Cyber Security Best Practices: Contracting With Managed Service Providers

Number: IN17-003
Date: 03 April 2017


The purpose of this Information Note is to provide best practices and highlight security considerations when subscribing to services offered by managed service providers.


The decision to engage a managed service provider to operate an organization’s information technology services can be cost-effective and create efficiencies. There are two broad categories of service providers which will be referenced in this product: managed service providers (MSPs) who offer a range of information management and information technology services including both physical infrastructure (e.g. servers) and virtual, or cloud, infrastructure; and cloud service providers (CSPs) who manage and store data primarily in a virtual environment. The decision to centralize information with a third-party service provider can present risks to the privacy and integrity of proprietary information. This Information Note is intended to provide an overview of the security and privacy challenges pertinent to public cloud computing, and highlight considerations organizations should take when outsourcing data, applications, and infrastructure to a third-party service provider.

Mitigating the risks associated with using service providers is a responsibility shared between the organization (referred to as the “tenant”) and the MSP or CSP. However, organizations remain ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure should maintain an open dialogue with their provider and understand the model the provider uses to manage clients’ services. The information contained in this product is designed to facilitate that dialogue.

Organizations should consider performing a detailed risk assessment and implementing the associated mitigations before engaging an MSP or CSP. Key considerations when using these services include:

Suggested Action

CCIRC recommends that organizations review the following best practices and consider their implementation in the context of their business needs:

Organizations that detect activity related to this Information Note are encouraged to contact CCIRC.


Government of Canada Security Control Profile for Cloud-based GC IT Services

CSE Information Technology Security Guidance (ITSG) 33 on IT security risk

Contracting Clauses for Telecommunications Equipment and Services

Australian Signals Directorate: Cloud Computing Security for Tenants

NIST Special Publication 800-145: NIST Definition of Cloud Computing

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
