The Unified Certification Standard (UCS) for Cloud & Managed Service Providers is based on 10 core principles of how a IT service organization should operate. These principles, or control objectives as they are called in the auditing world, provide the basis of the UCS and make it the best model for evaluating cloud and MSP companies. Each of the 10 control objectives in the UCS is supported by individual controls that are used when the company goes through the certification process. Furthermore, when the company successfully completes the certification process, they will receive a UCS audit report, that precisely details how the company implements those controls and control objectives. The following are the UCS control objectives:
UCS Control Objectives Summaries and Purpose
UCS Objective 1: Governance
UCS Objective Summary and Purpose: The goal of the Governance Objective is to provide assurance to the Customer that the MSP has established a corporate and organizational structure designed to maximize efficiency, minimize risk, provide sufficient oversight and accountability with regards to the services delivered. This objective also addresses vendor management protocols of the MSP.
UCS Objective 2: Policies and Procedures
UCS Objective Summary and Purpose: The goal of the Policies and Procedures Objective is to ensure the MSP has documented the necessary policies and procedures in order to maintain effective service delivery levels, as well as to minimize deviation from those established policies and procedures.
UCS Objective 3: Confidentiality and Privacy
UCS Objective Summary and Purpose: The goal of the Confidentiality and Privacy Objective is to ensure the MSP has sufficient policies and procedures related to the protection of Customer data, specifically protocols safeguarding confidentiality, privacy, and geolocation of managed data including third party managed data.
UCS Objective 4: Change Management
UCS Objective Summary and Purpose: The goal of the Change Management Objective is to ensure the MSP has change management procedures that are under formalized change controls. Such change management documentation may include, if applicable, capacity planning, modification to MSP and Customer configurations and programming code changes. Customer change management policies are documented based on the level of services delivered to the Customer by the MSP.
UCS Objective 5: Service Operations Management
UCS Objective Summary and Purpose: The goal of the Service Operations Management Objective deals with how the MSP identifies and responds to IT related events that could impact services delivered to the Customer. In this UCS objective, the examination covers the MSP’s Network Operations Center (“NOC”), Trouble Ticketing systems and Service Desk operations specifically related to event management policies and procedures.
UCS Objective 6: Information Security
UCS Objective Summary and Purpose: The goal of the Information Security Objective is to ensure the MSP has implemented necessary controls to effectively govern access to managed data, networks and systems that may compromise security of both the MSP and the Customer. This includes remote access policies, user account administration, authentication, wireless access, segregation of duties, network security scans and assessments, and the monitoring of access to Customer systems.
UCS Objective 7: Data Management
UCS Objective Summary and Purpose: The goal of the Data Management Objective is to confirm the MSP has sufficient policies and procedures to ensure the integrity and availability of managed Customer and MSP internal data in the event of natural disasters, cyber attacks (i.e., ransomware), and user error or malfeasance. This includes the implementation of data backup as well as encryption, security, retention, and restoration of managed Customer and MSP internal data.
UCS Objective 8: Physical Security
UCS Objective Summary and Purpose: The goal of the Physical Security Objective is to ensure the MSP has documented policies and procedures governing physical access and environmental security of the MSP’s assets. MSP must demonstrate sufficient physical security controls at each facility, including controls such as physical access administration, card key, CCTV, on-site security, visitor/guest logs and other effective security and environmental controls.
UCS Objective 9: Billing & Reporting
UCS Objective Summary and Purpose: The goal of the Billing & Reporting Objective is to ensure the MSP is accurately monitoring service delivery, reporting, and invoicing for Customers in accordance with SLAs signed by both parties.
UCS Objective 10: Corporate Health
UCS Objective Summary and Purpose: The goal of the Corporate Health Objective is to ensure sufficient corporate and financial health on the part of the MSP so that all of its Customers are adequately protected. Technical proficiency is only part of the MSP’s value to the Customer. The MSP must be on firm financial footing, as well as risk averse in a variety of areas unique to manage service and cloud in order to effectively deliver its services to the Customer.