Universal Best Practices for Managed 
Services 
By Charles R. Weaver J.D., in association with Nimsoft 

   

1
Table of Contents 

Introduction ...................................................................................................................................... 3

Ethics.................................................................................................................................................. 3

Impartiality ........................................................................................................................................ 4

Understanding the Law & Regulation.......................................................................................... 4

Confidentiality.................................................................................................................................. 5

Disclosure .......................................................................................................................................... 6

Managed Services Expertise ......................................................................................................... 6

Process, Process, Process ............................................................................................................... 7

Bring the Right Tools ........................................................................................................................ 8

Security.............................................................................................................................................. 9

Continuing Education...................................................................................................................10

Protect Your Profession .................................................................................................................10

Managed Services Accreditation Program .............................................................................11

Conclusion......................................................................................................................................12

2

Introduction  clients in a way that few other IT
The managed services profession is as
complex as it is diverse and continues to
change to meet the needs of its many
clients throughout the world. Yet, with all
these changes facing the managed
services industry there have been a
core group of principles that have
successfully guided MSPs throughout the
years. These “best practices” are simply
philosophies that successful MSPs have
used; in fact, most of these practices
are considered to be fundamental to
running a successful business in many
other industries.
These best practices can be employed
by MSPs of all shapes, sizes, and vertical
markets. In addition to being good
business principles, these best practices
will allow MSPs to become highly
profitable, efficient, and scalable. While
there are undoubtedly other
philosophies that are worthy of mention
in the managed services profession,
these specific best practices were
chosen because of their universal
application and importance for MSPs
everywhere.
Ethics  duties. If MSPs want to ensure the
MSPs are different from any other type
of IT service provider. What makes them
unique is not their remote monitoring
and management technologies or their
recurring revenue model, but rather the
3
deep relationship they have with their
clients. MSPs enjoy the trust of their
management companies ever realize.
When a client decides to use a MSP,
they don’t’ just agree to pay money
every month. Managed services clients
provide their MSPs with access to some
very sensitive information. Access to
corporate networks and systems,
employee and customer data, are just
a few of the precious assets clients give
over to their MSP. This level of trust
should never be taken for granted.
MSPs have an obligation to behave in
an ethical manner. Technical
proficiency is not enough to a
managed service provider. MSPs must
use their technical expertise in a way
that always puts the client first. Having
the appropriate ethical foundation is
important as it will serve as the template
for everything you do as a MSP.
MSPs must be responsible for what their
employees do, just like attorneys and
doctors. In fact, almost every profession
in existence has both a
technical/educational requirement as
well as a requirement that the
professional behave in an ethical
manner while performing their official
longevity of their profession adhering to
a strong ethical foundation is crucial.
Managed Service Provider’s Code of
Ethics & Conduct
Impartiality  Understanding the Law & 
MSPs have the trust of their clients and Regulation 
that trust should never be compromised.
As the intersection between law and IT
One of the characteristics that
becomes more defined MSPs are being
distinguish a MSP from other IT providers
asked to know more about legal issues
is their ability to render impartial advice
that impact their clients. Now, it is
and counsel. The ability to elevate the
important to know when you have gone
client’s interests above those of the MSP
too far and are actually practicing law
is not only a key element of a successful
without a license. This is something you
MSP it is also a key element of many
should not do. However, as a MSP it is
other venerated professions.
imperative that you understand the
While other IT providers tend to be basic legal issues and regulations that
motivated by other interests, a MSP will are likely to affect your clients.
evaluate the situation and then
For example, today there are many laws
proscribe a course of action that is
dealing with data breaches and what a
rooted solely in furthering the client’s
company must do when they have
best interests. It may seem contrary to
suffered a data breach. It is important
what they are accustomed to but MSPs
for MSPs to be able to advise their
should avoid conflicts of interest at all
clients on how to protect their networks
costs. MSPs have a lot of important
from such loss of data. Furthermore, a
relationships with third parties that are
good MSP will also know when to advise
necessary for them to do their jobs.
their clients to seek representation from
However, these relationships should
an attorney when appropriate. Another
never compromise the MSP’s obligation
common issue facing many companies
to the client. Vendors, other MSPs,
today is data storage and archiving. In
consultants, and other parties can tend
many jurisdictions, not just in the United
to insert themselves into the MSP/client
States, there are laws mandating how
relationship. While these relationships
certain data must be stored. Certain
are necessary, a MSP must always
vertical markets, like financial services,
remember their primary obligation to
face additional pressure by having
the client and never let that obligation
specific regulations that require data
be swayed or compromised.
(like email and instant messages) to be
Always render advice that benefits your archived for a certain amount of time so
clients, not your own interests. This is the it can be readily accessed at any given
job of the MSP. moment. MSPs need to be aware of
these regulations.

