering committee / board of directors responsible for the management and supervision of the company.
01.02 Strategic Planning – Strategic plans and priorities have been developed and communicated to the management of the company.
01.03 Risk Assessments – Risk assessments are conducted regularly to identify risks. Risks are logged and communicated to upper management to ensure the adequate and timely analysis / addressing of identified risks.
01.04 Software Licensing – Where infrastructure, platform, or software as a service is being delivered, the MSP has a process for determining its legal and financial risk from software audits or third-party intellectual property claims.
01.05 External Service Provider Management – External service providers (contractors, third-parties, vendors) utilized by the MSP for delivery of cloud and/or managed services are evaluated and approved by a designated employee.
UCS Objective Summary and Purpose: The goal of the Policies and Procedures Objective is to ensure the MSP has documented the necessary policies and procedures in order to maintain effective service delivery levels, as well as to minimize deviation from those established policies and procedures.
02.01 Documentation of Policies and Procedures – Policies and procedures have been formally documented to guide the daily operations of the MSP.
02.02 Data Breach and Cyber-Attack Policies and Procedures – Policies and procedures have been formally documented to address data breaches, ransomware payments, and cyber-attacks impacting the daily operations of the MSP and, if applicable, its Customer.
02.03 Periodic Review and Approval – Policies and procedures are reviewed and updated at least annually to ensure any modifications are approved and implemented.
02.04 Employee Acceptance – Employees are required to sign and attest to their understanding and adherence to MSP’s policies and procedures.
02.05 Training and Orientation – New employee orientation / training and continuing education programs for existing employees are implemented to address the ethical, integrity, confidentiality, privacy, security and acceptable use standards developed by the MSP.
UCS Objective Summary and Purpose: The goal of the Confidentiality and Privacy Objective is to ensure the MSP has sufficient policies and procedures related to the protection and disclosure of Customer data, specifically protocols safeguarding confidentiality, privacy, geolocation of managed data (including external service provider managed data) and identification of applications utilized to deliver services.
03.01 Employee Background Checks – Background checks are conducted on personnel in accordance with MSP policies and procedures.
03.02 Employee Confidentiality and Privacy Acceptance – Employees are required to sign and attest to their understanding and adherence to MSP’s confidentiality and privacy policies.
03.03 Data Classification and Encryption – Customer data classified as confidential or private is encrypted in accordance with applicable industry best practices or regulations.
03.04 MSP Data Geolocation Disclosure – Policies and procedures are implemented to govern the identification and disclosure of the geolocation of managed data.
03.05 External Service Provider Access Management – Access to the MSP’s and Customer’s information systems by an external service provider is granted on an as-needed basis. When granted, access is monitored, logged and reviewed in accordance with operational policies and procedures.
03.06 External Service Provider Access Disclosure – Policies and procedures have been implemented to govern the communication and disclosure of external service provider access to Customer information systems and data.
03.07 External Service Provider Geolocation Disclosure – Policies and procedures have been implemented to govern the identification and geolocation disclosure of external service provider managed data.
UCS Objective Summary and Purpose: The goal of the Change Management Objective is to ensure the MSP has formalized change management policies and procedures that may include, if applicable, the modification of MSP and Customer configurations, capacity planning and patch management. Customer change management policies are documented based on the level of services delivered to the Customer by the MSP.
04.01 Configuration Documentation – Configuration data for objects managed or monitored is documented based on level of service prior to management of the object.
04.02 Customer Categorization – Customers are adequately categorized and identified within the MSP’s systems.
04.03 Change Tracking – Modifications to Customer object configurations are documented to ensure changes are evaluated and approved by the Customer prior to implementation. Configuration data is updated following implementation to reflect the current Customer configuration.
04.04 Capacity Planning – The MSP monitors the capacity of managed objects and environments. If applicable, the MSP manages, proactively plans (both internally and with the Customer) and prioritizes capacity requirements.
04.05 Patch Management – Vendor supplied software and hardware patches are applied to managed objects and environments following standardized procedures. When applicable, patches are tested in a test environment and applied during planned or accepted maintenance windows.
UCS Objective Summary and Purpose: The Service Operations Management Objective deals with how the MSP identifies and responds to IT-related events that could impact services delivered to the Customer. In this UCS objective, the examination covers the MSP’s Network Operations Center (“NOC”), trouble ticketing systems and Service Desk operations, specifically as they relate to event management policies and procedures.
05.01 Centralized Operations Center – A Managed Service/Network/Secure Operation Center (MSOC/NOC/SOC) is used to provide effective and secure monitoring and management of MSP and Customer managed environments.
05.02 Support and Problem Logging – A problem management system (help desk / ticketing system) has been implemented to ensure that operational events that are not part of the MSP’s standard operations are recorded, analyzed and resolved in a timely manner.
05.03 Categorization and Correlation – Problem / incident tickets are categorized to allow for event correlation and the elimination of false positives.
05.04 Support and Problem Resolution – Problems and/or incidents identified in the Customer’s environment are properly resolved and such resolution is documented and reported to both MSP and Customer management.
05.05 Operations Monitoring – MSP management performs a periodic internal review of tickets and operational events.
UCS Objective Summary and Purpose: The goal of the Information Security Objective is to ensure the MSP has implemented the controls necessary to effectively govern access to managed data, networks and systems, the compromise of which could affect the security of both the MSP and the Customer. This includes remote access policies, user account administration, authentication, wireless access, segregation of duties, network security scans and assessments, and the monitoring of access to Customer systems.
06.01 Access to Applications and Environments – Access to Customer systems and configuration data is restricted to authorized personnel.
06.02 Super-User and Administrator Access Security – Administrator IDs to information systems (network and in-scope critical systems) are restricted to a limited number of approved personnel.
