This is part three in a series from Christie Fisher, ZAG’s VP Service Delivery, about the process we undertook to achieve the MSPAlliance® MSP Verify™ certification. Read part two here.
In our last MSP/Cloud Verify blog, we looked at some of the foundational objectives that were scrutinized during ZAG’s preparation for the audit. But what about the managed services part of the equation? MSPAlliance® examined more categories related to our core deliverables, including change management, service operations, information security, and data management, providing a clearer picture on how we work with our clients. Here’s a closer look at those control objectives.
Covering more than simply change management, this objective also included:
- Configuration Documentation – The focus centered around how client configuration data was captured and stored upon onboarding. ZAG does a thorough assessment of a new customer’s environment and has a standard set of tools that are used both to capture the data and document it.
- Customer Categorization – ZAG categorizes its customers based on the three core managed service offerings:
- Managed Security Assurance (standard RMM)
- Managed User (RMM + Help Desk)
- All Managed
- Change Tracking – Change notifications are sent using a custom application that includes information such as a description of the proposed change, systems/services/sites affected, user impact, and more.
- Capacity Planning – Setting thresholds for storage capacity is crucial to preventing downtime. ZAG sets standard thresholds for all clients and adjusts accordingly if a client has different requirements.
- Patch Management – Patch management can be complex and requires a detailed Patch Management Policy to ensure proper patching. There must be a good plan to review/test the recent changes, automate deployment, and follow up on any systems that may be missed for one reason or another.
Service Operations Management
This objective aims to determine how the MSP responds to IT-related events – specifically how the Network Operations Center (NOC) operates, ticketing system is used, and Service Desk policies and procedures.
- Centralized Operations Center – Examines how the NOC was staffed (centralized vs. virtual) and hours of coverage. ZAG currently staffs the call center from 11 p.m. PT to 6 p.m. PT daily with 6 to 11 p.m. covered by on-call engineers.
- Support and Problem Logging – Issues are tracked in ZAG’s main ticketing system and KPIs are monitored regularly.
- Categorization and Correlation – Tickets are categorized via type, sub-type, and criticality to the customer.
- Support and Problem Resolution – ZAG provided FAQs and Incident Management procedures as part of this objective to demonstrate its processes/procedures around tracking and resolution of client support issues. Having procedures in place and following them provides consistent support, streamlined resolution and good communication.
- Operations Monitoring – ZAG’s line of business managers each review their team’s time entries weekly for accuracy and completeness. Additionally, ticket metrics (counts, handling times, stale tickets, etc.) are reviewed regularly.
Protecting data for the MSP and its customers must be a top priority and it was no surprise that this objective was the most robust in the audit. This area covered the following:
- Access to Application and Environments – Several pieces of evidence were required for this, including access control policies, AD integrations for all applications used in supporting our clients, along with multi-factor authentication
- Super User and Administrator Access Security – ZAG provided its tiered structure for privileged accounts, along with admin user lists and password policies.
- Revocation of Access – Departing employee accounts are disabled in AD immediately upon termination and tracked via offboarding tickets.
- Strong Passwords – ZAG’s AD Password Policy was reviewed to ensure proper requirements for length, complexity, and reuse, along with tracking where passwords are stored.
- Segregation of Access – Back-office and service delivery are separated via VLANs (server, voice, user, guest, and customer). Customer VLANs are restricted by a locked server room and access is controlled via a badge security system.
- Periodic Review of Access Rights – Recurring tickets are created to perform access rights reviews. Additionally, we have monitoring in place to alert if there are any changes to a privileged group.
- Secure Remote Access – All remote access is secured, restricted, and monitored. Regularly scheduled reviews of the access logs are performed.
- Network Security Management and Monitoring – ZAG’s network has multiple layers of protection and monitoring (both internally as well as through an external SOC).
- Email Security – Microsoft Exchange Online Protection with Advanced Threat Protection, DMARC, SPF, DKIM, Cisco Email Security, and email security training are some of the email security tactics that ZAG employs.
- Antivirus – ZAG recently upgraded to an Active EDR (Endpoint Detection and Response) anti-virus solution.
- Wireless Network Security – Along with using WPA2 for security, ZAG separates the ZAG internal network from a guest wireless network.
- Network Security Assessments – Vulnerability scans (both internal and external) are performed on a quarterly basis.
The goal of this objective is to evaluate whether the MSP’s policies and procedures sufficiently ensure the integrity and availability of the internal data of both the MSP and its clients, including:
- MSP Data Backup and Replication – ZAG provided backup schedules and retention policies for review as well as proof of encryption (in transit and at rest).
- Data Recovery Testing – Internal backup data is validated daily through an automated virtual machine reboot and restore, and notifications are sent if there are any failures.
- Disaster and Business Continuity Planning – ZAG’s Business Continuity Plan and results of annual tabletop exercises were supplied for review.
- Data Destruction – The data destruction policy along with a sample completed data destruction certificate were reviewed to ensure proper handling.
Going through an exercise like the preparation for this audit allowed ZAG to take a break from the daily whirlwind of a growing organization. You can liken the experience to allowing someone to come in to your house and open closets, dust off spider webs, throw away some old knickknacks, and replace them with some new, shiny ones. It was a bit like Spring cleaning – it’s a hassle while you are in the middle of it, but you always feel better about the state of your house when it’s done!
As we wrap up the last blog in our series that highlights the MSP Verify process, we will summarize how these certifications benefit ZAG and our clients and talk a little more about why the certification should be a “must” when you’re looking for an MSP partner.