There are likely many other scenarios

where MSPs will be asked by their clients

4
to render advice on situations that
involve a greater legal issue. In the
future, MSPs and legal professionals will
be required to work in concert to
resolve client issues that are both
technical and legal in nature. MSPs will
be well served to be aware of legal
cases and regulations as they emerge
since these issues will in all likelihood
impact at least some portion of the
client’s IT environment.
There are many good places to learn
about laws that are impacting IT. A
good place to start is to read non-IT
publications as these will be more likely
to report on a legal story. Another good
paper that describes many legal issues
that impact MSPs is “A Legal Guide to
Managed Services” by Robert J. Scott of
Scott & Scott LLP. Because there are
many areas where IT and the law are
just now beginning to intersect it may be
difficult for MSPs to get much
information from the mainstream or
even IT press. As a result, it is up to MSPs
to discuss these scenarios amongst
themselves in order to better
understand what their industry response
should be. Even though this is an
emerging area of legal philosophy,
MSPs are right in the middle of this
evolution and must be aware that they
will be impacted one way or the other.
Therefore, it is better that MSPs begin to
look outside their own industry and
realize that they are part of a larger
universe.
IT and the law now share a common
present and future. Today there are laws
5
being written that will have an impact
on how company’s run their IT. It is no
longer acceptable for MSPs to be
ignorant of how laws and regulations
affect their clients. In order to be an
effective MSP, you must have a minimal
knowledge of legal issues and how they
will impact your clients.
Confidentiality 
MSPs have access to a lot of sensitive
information. Some of this information is
freely given by the client. Clients often
will trust their MSP to help with important
projects and long term goals. It is
therefore necessary to divulge certain
information to MSPs in order for them to
do their job. Naturally, clients trust their
MSPs with this important information
because they expect them to keep it
confidential. Many service level
agreements fail to mention
confidentiality between the MSP and
the client. While the contents of any SLA
should ultimately be up to the client and
the MSP to discuss, MSPs should operate
under a general assumption that any
information entrusted to them during
the course of their representation of a
client will be kept confidential.
Just as there are confidentiality rules for
physicians and attorneys, so are there
rules for MSPs. The trust that exists
between MSP and client forms the basis
of the relationship. Without this trust
there could be no way for the MSP to
do their job. MSPs need their clients to
trust them with information in order to
recommend solutions and provide
advice. Of course, there are exceptions
to any rule.
Under certain circumstances MSPs can
be compelled to divulge information
that has been entrusted to them by a
client. For example, if asked to testify in
a court of law (or if otherwise compelled
by a legitimate governmental authority)
a MSP would be expected to respond in
a truthful manner. In the absence of any
legitimate authority, MSPs should
consider their duty of confidentiality to
their client to be supreme.
Disclosure  with another company that would
When we go to a doctor or a lawyer
(and some other professionals) there is a
process whereby the professional will
interview the prospective client/patient.
This interview process is performed for a
few reasons. One reason is many
professionals like to understand the
nature of the case prior to taking
something on for which they are
unprepared or unqualified. Another
reason for conducting a pre-interview is
to identify any conflicts of interest that
might prevent the professional from
taking on the new client.
Disclosure is a key component of a
professional’s obligation to a client.
Disclosure might come in the form of the
MSP telling a client that they cannot
represent them due to a pre-existing
relationship with another company. The
MSP might tell the client that they are
not qualified, for whatever reason, to
take the job. MSPs are always faced
6
with tests of their abilities and resources.
It is natural for clients or partners to
make requests of MSPs that push the
boundaries of their capabilities. As such,
it is up to the MSP to know when their
capabilities are being pushed too far.
When this happens, the MSP must
disclose to the client anything that
would otherwise mislead the client.
For example, if a client asks a MSP to
work on a particular technology and
the MSP has absolutely no experience in
that area they should disclose this fact
to the client. In other cases, the MSP
may have a pre-existing relationship
preclude the MSP from doing business
with the client. A more likely a scenario
is when a MSP, in the normal course of
the sales cycle, omits certain facts that
would otherwise cause the client to
change their opinion about the MSP. By
omitting important facts MSPs can
improperly influence the client. By
always maintaining an open and honest
