GM, I agree with Lisa-Mae; it is always good to check on your vendor's VMP - they must demonstrate control and oversight over their material subcontractors.
The one thing I would add is to request their pen test report. Be careful to check the scope to be sure the service they provide to you was included.
Happy to chat.
Original Message:
Sent: 03-14-2023 10:05 AM
From: Lisa-Mae Hill
Subject: DD items for MSP - beyond SOC2 report
This is a solid list. I would also just encourage you to ensure you have strong breach/incident notification language in your contracts or at least understand what their process and timelines are. Understanding their incident response times and procedures is also important. I would also want to look at their Vendor Management program and make sure you know what (if any) of their third parties have access to or process your data. I'd love for others to weigh in as well.
Original Message:
Sent: 03-01-2023 05:31 PM
From: Anonymous Member
Subject: DD items for MSP - beyond SOC2 report
This message was posted by a user wishing to remain anonymous
For those that use a Managed Services Provider, I'm wondering what additional documents are typically collected beyond the SOC2 report. Our standard DD checklist is pasted below but I don't know whether they are all relevant to an MSP or are already covered by the SOC2. What do others do?
- Internal controls report (e.g., SOC report, internal audit)
- Compliance Manual
- Code of Ethics
- HR policies, including hiring guidelines and leave policy
- Financial statements
- Insurance certificates or detailed overview (general liability, D&O, E&O, cyber)
- IT/Cybersecurity policy
- Cyber Incident Response Plan
- BCP policy
- Disaster Recovery policy
- BCP attestation
- Outsourcing policy