Objectives and Underlying Requirements
The following UCS Objectives and underlying Requirements will be used by the independent auditor to perform the necessary verification procedures to issue a report on the MSP/Cloud MSP seeking certification. In addition to being used by the independent auditor, these requirements can be used by the MSP to anticipate specific documentation and verification requirements that will likely arise during the examination process.
This version of the UCS became effective May 2021.
UCS Objective Summary and Purpose: The goal of the Governance Objective is to provide assurance to the Customer that the MSP has established a corporate and organizational structure designed to maximize efficiency, minimize risk, provide sufficient oversight and accountability with regard to the services delivered. This objective also addresses external service provider management protocols of the MSP.
01.01 Organizational Structure – The MSP has a formal management structure, with an executive steering committee/board of directors responsible for the management and supervision of the company.
01.02 Strategic Planning – Strategic plans and priorities have been developed and communicated to the management of the company.
01.03 Risk Assessments – Risk assessments are conducted regularly to identify risks. Risks are logged and communicated to upper management to ensure that identified risks are analyzed and addressed adequately and in a timely manner.
01.04 Software Licensing – Where infrastructure, platform, or software as a service is being delivered, the MSP has a process for determining its legal and financial risk from software audits or third-party intellectual property claims.
01.05 External Service Provider Management – External service providers (contractors, third-parties, vendors) utilized by the MSP for delivery of cloud and/or managed services are evaluated and approved by a designated employee.
UCS Objective Summary and Purpose: The goal of the Policies and Procedures Objective is to ensure the MSP has documented the necessary policies and procedures in order to maintain effective service delivery levels, as well as to minimize deviation from those established policies and procedures.
02.01 Documentation of Policies and Procedures – Policies and procedures have been formally documented to guide the daily operations of the MSP.
02.02 Data Breach and Cyber-Attack Policies and Procedures – Policies and procedures have been formally documented to address data breaches, ransomware payments, and cyber-attacks impacting the daily operations of the MSP and, if applicable, its Customer.
02.03 Periodic Review and Approval – Policies and procedures are reviewed and updated at least annually to ensure any modifications are approved and implemented.
02.04 Internal Audit – The MSP shall conduct internal audits at planned intervals to provide information on whether its internal systems are meeting their control criteria.
02.05 Employee Acceptance – Employees are required to sign and attest to their understanding and adherence to MSP’s policies and procedures.
02.06 Training and Orientation – New employee orientation/training and continuing education programs for existing employees are implemented to address the ethical, integrity, confidentiality, privacy, security, and acceptable use standards developed by the MSP.
UCS Objective Summary and Purpose: The goal of the Confidentiality and Privacy Objective is to ensure the MSP has sufficient policies and procedures related to the protection and disclosure of Customer data, specifically protocols safeguarding confidentiality, privacy, geolocation of managed data (including external service provider managed data) and identification of applications utilized to deliver services.
03.01 Employee Background Checks – Background checks are conducted on personnel following MSP policies and procedures.
03.02 Employee Confidentiality and Privacy Acceptance – Employees are required to sign and attest to their understanding and adherence to MSP’s confidentiality and privacy policies.
03.03 Data Classification and Encryption – Customer data classified as confidential or private is encrypted following applicable industry best practices or regulations.
03.04 MSP Data Geolocation Disclosure – Policies and procedures are implemented to govern the identification and disclosure of the geolocation of managed data.
03.05 External Service Provider Geolocation Disclosure – Policies and procedures are implemented to govern the identification and geolocation disclosure of external service provider managed data.
03.06 External Service Provider Access Management – Access to the MSP’s and Customers’ information systems by an external service provider is granted on an as-needed basis. When granted, access is monitored, logged, and reviewed following operational policies and procedures.
</gml_replace>
<gr_replace lines="29" cat="reformat" orig="04.04 Customer">
04.04 Customer Change Tracking – Modifications to Customer object configurations are documented to ensure changes are evaluated and approved by the Customer before implementation. Configuration data is updated following implementation to reflect the current Customer configuration.
03.07 External Service Provider Access Disclosure – Policies and procedures have been implemented to govern the communication and disclosure of external service provider access to Customer information systems and data.
UCS Objective Summary and Purpose: The goal of the Change Management Objective is to ensure the MSP has formalized change management policies and procedures that may include, if applicable, the modification of MSP and Customer configurations, capacity planning and patch management. Customer change management policies are documented based on the level of services delivered to the Customer by the MSP.