level of communication with the client
MSPs will help earn and preserve the
trust placed in them.
Managed Services Expertise 
When you go to a professional (whether
it is a doctor, lawyer, accountant,
engineer, etc.) you expect certain
things. For instance, you expect that
professional to be “technically”
proficient in what they do. If it is a
doctor, you expect that doctor to
understand the basics of practicing
medicine. You do not go to a
physician’s office and ask the doctor to
prove their knowledge of medicine. It is
assumed that the medical degree
hanging on the wall (along with the fact
that it is illegal to practice medicine
without a license) proves that this
person has had medical training and is
qualified to practice medicine. This is
equally true with many other
professions.
Furthermore, it is expected that a
professional (let’s keep using the
example of the doctor) will be able to
identify situations where they are not
qualified and make the appropriate
recommendations. It is often the case
where a doctor will identify a patient
that has a medical condition that
requires expertise beyond what the
doctor can offer. In these situations, it is
quite common to make a referral to
another physician. It is essential that
professionals demonstrate a minimal
amount of expertise to practice their
trade and yet know when they are
being asked to render advice that is
beyond their current level of
understanding. This is no different with
MSPs.
It is assumed that a MSP has a basic
level of technical knowledge. Think of
how silly it would be to have to contact
a MSP and make them prove that they
are technically competent to manage
your IT. Certain things must be assumed
if only for ease. However, if you contact
a MSP and you ask them to do
something that is beyond their level of
expertise, you would also be correct in
7
expecting them to tell you that they
cannot perform the task required. In
such a situation you could expect the
MSP to make a referral to another MSP,
or at least hear them explain that they
do not have experience in doing such a
thing but that they can either partner
with someone else to do it or they can
learn how. It goes without saying that to
misrepresent your abilities as a MSP
would constitute a fundamental breach
of the Managed Service Provider’s
Code of Ethics.
As a MSP it is up to you to maintain the
standards set and adhered to by other
MSPs. Understanding when it is
acceptable to take on a client and
when you should make a referral or
simply say no is an important part of
your role as a managed services
professional.
Process, Process, Process 
MSPs utilize many different tools and
resources in order to deliver their
services to a client. There are many
different types of tools available to MSPs
today; technology, business, financial,
sales/marketing, even legal tools are
necessary components in the MSP tool
bag. There is one critical component
that is used by all effective MSPs and it is
the one resource that cannot be
purchased: I am talking about a
managed service delivery process.
No matter how many fancy gadgets
and technologies you possess, without
the right service delivery process in
place you will find it very difficult to be a
profitable or good MSP. Some
companies believe that if you buy a
remote monitoring or management
product you will automatically be a
MSP. This is like saying if you buy a
scalpel you are a surgeon. Of course,
this is not the case. Without the right
knowledge no tool in the world will help
raise you to the level of a professional
MSP.
There are many different IT service
delivery processes available today. ITIL,
ISO, Six Sigma, and CoBIT, are just a few.
You can even create your own service
process. What is important is you
document your processes and subject it
to periodic review and change. As a
MSP, your process is what makes you
unique. While every surgeon uses the
same (or similar) tools, it is their
experience and knowledge that makes
them unique from their colleagues.
Having a process for delivering your
managed services will also help you in
other areas of your managed services
practice. A process will help you
become more efficient, it will identify
areas of your practice that need to be
made more secure, it will even help you
make more money (think of all the
wasted time your technicians spend
because they do not have any
guidance when it comes to how your
managed services are delivered). For
the minimal amount of time it takes to
develop your own process, you will reap
numerous benefits for your managed
services practice.
8
For more information about the IT
processes mentioned please visit the
following sites:
http://www.iso.org/
http://www.motorola.com/motorolauni
versity.jsp
http://www.itil-officialsite.com/
http://www.isaca.org/cobit/
Bring the Right Tools 
Once you have developed your service
delivery process the task of choosing
which tools you will need becomes
much easier. Far too many MSPs go out
and buy a set of managed services
tools without ever knowing what type of
practice they will have. Different MSPs
need different tools. You must know
what type of services you will be offering
before you can buy the tools.
When a young MSP goes out to
