Managed Security Services Provider - Reports
In this third installment of the EisnerAmper/CloudAccess podcast on Managed Security Services, Jerry and Kevin address the static reports your MSSP should be providing, what you, as the client, should be able to access at any time, and what you should be doing with the information you receive.
Kelly Critelli: Hello and welcome back to the EisnerAmper and Cloud Access podcast series where we're talking about managed security services providers (MSSPs). I'm your host, Kelly Critelli and with us today is Jerry Ravi, EisnerAmper Partner-in-Charge of Process, Risk and Technology Solutions, and Kevin Nikkhoo, CEO of Cloud Access. In case you missed it, our last podcast dealt with what clients should do to prepare to engage with an MSSP. Jerry and Kevin, welcome and thanks for being here.
Jerry Ravi: Thank you Kelly.
Kevin Nikkhoo: Thank you.
KC: What kind of reports should a client expect to receive from their MSSP, and then what should they do with that information?
KN: From our perspective, reports are a must-have and there are a variety of them. It shouldn't be static—not only providing reports on alarms, alerts and incidents. Of course, the help desk should support all of that so you can see the incidents, incident management, the history, and what was opened and closed in real time—reports that actually give customers a view of the environment. For example, we have reports that show a summary of all the incidents. When you look at the report, you get a pretty good view of what has happened in your environment. That's just a static report, but I think it's important that the customers have the ability, through the MSSP, to generate reports on the fly. Let's say that you have a particular device, say a Cisco firewall or router, and you're looking for a specific type of data or stream of data that's going through the environment and you want to know what's going on with that specific data. Well, an MSSP should be able to create on-the-fly reports in real time, and allow executives and security analysts to look at it in real time, at the end of the week, and at the end of the month so that they get visibility into that particular data set. It's not just one set-up static report that should be delivered, but ongoing and dynamic reporting that can adjust easily to the customer's requirements. On top of that, the way Cloud Access does it is that we have weekly and monthly calls with customers to review what has happened, show them the reports, and put some meaning around those reports to tell them the type of incidents and, by the way, we think there are some vulnerabilities that need to be addressed. The reports have to support daily operations.
JR: I'm all about reporting, sitting in that risk role again, and putting that risk hat on. There's not a whole lot you can do without reporting. You have to make it relevant. When you think about compliance, whether it's a regulatory examiner coming in and wanting to see your security posture, the last thing you want to do is hand off a 120-page report of all the security vulnerabilities. That's not the way to do this. This has to be summary-based. This has to be very pointed to certain things like incidents, what's been detected, and what's happened in the last week and month. What do we do to close it? What's still open? We talked about this in terms of change management. What changes have occurred? Are we seeing this in continuous controls monitoring in our world? That's what needs to happen, and there are a lot of companies that still have yet to implement continuous controls monitoring. Security is probably a great place to do it, especially with an MSSP provider, because they have the ability to provide custom reports—to be able to look at the elements of what's going on in the environment. That's very difficult, and this is not a manual effort. The system is able to automate these reports and hand them off. As you mentioned, Kevin, you're doing weekly and monthly calls with your clients. That's really important. But if those calls are ones where the client doesn't understand what you're reporting, it's irrelevant and it's a non-value add. That's really key. Also, putting it in their perspective, understanding what they're thinking about and what's important to them, is key to bring into the reports as well.
KN: Compliance and audit. I didn't touch on that, but it's really important if you can collect all of the data necessary for reports that help audits. So PCI, Sarbanes-Oxley, HIPAA, all of these are built in, but shouldn't be built in as part of the report library. As you collect the information, it should make the audit process a lot easier. And that's the responsibility of the MSSP: to have a reports library that addresses all the needs, not only for the security monitoring that I mentioned before, but also the ability to help audit and regulatory compliance.
JR: I completely agree. Because the latest and greatest is that anybody inside a company doesn't want to spend a whole lot of time creating things to hand off to any auditor or regulator. They want it to be readily available. Actually, that's what the regulator and the auditor both want. They don't want you trying to figure out what happened because they asked. They want to make sure that you're actually doing it on the go and it's just very easy to pull into the process.
KN: We had a customer that showed our compliance reports to the auditors and they said, "Oh, this is awesome. You pass." And it was the first one they actually did where the audit process was so much shorter—by, I would say, a factor of 10—quicker than they used to be.
JR: That's music to my ears, because I hear a lot of complaints from my clients that it just takes way too much time and resources to prepare and maintain what they call audit readiness and regulatory exam readiness. That is key. Then one other factor to throw in, in terms of reports the client really wants: the digital age is here, digital transformation is here. The client wants to get the reports dynamically, and in combination with what we do, which is give them access to the reports to click through as they wish—whether it be on their mobile device or other. They don't have to necessarily receive an email saying here's the report. They can see it whenever they want, 24/7.
KC: Jerry and Kevin, thanks so much for your expertise and this great insight. And thank you for listening to the EisnerAmper Cloud Access podcast series. In our next podcast, we'll talk about some MSSP before-and-after client stories, so we hope you'll join us. In the meantime, visit eisneramper.com for more information on this and a host of other topics.
EisnerAmper’s Managed Security Services Provider Podcast addresses the best practices in security management, covering preventative and detective controls, risk assessment, data loss, and the importance of integrating all of those applications for management and audit.