For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the time to take important steps to ensure that the transition to your new provider is a smooth one.
Tips on Getting Offboarding Started
- Maintain communication – In terms of your outgoing MSP, one adage rings true–don’t burn bridges. The company you are letting go is a key to your success moving forward. Severing all ties prematurely could leave your company stranded, unsupportable, and looking at a larger bill to recover data, admin credentials, and backups, as well as negatively impact your overall business.
- Transfer knowledge – While CyberSheath or another onboarding MSP has no authority to require the outbound MSP supply the needed information to manage the infrastructure effectively, performing knowledge transfer with your outgoing MSP can assist with all entities involved working as a team.
- Include key details in release letter – Note that it is essential to have these expectations listed in your release letter. It is also a great idea to have the leaving MSP sign off and agree to participate in this process. Without these items, your new MSP will have the daunting task of figuring out your infrastructure and credentials.
- Don’t delete a Global Admin account – Have you ever not had the global admin account for your domain controller or active directory? You will not do much without it. Deleting one of these accounts could have down-stream effects on your infrastructure and access that could require significant recovery efforts, which means considerable expense.
- Ensure outgoing MSP participation in process – It is also a great idea to have the leaving MSP signoff and agree to participate in the offboarding process. Without this input, your incoming MSP will have a daunting task of figuring out your infrastructure and credentials, which not an easy task without certain information.
Key Information to Document
Remember that the outgoing service provider was a partner in your network and infrastructure, and therefore possesses information that is vital in supporting the success of your new service provider.
Below is an initial list of important information to record as you prepare to offboard your exiting MSP. Keep in mind that your company may have unique situations requiring additional information be turned over.
- All admin credentials for all in-scope devices used in the course of business. These include but not limited to servers, routers, firewalls, storage devices, and applications used by your company. It is a good idea to maintain a list of these even if you are not transitioning to a new MSP. MSPs often create accounts for themselves within your infrastructure. These are now keys to your environment, so it is a good practice to keep a list of who has access.
- All intellectual property (IP) needed to maintain current business practices and processes. MSPs often acquire a lot of knowledge about your company in their day-to-day operations of supporting your company. While it may be impractical to truly download everything your outgoing MSP knows about your company, it is a good idea to have a non-disclosure agreement (NDA) in place to ensure that information stays confidential.
- Complete list of all assets currently managed. This will help your new MSP understand your environment.
- Network topology diagram to include current IP mappings and ports used for day-to-day operations. CyberSheath recommends that you review this diagram on a quarterly basis or as you change components within your infrastructure. For example, if you moved on-premise servers to the cloud, be sure to ask for an updated diagram.
- Knowledge base information specific to or used in the support of your company’s infrastructure. The importance of this cannot be overstated. All companies have IT skeletons in their closets. Moving to a new MSP and not helping them with understanding the unexpected, sets the stage for failure.
- Backup schedules and access to the location where backup data is stored. Also be sure to have access to credentials to retrieve those backups and applications used to perform these tasks, as well as the most recent full backup.
- Licenses schedule and account information associated with those licenses so that the licenses can be transferred to your onboarding MSP. Companies should always document and maintain this information. You cannot renew or transfer software licenses without a company’s account number and approval. It is also recommended to have a quarterly review of your licensing footprint as unused licenses incur unnoticed expenses.
- Technical Point of Contact (TPOC) that can be available for the dates of the transition (usually 30 to 60 days). It is important that the person in this role understands technical issues to ensure the onboarding company has access to the client’s IT dependencies.
If you are still searching for your new MSP, CyberSheath offers a unique managed service combining security and IT services, which bring our customers a complete, protected service solution. Our MSP offering is secure, contains no ransomware, and allows our customers to keep their data.
Collaboration and leveraging the skills of others are key aspects of growing a business. Companies worldwide are using the expertise, products, and services of other companies to enhance their core competencies. But entrusting another company (a vendor) to provide a service is not cut and dry. What if a vendor’s reputation is questionable? What if a vendor is a financial risk or has had their internal system breached before? These are all questions that should be answered prior to exposing a vendor with your company’s most valued assets. As technology begins to expand there is a need for placing increased importance on Vendor Security Management (VSM) instead of simply focusing on the vendor’s performance.
What is Vendor Security Management?
VSM is taking a proactive step in identifying and decreasing potential uncertainties and liabilities in regards to hiring 3rd party vendors for IT products and services. VSM is important because merging two or more corporate ideologies is very risky and should be handled with caution. VSM should be a top-down approach in which the Chief Information Security Officer (CISO) takes the responsibility to add this component to the vision and strategy of the company.
How does Archer handle Vendor Security Management?
Archer’s solution to VSM gives you the power to automate and streamline the continuing oversight of vendor relationships by facilitating various activities including Risk-based vendor selection, relationship management, and compliance monitoring. Archer also has seven risk categories that will provide any organization with a broadened and more in-depth perspective of the security an engagement presents. Categories include Compliance/litigation risk, financial risk, information security, reputation risk, resiliency risk, strategic risk, sustainability risk. The benefit of Archer’s solution is that it proactively breaks down VSM into manageable pieces in which each company can focus on the category that it finds most important.
What if Vendor Security Management is neglected?
Performance is not everything. A third party vendor may provide excellent service but be at high risk of a security breach. Also, maintaining a successful company means having a strong future vision in mind and being mindful of the risks presented in an engagement. Neglecting VSM could be very detrimental to customers and employees, as many stories in today’s news will report. For example, the company, Assisted Living Concepts, used a third-party payroll and HR management provider by the name of Ultimate Software (also referred to as UltiPro Services). In December 2013 Ultimate Software was breached and over 43,000 former and current employee records were stolen and used for tax fraud. Upon investigation from the IRS and the FBI it was noted that if Ultimate Software had two-factor authentication enabled for their employee accounts, the breach of their system could have been prevented. If Assisted Living Concepts knew this bit of information beforehand they may have made a different decision in choosing a vendor to provide payroll and HR management services.
Systems security breaches have been documented to cost hundreds of millions of dollars depending on the magnitude of the breach and the size of the company. Although you have the ability to recover from a breach, it will be an uphill battle to gain new customers and retain customers due to the lack of trust. Systems security breaches negatively affect current and future profits.
Why is Archer’s Vendor Security Management for you?
Investing in Archer’s Vendor Management solution instantly increases the transparency of potential vendors. Having knowledge of vendors better equips any company to make informed decisions that impact people’s lives on a daily basis.
CyberSheath understands that a “one-size-fits-all” approach doesn’t work when designing your security. We operate on four basic principles in delivering a differentiated service. First, we begin each VSM project with due diligence to gain an understanding of your business. Second, we model the assessment process based on your business complexity and resource constraints. Next, we develop a VSM solution that ensures your future security state is measurable and sustainable. Lastly, we collaborate with your business stakeholders and technical experts and directly assist in the implementation of your Vendor Security Management program. CyberSheath is built on strong security principles that we intend to bring to your business in a pragmatic and effective way.