purchase an IT product, if they
understand that technology will be used
they will be able to better evaluate and
acquire technologies that are relevant
to their managed services practice. For
example, if a MSP has predominately
smaller clients, then going out and
buying the most expensive IT
management tools might not be the
smartest approach. On the other hand,
if you have very large clients (or clients
that demand sophisticated managed
services) then buying the cheapest tool
with minimal service delivery features
may not be wise. Similarly, if you are
providing a lot of security services to
your clients, then having a tool set that is
feature rich on security would be a
necessity in any product suite you
purchase.
Having the right tools is one of the key
benefits of using a MSP. If clients could
have easy access to IT management
tools and knew how to use them, the
value of a MSP would be greatly
diminished. Fortunately for the MSPs,
there are a lot of different tools out
there and using any one of them can
be quite tricky. IT managers typically do
not want to have to deal with keeping
up this type of technology; instead, they
want to maintain a focus on their
company’s IT. Leveraging an
experienced MSP with the right tools
can help many companies (including
their IT staff) maintain an effective hold
on their IT management.
Security  
It is expected of professionals that they
will practice what they preach. If a
doctor tells you that it is unsanitary to
not wash your hands, you would expect
that same doctor to also wash their
hands prior to seeing patients. MSPs
frequently tell their clients to treat data
in a secure fashion lest it fall into the
wrong hands. It is only natural to expect
your MSP to abide by certain security
practices to prevent client data from
becoming compromised.
MSPs, as we have already discussed,
have a lot of responsibility for the IT
9
assets of their clients. It is expected that
MSPs will take certain precautions to
safeguard client data and
infrastructure. For example, just as other
professionals are responsible for the
actions of those employees who work in
their office, so are MSPs responsible for
technicians who touch or interact with
clients. Having a detailed and
documented internal security policy is
very important for MSPs. Not only will it
help the MSP maintain the appropriate
level of internal security, it will also go a
long way in showing the client that the
MSP takes security seriously.
Some of the following items may help
you begin to think about what security
protocols you should have in your
managed services practice:
- Documented security practices
- Human Resource safeguards (i.e.,
background checks, appropriate
corporate computer use, etc.)
- Strong authentication
- Unique User IDs
- Encryption of data, particularly
data that is stored
There are many other security measures
you can implement; including
technologies you can employ to help
you safeguard your practice. Whichever
path you take, make sure you at least
consider all the ways you need to
protect yourself, both from internal and
external threats. If you protect yourself it
is a lot easier to protect your clients.
Continuing Education  for social networking, it is about keeping
MSPs are responsible for a lot of things.
To simply say a MSP manages the IT for
their clients is an understatement. MSPs
have to be vigilant on many fronts in
order to do their jobs. As such,
education becomes a major role in
keeping MSPs aware of what is
happening in the world and how it
impacts their clients.
Other professions encourage their
members to continue their education of
the trade, even after their formal
education is complete. Both doctors
and lawyers have continuing education
even after they have graduated from
their respective schools and received
their degrees. In fact, both of these
professions make continuing education
a requirement. Doctors and attorneys,
among other professions, make their
members constantly aware of all the
advancements and changes in their
profession. Whether it is technology,
changes in case law, or simply being
aware of trends that will impact the
profession, all mature professions have a
requirement to remain educated.
MSPs deal with technology on a daily
basis. Perhaps no other profession is as
quick paced as IT management. Threats
can emerge on a daily basis and if the
MSP is unaware of these changes it can
negatively impact their clients.
Moreover, MSPs need contact with
other MSPs in order to maintain a sense
of community, if only to hear about how
other colleagues are dealing with similar
issues. This educational process is not just
10
in touch with a professional community
so you do not fall behind.
Another important reason for
participating in the ongoing education
of your profession are so younger
members will quickly adopt the same
standards and practices. Imagine if
every new doctor decided to do things
their own way and completely
disregarded proven medical standards.
A lot of patients would be needlessly
harmed. In addition, the medical
profession would quickly fall into
disrepute if there were no standards to
be enforced.
As MSPs, it is incumbent upon you to
safeguard your profession by educating
