Emagined Security MSSP Partner Evaluation Checklist
The following are some sample questions that you may consider asking when
evaluating prospective MSSPs to determine if they will be a Provider or a
Partner:
COMPANY BACKGROUND & REPUTATION
How long has your company been providing MSS services?
How does the MSS solution fit into your larger company focus and portfolio?
Are you willing to provide at least 3 references?
Are 100% of the employees / resources in the USA? (Required for Government Contractors / DoD)
Will the MSSP consider being part of a Proof of Concept project?

TOOLS AND SECURITY EVENT DATA OWNERSHIP
Who owns the security technology, and can it still be used if the MSSP services are no longer required?
Is the SIEM technology COTS or is it proprietary to the MSSP?
Is open source technology being used in the SIEM technology, or is it a commercially viable product? (Commercial products provide advantages to stability.)

LOG RETENTION AND COLLECTION ARCHITECTURE
Do we (the customer) have access to the logs?
How long are logs available online to be queried?
How are the logs stored, and can they be accessed if the MSSP services are no longer required?
If we (the customer) need to retain logs for an extended period of time, what are the options?
Who is responsible for backing up collected logs?

SECURITY MONITORING & RESPONSE

GENERAL
What are your service level options for Security Monitoring?
Will the SOC work with us to refine which incidents are more/less important?
How do you monitor threat actors, and how do you leverage this information?
How far do you go in evaluating whether or not we have an incident?
Can the service be adjusted for hunting after critical incidents instead of just monitoring?
Are fully encrypted computing resources / communications used?
Can SLAs be tailored after contract completion based upon real needs without a contract modification?

SIEM
How are logs analyzed for Security Incidents?
Do you support the following technologies (state your key security tools)?

EDR
Can EDR events be monitored and action taken?
Do you take any actions if malware is identified on EDR-protected systems?
What type of blocking response actions can be taken by the MSSP? (e.g., delete a file, kill a process, delete a registry key)

VULNERABILITIES
How is vulnerability data leveraged as part of incident analysis and presentation?
Do we (the customer) have access to the vulnerability data?
Are dashboards available to help turn raw vulnerability data into a management program?

SECURITY OPERATIONS & DELIVERY
Is there an individual assigned as a primary MSSP interface?
How is communication with the SOC conducted?
On an average week, how often do you chat with each customer?
Are any 3rd party contractors or companies used as part of your solution?
Are services tailored to each client's needs?
Can support be made available for other security needs (tool installation, deployment, patching and system maintenance)?
Can security coaching and mentoring be made available?
Are services available 24x7?

SERVICE ON-BOARDING
Detail your methodology for on-boarding managed security services.
How long does it typically take to bring a new customer onboard and start reporting alerts?
How long does it take to realize the full benefits of the SOC?
Do any forms need to be filled out to onboard each security device?
Approximately how long does it take to add a new device for monitoring?
Can you create custom collectors for non-standard devices?

CUSTOMER PORTAL
How is authentication to your customer portal handled?
Does your portal support role-based access control?
Can everyone be granted access to security incidents, device details, and reports for different parts of my organization?
Do we (the customer) have access to the same dashboards and data as the MSSP?
Are we (the customer) and the MSSP part of the same communication channels (e.g., Microsoft Teams)?

SECURITY & RESILIENCY OF VENDOR ENVIRONMENT
Describe your process for vetting staff that have access to client data.
Do you have Disaster Recovery and Business Continuity Plans?
How long has your backend technology been in place?
Describe your vulnerability management approach for ensuring the security and integrity of the SOC.

PRICING
Describe your pricing model, licensing agreements, and maintenance agreements.
Is the pricing predictable?
Is pricing designed to maximize utilization, or is it a charge per device?
Is there a charge to change out or add new technologies / servers?
Do different technology characteristics (e.g., device type, device size, high availability, firewall interfaces) impact pricing of the solution?