06.03 Revocation of Access – Logical access to the MSP’s information systems (MSP LAN and web portals) and Customer systems and data is revoked and reviewed for terminated and departing employees.
06.04 Unique Users and Passwords – Users authenticate to the MSP’s information systems and the underlying Customer data using unique user account IDs and passwords.
06.05 Strong Passwords – User authentication password mechanisms are implemented and require minimum standards for password length, complexity, expiration, re-use and account lockout for failed attempts.
06.06 Segregation of Access – Access to information systems (including Customer systems and data) is separated by functional area to ensure segregation of duties.
06.07 Periodic Review of Access Rights – Access to information systems and the underlying Customer systems and data is reviewed by the MSP’s upper management on a periodic basis to ensure access to resources is appropriately restricted to approved personnel.
06.08 Secure Remote Access – Remote access to the MSP and Customer information systems is restricted to authorized personnel. Remote access is monitored, logged and reviewed by MSP management.
06.09 Network Security Management and Monitoring – Local and wide area networks are secured through the use of managed firewalls and other devices and software. Where applicable, intrusion detection/prevention controls and security information and event management (SIEM) systems are utilized to monitor and secure the MSP’s network.
06.10 Email Security – MSP has implemented applications and/or systems to scan and protect email and environments from email attacks and malware or viruses.
06.11 Antivirus – MSP has implemented an antivirus system on network connected devices and traffic (web and email) to scan and protect its environment.
06.12 Wireless Network Security – MSP’s wireless network is segregated from its guest wireless network. The guest wireless network’s internet access is provisioned through a demilitarized zone.
06.13 Network Security Assessments – Network security assessments of the MSP’s network are conducted on a periodic basis.
UCS Objective Summary and Purpose: The goal of the Data Management Objective is to confirm the MSP has sufficient policies and procedures to ensure the integrity and availability of managed Customer and MSP internal data in the event of natural disasters, cyber-attacks (i.e., ransomware), and user error or malfeasance. This includes the implementation of data backup as well as encryption, security, retention, and restoration of managed Customer and MSP internal data.
07.01 Customer Data Backup and Replication – Where applicable, Customer data backup schedules are documented and followed in accordance with contractual service agreements. Backups are monitored, and any errors are handled in accordance with operations management policies and procedures. Customer backup and/or replicated data is encrypted in accordance with contractual requirements.
07.02 MSP Data Backup and Replication – MSP data backups are completed and monitored in accordance with backup schedules, and any errors are handled in accordance with operations management policies and procedures. Backup and/or replicated data is encrypted in accordance with MSP policies and procedures.
07.03 Data Recovery Testing – Backup data restoration and recovery testing procedures are conducted on a periodic basis, with the results of tests being logged and monitored by the MSP.
07.04 Disaster and Business Continuity Planning – Business continuity plans are documented and tested on a periodic basis to ensure the integrity of MSP and, if applicable, Customer data.
07.05 Data Destruction – Objects containing Customer data are handled and destroyed in accordance with end of life policies.
UCS Objective Summary and Purpose: The goal of the Physical Security Objective is to ensure the MSP has documented policies and procedures governing physical access and environmental security of the MSP’s assets. MSP must demonstrate sufficient physical security controls at each facility, including controls such as physical access administration, card key, CCTV, on-site security, visitor/guest logs and other effective security and environmental controls.
08.01 Office Security – Sufficient physical security controls are implemented at each facility utilized by the MSP.
08.02 Logging of Visitors/Guests – Visitor / guest logs are maintained at each facility by the MSP. Visitors / guests are required to sign the log upon entering the building and are required to present photo ID to MSP personnel prior to gaining access to the premises.
08.03 Sensitive Area Security – Physical access to the NOC and data center is restricted to authorized personnel. Access rights of personnel are reviewed and approved by MSP upper management on a periodic basis.
08.04 Revocation of Physical Access – Upon termination, employee access to the MSP’s facilities is revoked.
UCS Objective Summary and Purpose: The goal of the Billing & Reporting Objective is to ensure the MSP is accurately monitoring service delivery, reporting, and invoicing for Customers in accordance with SLAs signed by both parties.
09.01 Signed Contracts and Agreements – Signed service contracts are in place between the MSP and Customers.
09.02 Accuracy of Service Invoices – MSP invoices are generated in accordance with signed service contracts.
09.03 Report Availability – Performance reports are available to Customers in accordance with signed service contracts.
UCS Objective Summary and Purpose: The goal of the Corporate Health Objective is to ensure sufficient corporate and financial health on the part of the MSP so that all of its Customers are adequately protected. Technical proficiency is only part of the MSP’s value to the Customer. The MSP must be on firm financial footing, as well as risk averse in a variety of areas unique to managed services and cloud in order to effectively deliver its services to the Customer.
10.01 Operational Sustainability – Financial reports demonstrate profitability for a minimum of 6 of the previous 12 months, or sufficient access to the funds necessary to keep the MSP operational for a 12-month period of time.
10.02 Significant Customer Risk – The MSP demonstrates sufficient managed services revenue distribution so that the largest Customer does not represent more than 20% of total managed services revenue and the five largest Customers do not represent more than 50% of total managed services revenue.
10.03 Gross Profit Margin on Services – The MSP demonstrates that 30% gross profit margin is realized on its managed service/cloud offerings.
10.04 Customer Commitments – The MSP demonstrates that the majority of its customer base and revenues are not from month-to-month service contracts.
10.05 Insurance – The MSP maintains errors and omissions, professional liability, cyber security and any other applicable insurance policies necessary to mitigate MSP business disruption.
10.06 Customer and Employee Retention Tracking – The MSP maintains records to track the retention of customers (both voluntary and involuntary) and employees (both voluntary and involuntary) to ensure business continuity.