This is part one in a series from Christie Fisher, ZAG’s VP Service Delivery, about the process we undertook to achieve the MSPAlliance® MSP Verify™ certification.
Continuous improvement is a topic that is often discussed at ZAG Technical Services. Whether it is improving a process, updating a document or reviewing the use of technology, we often ask ourselves, “How can we make this better?” It is a relatively easy question to ask about the security and stability of our technology environment. However, asking someone outside your organization the same question is a much more uncomfortable thing to do.
What is MSPAlliance and MSP/Cloud Verify?
When we first heard about the MSPAlliance® MSP/Cloud Verify™ (MSPCV) certification program, ZAG’s Executive Steering Group agreed unanimously that it was worth pursuing. Between 1% and 5% of MSP providers obtain the certification, which highlights the value it could bring to our clients. We began the road to certification with a mix of trepidation and excitement. There was obvious nervousness around the amount of work it would generate and the vulnerability of having someone from the outside come into our “home,” so to speak, and inspect the nooks and crannies that are normally hidden from view. That hesitation was quickly overshadowed by the major excitement over obtaining validation that we are doing everything we can to support our mission of “Enabling our Clients to Succeed.”
Control Objectives Audit
The MSPCV program is based on the Unified Certification Standard (UCS) for Cloud and Managed Service Providers developed by MSPAlliance. There were a number of control objectives that were examined, including:
- Governance. The organizational structure was reviewed to ensure that it is adequate for a Managed Service Provider of ZAG’s size. Strategic and operational planning was another area of focus in this objective, ensuring that the plans are in alignment and are reviewed on a regular basis.
- Policies and Procedures. ZAG was evaluated for its security, data breach, and intranet policies, which demonstrated to MSPAlliance that we actively adhere to our own policies given to our MSP clients. Not only did they look at policies, but they also examined our employee handbook, orientation, and certification tracking.
- Confidentiality and Privacy. This area targets whether or not ZAG has sufficient processes in place to protect client data. The policies and procedures checked included employee background checks, employee confidentiality, data classification and encryption, master services agreement, and geolocation disclosures.
- Change Management. Policies around formalized change management weren’t the sole focus of this section. Other areas reviewed were customer onboarding, configuration documentation, customer categorization, capacity planning, and patch management.
- Service Operations Management. This section focused on the core of MSP services and how the company responds to incidents/problems. Some of the items reviewed included: centralized operations center, support and problem logging/resolution, KPIs, categorization, incident management, and operations monitoring.
- Information Security. With MSPs becoming larger cybercrime targets, information security is more important than ever, so it was no surprise to ZAG that roughly 30% of the processes, procedures, and evidence came in this section. The tasks included: access control, new hire setup, privileged user access, password policy, employee termination, MFA, secure remote access, network security monitoring/management, email security, anti-virus, wireless security, and security assessments.
- Data Management. Ensuring the integrity and availability of the data in the event of a disaster is the next logical step after securing the data. As a result, backups and replications, data recovery testing, disaster and business continuity planning, and data destruction were some of the topics addressed in this category.
- Physical Security. Physical security is also important, so this area focused on office security, physical access to files, sensitive areas and offices, data center environmental controls and maintenance. ZAG invested in a brand-new security system for its San Jose office this year, which helped streamline the collection of data needed for this category.
- Billing and Reporting. Accuracy and timeliness of invoices, ensuring that SLAs are met, and reporting how quarterly business reviews are conducted were the main points in this category.
- Corporate Health. This was the final step in the review process and focused on the overall health of ZAG with regard to operational sustainability, customer risk/relationships, insurance, and customer/employee retention.
The MSP Verify Journey
The project consisted of three phases:
- Readiness – preparation for the certification and audit.
- Verification – independent auditors verify the information provided in phase 1.
- Reporting – final report compilation and review, certification issued (if passed).
Phase 1 is where the heavy lifting occurred, and it took us longer than planned due to the disruption in normal business caused by COVID-19. We completed questionnaires in each objective and then reviewed each answer in depth with the MSPAlliance team. Based on the answers provided and the procedures in place, action items were then assigned for us to produce written procedures and evidence of execution of processes. Roughly 250 items were reviewed, ranging in size/complexity from items like business continuity plans to screenshots showing backup settings.
After completing all the questionnaires and providing the required documentation and evidence, the rest of the process was in the capable hands of the third-party auditors and MSPAlliance. We “patiently” waited through phases 2-3 for questions from the auditing team, the arrival of our final report, and last but not least, the news about our certification.
MSP Verify Insights
In the next few weeks, we will take a deeper dive into the 10 objectives reviewed and what they mean for ZAG’s MSP clients.
We are extremely proud to have achieved our MSP Verify certification and to join the elite group of Managed Service Providers who are doing everything possible to protect and enable the success of their clients. We hope that you will find value in following along as we document our journey and the importance it represents.