This document provides simple yet practical questions to ask managed service providers regarding the cyber security of their systems and the services they provide.
Questions to ask Managed Service Providers
Are you implementing better practice cyber security?
The Essential Eight from the Strategies to Mitigate Cyber Security Incidents  provides prioritised and practical advice to manage a range of cyber threats to systems and the information that they process, store or communicate.
Managed service providers can demonstrate they are implementing better practice cyber security to protect themselves and their customers by implementing the Essential Eight.
Are you securely administering your systems and services?
As managed service providers often have privileged access to systems, it is important that they manage such systems in a secure manner, especially when systems are managed remotely.
Managed service providers can demonstrate they are securely administering their systems and services by implementing the guidance from the Secure Administration publication .
Are you monitoring activity on your systems and services?
Organisations often have poor visibility of activity occurring on their systems. Good visibility of what is happening is important for both detecting and responding to targeted cyber intrusions and malicious insiders.
Managed service providers can demonstrate they are monitoring activity on their systems and services by implementing the guidance from the Windows Event Logging and Forwarding publication .
Are you regularly assessing your systems and services?
In order to protect their systems, and that of their customers, it is important that managed service providers are aware of, and appropriately risk manage, security vulnerabilities in their systems and services.
Managed service providers can demonstrate they are regularly assessing their systems and services by conducting regular vulnerability assessment activities.
Are you prepared for, and able to respond to, cyber security incidents?
Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and response to, a cyber security incident can greatly decrease its impact.
Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can assist in the early and effective management of cyber security incidents by specialists trained in this field.
Managed service providers can demonstrate they are prepared for, and able to respond to, cyber security incidents by implementing the guidance from the Preparing for and Responding to Cyber Security Incidents publication .
Are you a member of the Managed Service Provider Partner Program?
To assist in raising the cyber security posture of managed service providers, and to provide confidence for their customers, the Australian Cyber Security Centre has developed the Managed Service Provider Partner Program .
Customers of managed service providers should confirm whether their managed service providers are participating in the program.
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations’ systems. It can be found at https://www.cyber.gov.au/acsc/view-all-content/ism.
The Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM. The complete list of strategies can be found at https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents.
If you have any questions regarding this guidance you can contact us via 1300 CYBER1 (1300 292 371) or https://www.cyber.gov.au/acsc/contact.