This is part two in a series from Christie Fisher, ZAG’s VP Service Delivery, about the process we undertook to achieve the MSPAlliance® MSP Verify™ certification. Read part one here.
ZAG’s journey toward our MSP Verify certification spanned several months, and our first blog of this series outlined the steps we took from a high level. But we need to take a more in-depth look at some of the control objectives that were reviewed and audited during the process, especially those focusing on corporate policies and how ZAG conducts business.
This objective aims to review the business’s corporate and organizational structure and risk management, oversight, and accountability.
- Organizational Structure – This covered everything from the organizational chart and how it is maintained to the Executive Team and Board of Directors’ structure, how often they meet, and how we document those meetings. We provided job description samples to verify they contained clearly defined roles and responsibilities, including skills and experience requirements.
- Strategic Planning – Short- and long-term plans were examined to ensure operational alignment, along with the process of developing, updating, and approving strategic plans.
- Software Licensing – License tracking, calculation, and reporting were the focus in this area.
- Vendor Management – ZAG provided its Vendor Management policy and Risk Matrix for review and provided evidence of annual vendor risk assessments and vendor due diligence.
Policies and Procedures
The MSPAlliance® examined ZAG’s Policies and Procedures to ensure that proper documentation and adherence were present in the following categories:
- Documentation of Policies and Procedures – As part of its onboarding process, ZAG provides each employee with the Employee Handbook, which contains all employee policies and procedures. Employees acknowledge the receipt of the handbook both when they join ZAG and each year after that.
- Data Breach and Cyber-Attack – In the event of a breach, we confirmed documented communication procedures in the Information Sharing Approval Procedure and the Data Breach policy.
- Periodic Review and Approval – ZAG reviews its policies and procedures annually and updates these throughout the year as changes are needed.
- Employee Acceptance – Publishing the policies is important, but it is also crucial to ensure that employees have received and acknowledged them. ZAG obtains this acknowledgment in the onboarding process and annually after that.
- Training and Orientation – Human Resources meets with new hires on their first day to provide a company overview and benefits overview, process onboarding forms, and assign required training.
Confidentiality and Privacy
Protecting customer data is essential, and one of the ways to ensure that protection is by implementing proper confidentiality and privacy policies and procedures including, but not limited to, the following:
- Employee Background Checks – ZAG utilizes a third party to conduct one-time criminal, SSN, and MVR background checks for all new hires, and the results are kept confidential.
- Upon joining ZAG, employees sign a Confidentiality Agreement, which is included in the Employee Handbook and is acknowledged annually after that.
- Data Classification and Encryption – ZAG has a Data Classification policy and encrypts all email/data at rest and locally encrypts laptops.
- Data Geolocation Disclosure – ZAG learned through this process that it should inform its customers where we locate client data. As a result, we added a geolocation clause to our Master Service Agreement.
- External Service Provider Access Management – If external providers have access to customer data, access needs to be controlled, monitored, and disclosed to customers.
There is a lot in the news about cybersecurity and its importance to an organization. Many companies forget that the physical security of an office location is crucial to protecting data centers and other critical assets in today’s threat landscape:
- Physical Access Policies and Procedures – The certification examined the company’s Physical Access policy, security access controls (proximity cards, biometric readers, camera systems, and security alarms), how access is granted/approved, visitor logging, and whether or not Physical Security Assessments are performed.
- Sensitive Area Security – ZAG protects these areas and restricts access using a badge system. Access is reviewed periodically to ensure that access is limited only to those employees who require it.
- Revocation of Physical Access – Employee offboarding processes were reviewed to ensure that physical access was revoked for terminated employees as soon as possible.
Billing and Reporting
One of the shorter questionnaires in the process, the Billing and Reporting section, dealt with the following:
- Signed Contracts and Agreements – We provided sample copies of our Master Service Agreement and MSP agreements to the auditors for review.
- Accuracy of Service Invoices – ZAG provided a copy of our weekly managed services invoices and walked through our methodology for invoice pricing, preparation, and review.
- Report Availability – Reporting to our customers, and customers' access to the ticket portal landing page, was one of the main focal points in this section. In addition, we presented a sample Quarterly Business Review presentation.
ZAG completed a corporate health questionnaire for this section designed to evaluate the company’s financial and corporate health, ensuring that its customers are adequately protected.
- Operational Sustainability – ZAG reported how our financial statements are prepared – whether internally or externally, along with the frequency. We also provided our profit/loss by month over the previous year.
- Significant Customer Risk – ZAG broke down its revenue by the top five largest managed services customers and described strategies to acquire new clients, reducing potential revenue concentration.
- Gross Profit Margin on Services – This covered the breakdown of the cost of services inclusions and ZAG’s managed services practice’s gross profit margin.
- Customer Relationships – Examining the length of MSP relationships is crucial to determining the company’s sustainability and new growth. ZAG proudly reported that 47% of our managed services client partnerships are greater than five years, with the oldest relationship exceeding 20 years.
- Insurance – ZAG holds all four types of insurance recommended by the MSPAlliance MSP Verify program:
  - Errors and Omissions
  - Professional Liability
  - Cyber Security
  - Key Man
- Customer and Employee Retention – We calculated retention rates for both customers and employees for the previous 12-month period. ZAG’s employee retention came in at 81%, while the client retention rate for that period was an impressive 97%. (We’re hiring and if you’d like to join a team that very few people leave, check out our open opportunities.)
As ZAG examined each of these control objectives, we had an opportunity to focus on the areas where improvement was needed, even if we met or exceeded the base standard. Continually improving in these areas for our own company, while providing ongoing services to clients, provides us with transparency and accountability that contributes to our success. And for ZAG, it’s not only our managed services clients that benefit from this process; every client can rest assured that we take the safety and security of client data and our ongoing improvements seriously.
In our next blog, we take a closer look at the managed services-related objectives focusing on the services we provide to our customers.