3 minute read
Could your IT managed service provider sign this? Have you even asked?
By Will Gardiner on 8 February 2021
Our IT managed services team talks to dozens of new businesses every month, and they have noticed a new trend emerging.
Over the last six months or so, more and more businesses are – without prompt – enquiring about our ability to keep their data safe.
This is subtly and importantly different from our ability to provide managed security services. Or to protect their data from internal and external threats. Instead, this is more about our responsibility – can we be trusted with access to their data, and can we guarantee our continuous protection of it?
Of the businesses we speak to, those with such concerns and requirements are comfortably now in the majority. While previously, Data Security Agreements – formal assurances of our suitability as a data partner – were an occasional prerequisite, they are now becoming standard.
The rising trend for such requests however is merely the symptom. What is the cause? Why are businesses more concerned about the safety of their data than ever before?
Why are Data Security Agreements becoming more common?
The events of 2020 put data safety to the front of everyone’s minds. With network perimeters dissolved as workforces were required to stay at home, businesses became immediately alarmed that their data was no longer under constant watch. Data no longer sat solely within the network and its creation, movement and treatment could no longer be constantly overseen, and neither security measures, privacy obligations nor governance requirements could be routinely guaranteed.
This brought heightened scrutiny of every way in which a business’ data could be accessed and who by. And while many partners and service providers already sat outside the network, the realisation that the perimeter no longer really existed – that the castle and moat analogy was now a myth – brought a new scrutiny of those relationships that arguably ought to have always been in place.
Data Privacy & Data Security Recommendations
Guidance on how to protect your business' data & follow data privacy regulations during COVID-19
What does a Data Security Agreement require?
The Agreements we are asked to review vary, but one thing is consistent: their name – Data Security Agreements – is a misnomer. They are in fact far more wider reaching than simply security and create requirements across the whole spectrum of data safety, including both data governance and data privacy.
Some of the most common requirements:
Data must be handled in accordance with data protection law as applicable.
|Data must not cross borders without prior agreement|
|Grant a right to audit data processing activities|
|Assist and co-operate with Data Privacy Impact Assessments (DPIAs)|
|Maintain access management restrictions and logs|
|Maintain security audit logs|
|Act only in accordance with the customer’s internal security policies|
|Take technical and organisational measures to protect against unauthorised or unlawful data processing, loss, alteration or disclosure.|
|Regularly test, evaluate and improve security measures|
Maintain complete and accurate records of all processes that support these obligations
Ensure company-wide, annually-reviewed information security policies and security awareness programmes
|Have a defined CISO role|
|Encrypt data in transit and at rest|
|Hold documented change management processes|
|Ensure organisation-wide multi-factor authentication|
|Maintain and test documented disaster recovery plans and technical & organisational business continuity processes|
Crucially, the purpose of a Data Security Agreement (however poorly named) is that service providers are required to guarantee their adherence to these requirements – and the many other underlying processes that allow these guarantees to be made.
And that is an important point: each bullet point is itself an outcome of potentially dozens of processes and policies, each documented and maintained and continually enforced throughout the organisation. So to a service provider that has not encountered these requirements before, a Data Security Agreement is insurmountable.
How common is the ability to sign them?For Calligo, agreeing to terms such as these is natural.
- We hold many data governance certifications, including ISO 27001, ISO 9001 and SOC 2 Type 1
- We align to others such as ISO 27018
- We have additional data governance accreditations for local jurisdictions, such as PSF for Luxembourg
- We have an in-house Data Protection Officer
- And we have our own team of certified data privacy professionals
- While having data safety in our DNA and heritage.
But for other MSPs, especially traditional technology-focused MSPs rather than managed data services providers such as ourselves, they can be harder to guarantee continual compliance with.
To find out why, we asked some of the previous heads of MSPs we have acquired over the years how they would have dealt with such requirements with their own businesses:
"The key obstacle for us was the lack of in-house expertise and dedicated teams and resource whose role it would be to ensure we adhered to the obligations."
"Once you have a customer operating across multiple regions and jurisdictions, it was too complex a task to keep on top of."
"We were always comfortable we could have brought systems or processes online to satisfy the majority of the requirements, but it was doing so under a formal structure that was problematic – but would have been essential in order to guarantee compliance."
Bear in mind that these MSPs were chosen to join Calligo because of their likeminded attitude to the importance, value and risk of data – and even they struggled.
Ultimately, the message is simple: Data Security Agreements are an increasingly-used tool to ensure that the chosen partner is capable and willing to guarantee data’s continuous safety. And while many MSPs may still be struggling to catch up, Data Security Agreements must continue to be routine, as they create an environment of mutual respect for the value and risk of the customer’s data.
IT Managed Services
Keep your teams productive and boost profitability with a proactive, strategic and tailored managed IT service
Managed Cloud Services
Ensure the continuous availability, security and data privacy protection of your data with high performance managed cloud infrastructure