04.01 Configuration Documentation – Configuration data for objects managed or monitored is documented based on level of service before management of the object.
04.02 Service Level Categorization – Service levels are adequately categorized and identified within the MSP’s systems.
04.03 Internal Change Tracking – Modifications to internal object configurations are documented to ensure changes are requested, reviewed, and approved following a consistent process.
04.04 Customer Change Tracking– Modifications to Customer object configurations are documented to ensure changes are evaluated and approved by the Customer before implementation. Configuration data is updated following implementation to reflect the current Customer configuration.
04.05 Capacity Planning – The MSP monitors the capacity of managed objects and environments. If applicable, the MSP manages, proactively plans (both internally and with the Customer), and prioritizes capacity requirements.
04.06 Patch Management – Vendor-supplied software and hardware patches are applied to managed objects and environments following standardized procedures. Critical patches are evaluated for issues before release, and applied during planned or accepted maintenance windows. Critical patches are applied as soon as possible to both Customer and internal environments.
UCS Objective Summary and Purpose: The Service Operations Management Objective deals with how the MSP identifies and responds to IT-related events that could impact services delivered to the Customer. In this UCS objective, the examination covers the MSP’s Network Operations Center (“NOC”), Trouble Ticketing systems and Service Desk operations specifically related to event management policies and procedures.
05.01 Centralized Operations Center – A Managed Service/Network/Security Operations Center (MSOC/NOC/SOC) is used to provide effective and secure monitoring and management of MSP and Customer managed environments.
05.02 Support and Problem Logging – A problem management system (help desk/ticketing system) has been implemented to ensure that operational events that are not part of the MSP’s standard operations are recorded, analyzed, and resolved in a timely manner.
05.03 Categorization and Correlation – Problem/incident tickets are categorized to allow for event correlation and the elimination of false positives.
05.04 Support and Problem Resolution – Problems and/or incidents identified in the Customer’s environment are properly resolved and such resolution is documented and reported to both MSP and Customer management.
05.05 Operations Monitoring – MSP management performs a periodic internal review of tickets and operational events.
UCS Objective Summary and Purpose: The goal of the Information Security Objective is to ensure the MSP has implemented the controls necessary to effectively govern access to managed data, networks and systems, since uncontrolled access may compromise the security of both the MSP and the Customer. This includes remote access policies, user account administration, authentication, wireless access, segregation of duties, network security scans and assessments, and the monitoring of access to Customer systems.
06.01 Access to Applications and Environments – Access to MSP and Customer systems and configuration data is restricted to authorized personnel following a documented Access Control Policy. All service delivery and internal applications have authentication security mechanisms implemented.
06.02 Super-User and Administrator Access Security – Administrator IDs to information systems (network and in-scope critical systems) are restricted to a limited number of approved personnel.
06.03 Unique Users and Passwords – Users authenticate to the MSP’s information systems and the underlying Customer data using unique user account IDs and passwords.
06.04 Revocation of Access – Logical access to the MSP’s information systems (MSP LAN and web portals) and Customer systems and data is revoked and reviewed for terminated and departing employees.
06.05 Strong Passwords – User authentication password mechanisms are implemented and require minimum standards for password length, complexity, expiration, reuse, and account lockout for failed attempts. MSP passwords are stored in a secure password repository.
06.06 Segregation of Access – Access to information systems (including Customer systems and data) is separated by functional area to ensure segregation of duties.
06.07 Periodic Review of Access Rights – Access to information systems and the underlying Customer systems and data is reviewed by the MSP’s upper management periodically to ensure access to resources is appropriately restricted to approved personnel.
06.08 Secure Remote Access – Remote access to the MSP and Customer information systems is restricted to authorized personnel following a remote access policy. Remote access is monitored, logged, and reviewed by MSP management.
06.09 Network and Endpoint Security Management and Monitoring – Local and wide area networks are secured through the use of managed firewalls and other devices and software. Where applicable, MDR/EDR/XDR controls and security information and event management (SIEM) systems are utilized to monitor and secure the MSP’s network.
06.10 Email Security – MSP has implemented applications and/or systems to scan and protect email and environments from email attacks and malware/viruses.
06.11 Antivirus – MSP has implemented an antivirus system on the network’s connected devices and traffic (web and email) to scan and protect its environment.
06.12 Wireless Network Security – MSP’s wireless network is segregated from its guest wireless network.
06.13 Network Security Review – Network security reviews (including security assessments, scans, penetration tests, etc.) of the MSP’s network are conducted periodically.
