Questions to ask Managed Service Providers
JANUARY 2019
Introduction
This document provides simple yet practical questions to ask managed service providers regarding the cyber security of
their systems and the services they provide.
Are you implementing better practice cyber security?
The Essential Eight from the Strategies to Mitigate Cyber Security Incidents [1] provides prioritised and practical advice
to manage a range of cyber threats to systems and the information that they process, store or communicate.
Managed service providers can demonstrate they are implementing better practice cyber security to protect
themselves and their customers by implementing the Essential Eight.
Are you securely administering your systems and services?
As managed service providers often have privileged access to systems, it is important that they manage such systems in
a secure manner, especially when systems are managed remotely.
Managed service providers can demonstrate they are securely administering their systems and services by
implementing the guidance from the Secure Administration publication [2].
Are you monitoring activity on your systems and services?
Organisations often have poor visibility of activity occurring on their systems. Good visibility of what is happening is
important for both detecting and responding to targeted cyber intrusions and malicious insiders.
[1] https://www.acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf
[2] https://www.acsc.gov.au/publications/protect/Secure_Administration.pdf
Managed service providers can demonstrate they are monitoring activity on their systems and services by
implementing the guidance from the Windows Event Logging and Forwarding publication [3].
Are you regularly assessing your systems and services?
In order to protect their systems, and those of their customers, it is important that managed service providers are aware
of, and appropriately risk manage, security vulnerabilities in their systems and services.
Managed service providers can demonstrate they are regularly assessing their systems and services by conducting
regular vulnerability assessment activities.
Are you prepared for, and able to respond to, cyber security incidents?
Experiencing a cyber security incident is not a question of if but when. The effective preparation for, and response to, a
cyber security incident can greatly decrease its impact.
Depending on the extent of a cyber security incident, additional assistance by specialists may be required to contain the
incident and remediate any security vulnerabilities that were exploited. Actively reporting cyber security incidents can
assist in the early and effective management of cyber security incidents by specialists trained in this field.
Managed service providers can demonstrate they are prepared for, and able to respond to, cyber security incidents by
implementing the guidance from the Preparing for and Responding to Cyber Security Incidents publication [4].
Are you a member of the Managed Service Provider Partner Program?
To assist in raising the cyber security posture of managed service providers, and to provide confidence for their
customers, the Australian Cyber Security Centre (ACSC) has developed the Managed Service Provider Partner Program
(MSP3) [5].
Customers of managed service providers should confirm whether their managed service providers are participating in
the program.
Further information
The Strategies to Mitigate Cyber Security Incidents and supporting publications can be found at
https://www.acsc.gov.au/infosec/mitigationstrategies.htm.
The Essential Eight Maturity Model complements the advice in the Strategies to Mitigate Cyber Security
Incidents. It can be found at https://www.acsc.gov.au/publications/protect/Essential_Eight_Maturity_Model.pdf.
[3] https://www.acsc.gov.au/publications/protect/Windows_Event_Logging_Technical_Guidance.pdf
[4] https://www.acsc.gov.au/publications/protect/Preparing_for_Responding_to_Cyber_Incidents.pdf
[5] https://www.cyber.gov.au/msp-global-hack/msp-partner-program/
Contact details
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing
asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).