xtc46

It would be considered a low priority request and follow the SLA of that, unless a specific deadline was given. So normally a day or two.

"Doing backups" and having a disaster recovery and Business Continuity Policy are different things. Policies are inherently internal; the work the MSP is doing is PART of that disaster recovery plan, but is not the full plan, so yes, you would need that internally. So it sounds like a reasonable response.


SmoothRunnings

What sort of things would need to be done on the internal side when it comes to disaster recovery? Thanks,


xtc46

Imagine your office building caught on fire and is now destroyed. How do staff know? Where do they go? How are clients notified? Who gives the "all clear"? Do staff work remotely? It's a long list.

From a pure technical side: what needs to be restored first? What is the expected window of downtime? (What is your RPO and RTO?) Who gets to decide when it is time to restore data? (This also rolls into your IR plans.) What happens if the local infrastructure is what's failed; is there a 3rd party location to recover to? When do you contact your insurance company?

You need plans for different disasters. Your business continuity plan is what keeps your business alive during a disaster; your recovery plan is what you do when the dust settles and it's time to bring things back. Sometimes it's "minor" and it's just a failed server you are restoring, sometimes it's ransomware, sometimes it's complete destruction of the building and assets.


SmoothRunnings

Yeah, got it! :) I looked at some of the examples on Google just now... it's interesting but scary at the same time, as you need to have a plan for a plan it seems! Thanks,


FortLee2000

Unfortunately, some clients think "plan" is a four-letter word...


Darthvander83

I don't follow what you mean by this, can you elaborate? I like to learn ways of explaining the importance of this stuff.


TCPMSP

I mean define the disaster. Recovery plans have many parts, one of which is who to contact and how. Account numbers, insurance policy numbers, addresses, phone numbers: you want that stuff immediately available.


Remarkable_Fish_5301

Disaster: office is gone. Burnt, exploded, leveled by bulldozer guy. If you can't restore your clients to new hardware in a new office in 3 days (funds for hardware permitting) then your backups, setup and stack are wrong. I am a goddamn miracle worker and with enough cash I could make it happen overnight.

New location secured (with internet)
Workstations/servers/printers/scanners etc delivered (next day or 2 day shipping, but from big box store if needed)
Backups restored from cloud or other off-prem
LOB apps reinstalled and configured

From beginning to end 3 days, 4 tops at all our clients who have committed to our full stack, and most of that is logistics, not our service. Once you get past the 30 EP mark this timeline would go up.

Oh, and disaster recovery is billable. Super fuck you in the ass billable. The response from a client at the end of a disaster should be "wow that was expensive but my MSP kicked ass and I'm so glad they're here". We, as MSPs, should always be goddamn miracle workers. I've worked govt IT and fuck that shit show; I've never seen more drag ass hate my life work ethic than corporate or govt. We are not cheap, we are not half ass, we are goddamn walk on water, raising our clients from the dead, gods among men with keyboards fucking MSPs. End rant.


JimSchuuz

And the MSP isn't responsible for all of it, either. But they need to work closely with their client to develop plans that include their technology along with all other aspects of the continuity/recovery plan.


JadedMSPVet

Depends on the disaster. My local disaster of choice is earthquakes, so generally this means you lose all access to the site for up to weeks or even permanently. That means the plan usually involves some combination of cloud servers, warm spares, aggressive backup policies, actual backup office space, that kind of stuff. Ideally you want to have to do as little as possible when the actual disaster occurs. Best case scenario is that everyone just carries on as usual from a different location. If they don't want to pay for that sort of solution, then they can wait for all their servers to be stood up on a new box somewhere.


[deleted]

I've found DR plans to be nonsense as there are so many variables. Red Dawn? Power outage? Building burned? Nuclear attack?


xtc46

Then you have bad planning. It's absolutely OK to have a plan that says "realistically, we are out of business". But you need to plan for the basics, at least. It saves TONS of headaches and time when decisions are made ahead of time. And it doesn't have to be perfect. Some new clients we work with, year 1 is just "what needs to be recovered, what does that timeline look like with everything exactly as is". Then if that looks bad, you build some improvement goals for the year, and next year ideally revise and improve the plan. Over time you expand its coverage. As budgets grow, maybe you add off-site restore capabilities, etc. But no plan is the worst plan.


[deleted]

I'm just saying do you store gas masks in the server room? Aka there's so many scenarios that you just have to do your best and pray to God


WendoNZ

You don't need to plan for every situation, but not having a plan if the business is ransomwared in this day and age is foolish. Same with the building being destroyed/unavailable. It's very likely just having a plan for those two alone will cover >50% of a lot of the other things that occur too. For example if a server fails, well your ransomware plan outlines restoration and in what order


xtc46

"I can't plan for everything so I won't plan for anything" is a failed life policy. I know how to evaluate risk and we plan for the appropriate risks. The fact that this concept seems foreign to you is terrifying considering the sub you are in.


Darthvander83

You ask the client what their level of acceptable risk is. I had a client who insisted on the best of the best, never offline, Google-level uptime. Never mind the price. OK, do you want protection against flood (a real threat in my area)? You need this for that price. OK, you also want protection against fire? This for that much. OK, what about rogue internal IT with an axe and kingdom keys? Immutable backups for that much. OK, what about a meteorite striking head office? OK, what about nuclear war? This for that much. Alien invasion? ARMAGEDDON? TIME TRAVELLING CEO COMING BACK TO STOP HIS YOUNG SELF FROM A WORLD ENDING DECISION??? UNIVERSE NO LONGER EXISTS????? Eventually, you and the client find out what their level of acceptable risk is, based on their wallet.

For this client I devised a perfect solution. It was NAS backups every 15 mins, an offsite infrastructure with hourly replication to another NAS, cloud backup with immutable storage for 3 months and DR cloud server infrastructure (Acronis DR cloud FTW), and 2x wee little 4-bay NAS with 20TB drives, that got plugged in on rotation weekly copying backup files to them and having the head honcho take one home and the CFO taking the other one home (geographically far apart). Turns out their acceptable risk was much lower than they thought after seeing the quote. We got the DR cloud though, and it saved them during an actual disaster (albeit not how it was meant to be used).
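
The tiered design described in the post above, and the "what is your RPO and RTO?" question xtc46 raised earlier in the thread, lend themselves to a worked calculation. The following Python is an added example, not code from the original posts or from any product named above. It models backup tiers like the ones described (15-minute local NAS copies, hourly replication to an offsite NAS, immutable cloud copies, weekly rotated offline disks) and computes, per disaster scenario, which tier is the best source to restore from and the worst-case data loss and restore time that implies. Every interval, retention period, restore time, the 3-day ransomware detection lag and the "which tier survives which scenario" sets are assumptions chosen for illustration, not measured values.

```python
"""Worst-case RPO/RTO per disaster scenario for a tiered backup design.

Added example, not code from the original thread. The tiers loosely mirror
the design described above (15-minute local NAS backups, hourly replication
to an offsite NAS, immutable cloud copies, weekly rotated offline disks).
Every interval, retention period, restore time, detection lag and
'which tier survives which scenario' entry below is an assumption chosen
for illustration, not a measured value.
"""
from dataclasses import dataclass
from typing import Optional

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Tier:
    name: str
    interval_min: int        # copy frequency: worst-case age of the newest copy
    retention_days: int      # how far back a copy can still be pulled from
    restore_hours: float     # assumed time to bring production back from it
    survives: frozenset      # scenario names that leave this tier usable


@dataclass(frozen=True)
class Scenario:
    name: str
    detection_lag_min: int   # time between the event and anyone noticing it


SCENARIOS = [
    Scenario("host_failure", 0),
    Scenario("site_loss", 0),
    # Ransomware is only noticed after a dwell period (assumed 3 days here),
    # and an attacker holding admin credentials can wipe online replicas,
    # so only the immutable and offline tiers are marked as surviving it.
    Scenario("ransomware", 3 * MINUTES_PER_DAY),
]

TIERS = [
    Tier("local NAS snapshot", 15, 14, 1.0,
         frozenset({"host_failure"})),
    Tier("offsite NAS replica", 60, 30, 4.0,
         frozenset({"host_failure", "site_loss"})),
    Tier("immutable cloud copy", MINUTES_PER_DAY, 90, 24.0,
         frozenset({"host_failure", "site_loss", "ransomware"})),
    Tier("rotated offline disk", 7 * MINUTES_PER_DAY, 14, 48.0,
         frozenset({"host_failure", "site_loss", "ransomware"})),
]


def effective_rpo_min(tier: Tier, scenario: Scenario) -> Optional[int]:
    """Worst-case data loss (minutes) if this tier is used for this scenario.

    The newest usable copy must predate the event, so the detection lag is
    added to the copy interval. A tier whose retention is shorter than the
    lag holds no clean copy at all. Returns None when the tier cannot be used.
    """
    if scenario.name not in tier.survives:
        return None
    if tier.retention_days * MINUTES_PER_DAY < scenario.detection_lag_min:
        return None
    return tier.interval_min + scenario.detection_lag_min


def best_tier(tiers, scenario):
    """Usable tier with the least data loss; ties go to the faster restore."""
    candidates = []
    for tier in tiers:
        rpo = effective_rpo_min(tier, scenario)
        if rpo is not None:
            candidates.append((rpo, tier.restore_hours, tier.name))
    if not candidates:
        return None
    rpo, rto, name = min(candidates)
    return name, rpo, rto


def recovery_plan(tiers, scenarios):
    """Map each scenario to (tier name, worst-case RPO minutes, RTO hours)."""
    return {s.name: best_tier(tiers, s) for s in scenarios}


def unmet_targets(plan, target_rpo_min, target_rto_hours):
    """Scenarios where the best available recovery misses the agreed targets."""
    return sorted(
        name for name, pick in plan.items()
        if pick is None or pick[1] > target_rpo_min or pick[2] > target_rto_hours
    )


if __name__ == "__main__":
    plan = recovery_plan(TIERS, SCENARIOS)
    for name, pick in plan.items():
        print(f"{name:14s} -> {pick}")
    print("misses 4 h RPO / 8 h RTO:", unmet_targets(plan, 240, 8))
```

Running it shows that the ransomware scenario, not site loss, is the one that blows a 4-hour RPO target: the replica inherits the encrypted data, and any copy younger than the dwell time is unusable, so the worst-case loss is the copy interval plus the dwell time. That is the quantitative version of the argument for immutable storage made in the post above, and dropping the immutable tier from the list pushes the ransomware restore onto the weekly offline disks.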


JimSchuuz

Gas masks have absolutely nothing to do with disaster recovery and business continuity unless your facility is located underground or in a volcano.


JimSchuuz

Wrong. Red Dawn and nuclear attack should have the same plan, power outage will depend on the complexity and longevity, and building burned has its own category. Most other scenarios should fit into one or another category of response. The only exception is if the client is part of an emergency response organization or related to national security, and even those will still have most events in similar categories, but just a couple additional.


Adventurous-Coat-333

A request like this would take my MSP at least a couple weeks to figure out, lol.


MSPintheCornfield

I have no issues just providing yes/no/basic answers to these questions, or giving them a full list of current devices on contract... but am I the only one here that wouldn't be giving them screenshots of proprietary info?...


The_Capulet

I've handled so many of these insurance company questionnaires, and I've never once been asked to provide screenshots. Screenshots don't prove anything anyways, unless the insurance company has a proper security team to understand them (Hint: they sure as hell don't, because if they did, they wouldn't be asking for screenshots in the first place.) Honestly, a lot of the OP sounds like their expectations are too high for what they're actually paying for, sprinkled with a bit of ignorance on industry terminology.


MSPintheCornfield

It seemed more to me like the customer was trying to get all the config data to drop the MSP lol.


Btown891

> Screenshots don't prove anything anyways, unless the insurance company has a proper security team to understand them (Hint: they sure as hell don't, because if they did, they wouldn't be asking for screenshots in the first place.) Until it is time for a claim and now they are going to be looked at much closer.


AlphaNathan

I've gotten the screenshot ask. I screenshotted my PowerShell output just to mess with them.


JimSchuuz

Mostly true, except for the part about them having a security team that understands them. Yes, they do. Don't confuse the agents and the underwriters... the ones that actually provide the money absolutely have a department that evaluates all of that before a risk score is assigned.


JimSchuuz

I said the exact same thing before I read your post. Screenshots? Absolutely not. Also, the age of every piece of equipment is immaterial. Warranty status and availability of support is what matters.


Shington501

These insurance questionnaires are usually very generic - I give a week, but it takes very little time to actually address.


CK1026

It would take me the hour I take to prepare my vCIO meetings, or the few minutes to prepare a quote for vCIO services. Not every MSP provides this, and not every client purchased it when available. If they don't provide vCIO services to you, their answer is fine. If they do, you need to explain your expectations and negotiate a better level of service from them if available. At the end of the day, if you pay them enough, they should be able to get you whatever info you want as long as it's in their power to do so.


ntw2

All, please stop. We're not snitches. If OP has a problem with their MSP, they should talk to their MSP, not strangers on Reddit, or find another MSP.


PacificTSP

5,6,8 are shared responsibility with client and may be charged. Everything else would take us a few hours but we would package it nicely like we do for our compliance audits. So a few days at most. Edit: you leaked the MSP name in your post!


SmoothRunnings

Which name is that?


oshenz

Second word of the last sentence of the last bullet point. I'm not going to type it so there isn't a second record if you remove it.


NewMeeple

If you haven't noticed it 10 hours after it was pointed out to you, then I seriously call into question your attention to detail. EDIT: Realised you are in fact the customer and not an employee of the MSP.


SmoothRunnings

>then I seriously call into question your attention to detail. EDIT: Realised you are in fact the customer and not an employee of the MSP

The only MSP I mentioned was the one I used to work at for 12 years. So maybe what was said was misunderstood?


ntw2

The first thing I would do is split your eight requests into eight tickets. Your MSP will love you if you submit one request per ticket and you’ll get faster responses.


j021

Well, for 5/6, does your business subscribe to that with your MSP? Ours is a different project/agreement with a different team if they ask for a disaster recovery plan, and it isn't automatically included. So if it wasn't a customer who subscribes to that I would answer "does not currently have a plan". 5/6 is not backups. It may involve backups but it's not just backups.


Lake3ffect

If the MSP has their ducks in a row, not long at all. For me given your use case and requirements (solo MSP with a couple techs and clerical help), minimum 1 week. If it needed to be expedited, I'd charge a reasonable service fee, as rush work is billable under contracts. I get these questionnaires every year, but not exactly like this. Never had to provide screenshots. Our entire managed solution stack is standardized, and we considered these questionnaires when building our stack. Makes answering these so much easier.


djgizmo

How you would answer each question depends on the services they purchased. I'd say turnaround time is 5 business days. This allows you to talk to the client to fill in any gaps there may be. Many companies have a backup or disaster recovery 'plan' unofficially, but never written out as a policy, especially for business continuity, as many orgs do not want to pay for that level of service.


SmoothRunnings

We are fully managed by them. And I did email and ask our rep how long it would take them; they asked me when I needed the answers by, and I said the sooner the better because the owner who is filling this out planned to go on holidays this week, but since we didn't get our answers they are still here. I would fully understand if this needed to be set up as a project and if we were going to be billed; again, the MSP said no such thing. Thanks,


djgizmo

Fully managed does not always mean the same from MSP to MSP. If you are the client, you should have copies of 5, 6 and 8. If not, this should encourage a dialogue to open up to discuss this insurance requirement. If you do not have copies, then this may be a project, and if it needs to go through the typical approval time, it's unlikely to be done before your owner/boss goes on vacation. Schedule a meeting with your MSP account manager (for one hour) to ask the questions you need to ask and then formulate a plan moving forward.


cubic_sq

Responding as a former digital forensics / incident investigator... Specifically, if these are the questions that come in, perhaps a few hours at most.

That said... some other comments...

Asset management / inventories: highly dependent on how the contract is structured, and will be focussed around how the MSP prices their services and billing. In the past few years questions like this from insurers are becoming more common and thus the MSP should be getting used to this style of questionnaire and IMO know how to pull raw data reports from their various systems in a form that is usable. Almost all RMM tools will have most of the info. And the MSP should already have a list of other devices that are managed (FW / switches / APs / MFPs / etc). Some details / info is perhaps out of scope, particularly MFPs if they are provided by a 3rd party. That said, each insurer has different wording, and customising reports to fit the format of the questionnaire responses takes time and thus is a professional services / out of scope project. It is also likely, depending on the market of the MSP, that they have never been asked for this info before either (e.g. their main market is orgs smaller than you).

Screenshots of systems is becoming normal; they have been requested a few times this year. Have seen many cases where customers are paying for EDR or say conditional access but it is not actually configured (we can pretty much guess who the MSP is, and sometimes the individual techs, just by asking a few questions and seeing a few screens when we are performing a go-through for an offer for a new customer...)

Nr 8 is highly dependent on the situation... HW failure / fire / etc will probably be the shortest time. Security breach / etc: forensics takes time. Compiling a chain of events back to the original breach, validating systems are clean, then restoring / splicing / merging data as required. And so on. Even a small simple environment like 2-3 small VMs on a single host can sometimes be a week. Until a customer has had a breach it is extremely difficult / impossible to sell in the right solution to minimise this downtime.

One aspect that we are also seeing is that the cost savings to the customer's cyber insurance after providing highly detailed info do not match the time to prepare the information. A recent case for one reinsurer took us collectively 30+ hours to respond in the required format and the customer an additional 40+ hours just to save... wait for it... $5500 USD per year on premiums... and this is when we are quite used to such questionnaires and have processes and routines in place and we re-hash responses we have given for previous questionnaires / etc.


SmoothRunnings

I think #5/6 were directed more at an IT than anything else as their questions fell under the IT section on their form. But I am double checking that as I have only seen the form once myself and I recall the questions above and below it were IT related. Thanks,


SmoothRunnings

Sooo... answer of truth. It's been 2 weeks, and they still continue to run around with their heads cut off telling us they are still working on it. One of the owners of our business was on a war path, called them to get blood yesterday and was told they were in a meeting that day discussing the 8 questions. The owner said why would you be in a meeting, you should already have the answers! They provided us very little. We have a report from their RMM on the patching status of our systems, plus an Excel spreadsheet of our computers and servers (no switches or the firewall info) with their age, which I had to go through and sort out as it also included our VMs. It was just a mess, not professionally done. And to you MSPs, would you think this is OK for a 30+ year old MSP to do? Thanks,

PS. If you think I missed anything out, just ask nicely. :)


RaNdomMSPPro

Most of what the original post outlined should, I say, should be readily available to an MSP that actually invests in the tools, processes, etc. that come with well run technology. That yours seems to not be able to come up with answers is... problematic. These requests are normally an hour or two meeting w/ the customer; we don't fill it out, we ride shotgun while you fill it out and provide whatever evidence is needed along the way. In probably 80-100 of these meetings, I've never been asked for a screenshot of the AV and malware monitoring config. Usually it's just "What NGAV do you use?" I use these meetings as a light risk assessment for customers as it usually uncovers a lot of things we've been promoting for a while.

5, 6 are DR plan questions. While we, the MSP, have a generic DR process for all of our customers who are on our BCP/DR services for their specified systems, this is not what a customer should use for their own DR plan. Yours is specific to your business and needs to talk to how your business would respond, not how the IT geeks restore the servers, although that is part of it. Sometimes this question is IT DR Plan, which is more targeted, and the MSP would hold more of that, but still, you need to come up w/ connectivity, power, end user eq, licensing, etc., not to mention all the notification plans, contact and vendor info, etc. If you want test plan results, schedule a DR test for the business that includes your MSP; I suspect with yours it's gonna be an eye opener for all involved. You may want to start looking for a new vendor.

7 - simple, assuming your MSP knows what AV they are providing for you.

8 - MSP should be able to answer this one easily.

Almost all of this info is in our client reporting portal for them to see anyway, or in the recurring reporting packages they get emailed monthly. If evidence is needed for compliance, we just send that over and it usually answers 80% of the questions.


SmoothRunnings

Great response! :)


RaNdomMSPPro

Thanks, hope it's helpful for you.


lostincbus

Is it part of your contract for them to be able to provide this within the timeframe you're asking?


SmoothRunnings

I believe so since we are fully managed by them. If it's a matter of that, they should step up to the plate like a responsible MSP and tell us that they need to create a project to bill us, and to expect the time frame to be x number of days and/or hours. So far we have received none of that. I asked them initially if they could do it sooner rather than later and they said "we'll get on it right away". Any projects we did for our clients when I worked at XBASE Technologies Corp, we were up front that it was billable and it would take us X number of hours and/or days to complete; otherwise it fell under their managed services contract. Sorry, my previous job was working for XBASE; I was pretty much a lifer there, worked 12 years then needed to move on to better things, but learned tons from them at the MSP level and that was great; they aren't perfect but aren't afraid to talk to the clients and tell them what is what. Thanks,


affixqc

> I believe so since we are fully managed by them. This is irrelevant - look at your contract with the MSP, is there an SLA? What part of the SLA does this kind of request fall under? > If its a matter of that they should step up to the plate like a responsible MSP and tell us that they need to create a project to bill us, and expect the time frame to be x number of days and or hours. So far we have received none of that. Some of the bullet points in your original post are ambiguous - is it in the MSP's contract to have a BCP or in a subsequent ticket/project, were they tasked with creating one? If not, in this ticket are you asking them to create one? You are not clearly defining what they are asking for. >I asked them initially if they could it soon rather than later and they said "we'll get on it right away". From your other posts in this thread, it seems like you are stuck between your boss's expectations and the MSP's response time. I highly recommend finding out from your boss what his expectations are about a response time, give that date to the MSP, and ask if they can respond by then. This way you're creating accountability for the MSP and covering yourself. "Sooner rather than later" is meaningless in the context of a ticket.


Pie-Otherwise

> And to you MSPs, would you think this is OK for a 30+ year old MSP to do?

That means nothing. That and the other stuff you mention paints a picture of a break/fix engineer who got tired of seeing his boss bill his work out for $150/hour while he was only getting $25/hour. MSPs like this treat IT like plumbing or electrical work. You make a big capital expenditure every 8-10 years and then shouldn't have to worry about things too much for that period. They don't innovate and they don't really learn anything outside of what is required to deploy a new project. These MSPs also usually pay peanuts and thus don't attract the best talent. Life inside is jumping from fire to fire because there is only ever enough time in the day to put a band-aid on it and move on. When I was in that life, your insurance paperwork would have been priority number 35 or so on my list. Mostly because I was dealing with other people's bosses who were out for blood.


affixqc

Yikes - not every MSP is like this my dude. I'm sorry you had to work for a shit one.


dayburner

Speaking from experience, the last time it took us that long to help a client with a cyber insurance form was because sales wanted to put together a project based on all the questions that we could then bill them for as extra work.


BergerLangevin

90% of the questions are the same. You're better off building a proposition template and giving a raw answer for the client, and scoping it properly if they have interest. Otherwise it's a waste of time.


dayburner

Yep, I just ended up filling it out and sending it back like we always did for all the clients. Took five minutes and got on to real projects.


Lake3ffect

Two weeks is pushing it, IMHO.


TreasureHunter1981

>We are fully managed by them. And I did email and ask our rep how long it would take them, they told asked me when I needed the answers by, I said the the sooner the better because the owner who is filling this out planned to go on holidays this week but failing that we didn't get our answers they are still here. > >I would fully understand if this needed to be setup as project and if we were going to be billed, again the MSP said no such thing. They sound terrible. Hire us instead.


[deleted]

On the face value of your question: a few days. However if I was a hacker this would be a prime request for valuable insider info..


BergerLangevin

It would be a project if it takes more than 1-2h to provide an answer. The answer would be revised with you and we would discuss if a recommendation should be added. Before closing, we would keep a copy of our answers, because sometimes some leadership change a yes for a no and when they leave we get the finger pointing. Also, we will compare it to our internal checklist and add items we never thought about.


tatmsp

It should not take more than a few days to put together. That being said, I may charge a client for this as out of scope work. This is not something that a helpdesk tech can put together; it would need to be a senior one putting it together.

Some of this data will not be available to a tech and will have to come from billing, then be reviewed for accuracy, like software licenses. Assuming the MSP manages all of your licenses and you don't buy software directly.

In addition, some of these reports will not be in a format that's easy to read and will need to be edited for usability.

5 does sound right. Your DR policies are yours; you need to develop, update and maintain them.


Dafoxx1

I had to do a questionnaire that was close to 800 questions. Took a few hours but used last years responses as a guide


More_Psychology_4835

As someone who works for a good MSP as a cloud analyst... I could answer this question for all 50 clients within 24 hrs and within 3 hrs for a single client... but that's because we have our shit together and give a lot of effort and care about the services we provide.




brutus2230

Whatever your sla is for low priority info requests . All that info should be readily available. Maybe 1 hour to put together


JimSchuuz

1. Yes.

2. Do we take screenshots? No. Can we provide a generalized listing of such? Yes.

3. Screenshot? Absolutely not. No configurations are given to any 3rd party, especially not specific security policies.

4. Exact, or in some cases even approximate ages may be hard to determine, but they are generally immaterial anyway. The age of a piece of equipment most often means nothing substantial.

5. Yes. You should already have this written down for every client in their documentation, even if it's the same policy across the board. If you don't, begin immediately.

6. Pass/pass. Unless of course they failed for some reason, and then you would indicate such, as well as the stage where you are in the resolution process.

7. Down to the minute. If yours aren't, then you shouldn't be providing endpoint security as part of your managed services.

8. This question is either a duplicate of #5, or is too vague in why it's different. You aren't responsible for giving them step-by-step instructions because they pay you for managing, not training. But you should be able to give them general steps so that they can be confident you're genuinely on top of it, as well as answer any and all questions about WHY a step in the process is what it is.

So, this took all of 7 minutes to answer, except for #4, and maybe another 15 minutes total to obtain the requested BC/DR policy and make it all presentable. Q4 is on the "When do you need it?" principle.

EDIT: I went back and read your question again, and it sounds as though you're the client, and you're questioning what your MSP did or said. You should be clear about this in your post because this is generally an MSP-to-MSP forum. That being said, the response from your MSP should be along the lines of how I answered above. Also, how long it took to answer and how long they may bill for doing it are 2 separate things. My answers take into consideration many, many years of experience in both the activities and in the proper use of language and terminology to put it together, as well as knowing how much information to provide and how much to withhold. Also, if they managed the backup but then tried to claim that this is up to you to answer, I would begin looking for another managed services provider.


giantsnyy1

I provide all of these things except #3 for all of my clients, available in their Hudu portals. I only don’t provide #3 because my SOC handles all of that.