UCS Objective Summary and Purpose: The goal of the Data Management Objective is to confirm the MSP has sufficient policies and procedures to ensure the integrity and availability of managed Customer and MSP internal data in the event of natural disasters, cyber-attacks (i.e., ransomware), and user error or malfeasance. This includes the implementation of data backup as well as encryption, security, retention, and restoration of managed Customer and MSP internal data.
07.01 Customer Data Backup and Replication – Where applicable, Customer data backup schedules are documented and followed in accordance with contractual service agreements; backups are monitored, and any errors are handled following operations management policies and procedures. Customer backup and/or replicated data is encrypted following contractual requirements.
07.02 MSP Data Backup and Replication – MSP data backups are completed and monitored following backup schedules, with any errors being handled following operations management policies and procedures. Backup and/or replicated data is encrypted following MSP policies and procedures.
07.03 Data Recovery Testing – Backup data restoration and recovery testing procedures are conducted periodically, with the results of tests being logged and monitored by the MSP.
07.04 Disaster and Business Continuity Planning – Business continuity plans are documented and tested periodically to ensure the integrity of MSP and, if applicable, Customer data.
07.05 Internal Data Destruction – Objects containing internal data are handled and destroyed following end-of-life policies.
07.06 Customer Data Destruction – If data destruction services are delivered to Customers, objects containing Customer data are handled and destroyed following end-of-life policies.
07.07 Device and Asset Management – Devices and assets are maintained in a centralized inventory list. A policy and supporting security measures shall be adopted to manage the risks of all devices and assets.
UCS Objective Summary and Purpose: The goal of the Physical Security Objective is to ensure the MSP has documented policies and procedures governing physical access and environmental security of the MSP’s assets. MSP must demonstrate sufficient physical security controls at each facility, including controls such as physical access administration, card key, CCTV, on-site security, visitor/guest logs and other effective security and environmental controls.
08.01 Office Security – Sufficient physical security controls are implemented at each facility utilized by the MSP. Access rights of personnel are reviewed and approved by MSP upper management on a periodic basis.
08.02 Logging of Visitors – Visitor logs are maintained at each facility by the MSP. Visitors are required to sign the log upon entering the building.
08.03 Sensitive Area Security – Physical access to the sensitive areas (including operations centers, data centers, and server rooms) is restricted to authorized personnel.
08.04 Revocation of Physical Access – Upon termination, employee access to the MSP’s facilities is revoked.
UCS Objective Summary and Purpose: The goal of the Billing & Reporting Objective is to ensure the MSP is accurately monitoring service delivery, reporting, and invoicing for Customers following SLAs signed by both parties.
09.01 Signed Contracts and Agreements – Signed service level agreements are in place between the MSP and Customers.
09.02 Accuracy of Service Invoices – MSP invoices are generated following signed service contracts.
09.03 Report Availability – Performance reports are available to Customers following signed contracts.
UCS Objective Summary and Purpose: The goal of the Corporate Health Objective is to ensure sufficient corporate and financial health on the part of the MSP so that all of its Customers are adequately protected. Technical proficiency is only part of the MSP’s value to the Customer. The MSP must be on firm financial footing, as well as risk averse in a variety of areas unique to managed services and cloud in order to effectively deliver its services to the Customer.
10.01 Operational Sustainability – Financial reports demonstrate profitability for a minimum of 6 of the previous 12 months, or sufficient access to funds necessary to keep the MSP operational for a 12-month period of time.
10.02 Significant Customer Risk – The MSP demonstrates sufficient managed services revenue distribution so that the largest Customer does not represent more than 20% of total managed services revenue and the five largest Customers do not represent more than 50% of total managed services revenue.
10.03 Gross Profit Margin on Services – The MSP demonstrates that 30% gross profit margin is realized on its managed service/cloud offerings.
10.04 Customer Commitments – The MSP demonstrates that the majority of its customer base and revenues are not from month-to-month service contracts.
10.05 Insurance – The MSP maintains errors and omissions, professional liability, cyber security and any other applicable insurance policies necessary to mitigate MSP business disruption.
10.06 Customer and Employee Retention Tracking – The MSP maintains records to track the retention of customers (both voluntary and involuntary) and employees (both voluntary and involuntary) to ensure business continuity.
Copyright 2000 – 2021 MSPAlliance® – All Rights Reserved