and guiding younger MSPs. To let these
new entrants fall outside the normal
practice guidelines would not only harm
clients, it would also jeopardize the
legitimacy MSPs currently enjoy in the
market.
Protect Your Profession 
Every profession experiences attacks on
the credibility and legitimacy of their
trade. Whether it is a doctor that harms
a patient, a lawyer that harms his
client’s interests, or an accountant who
loses his client’s money, there will always
be instances where the managed
services profession will be tested. Many
of the theories discussed in this paper
speak directly to the preservation of
MSPs and the important work they
perform.
MSPs should be a little protectionist
when it comes to their profession. This is
only natural. Setting and enforcing
standards for other MSPs is an effective
method for preserving high quality levels
and maintaining consumer credibility in
the managed services community.
When companies were value added
resellers, this sense of community did not
exist. As such, nobody paid attention to
the consumer and whether or not their
interests were being protected. As MSPs,
companies can no longer remain
isolationist in their behavior. Instead,
MSPs should embrace this new sense of
community and rejoice in their new
found ability to learn, grow, and prosper
in the managed services profession.
It is imperative that MSPs work to self
regulate their industry before it is done
for them by some outside group. The
technological advancements and
overall business progress the IT sector
has shown over the last several decades
is one of the main reasons this industry
has not yet been regulated by
governmental bodies. However, it is a
foregone conclusion that some MSPs will
be accused, whether fairly or unfairly, of
harming the welfare of the general
public. When this happens it will be a
natural reaction by the general public,
and soon thereafter politicians, to
safeguard the mass public by some
form of direct or indirect regulation.
MSPs would be well advised to take this
eventuality seriously and begin to
exercise some semblance of self-
regulation and enforcement of
standards as a means of preventing
11
actual governmental interference in the
future. Every other profession has
regulated itself to prevent official
governmental regulation. Even if some
official government agency attempts to
regulate the managed services
profession the existence of some form of
self regulation will help the MSPs create
a regulatory environment that is more
favorable to them. No other group will
pay attention to standards in managed
services if the MSPs do not do it
themselves.
Managed Services Accreditation 
Program 
There are many certifications that
should be examined by MSPs. The
natural starting place is to become
certified on the technologies you
currently use. If you are Microsoft
partner and also sell a lot of SonicWALL
you may want to consider obtaining
any certifications provided by those
vendors. As was discussed elsewhere in
this paper, it is assumed that MSPs have
technical competency in the areas in
which they practice. It would be wise to
seek certification in as many of the
products and technologies you support
as a MSP. This will keep you up to date
on any changes to the technology and
it will provide your clients with additional
security and comfort.
In addition to technical product
certifications, if your company has even
a small percentage of revenues from
managed services you should plan on
taking the Managed Services
Accreditation Program™ exam
(MSAP).The MSAP exam is the only
neutral benchmark of a company’s
ability to safely and efficiently deliver
managed services to end-users. What
makes the MSAP exam so unique is that
it was created by MSPs who wanted to
have a vendor neutral standard of
excellence for other MSPs to follow.
Not only is the MSAP exam well
respected by many governmental and
financial institutions (like Lloyd’s of
London and AIG) it has also been
successfully used by many MSPs when
undergoing rigorous scrutiny by a
prospective client. Client’s like to see
standards like the MSAP because it gives
them greater comfort in knowing their
MSP will be held to a high standard of
excellence.
Finally, taking the MSAP exam is a great
way to identify areas where your
managed services practice could be
improved. Similar to how we learn in
grammar school or college, the MSAP
exam will force you to rethink your
business and technical strategies,
thereby helping you to find areas where
you are performing at a less than
optimal level.
For more information on how to take the
Managed Services Accreditation
Program™ exam please contact the
MSPAlliance at info@mspalliance.com
12
Conclusion 
The managed services profession is
growing at a rapid pace and will likely
continue at this speed for the next
several years. This growth will largely be
driven by a combination of increased
regulatory pressure as well as the
mounting complexity of even basic IT
management. Businesses need
Managed Service Providers. This will
likely never change. More importantly,
businesses need to be able to place
their trust in a professional body of MSPs
and know that their IT management
needs will be looked after and not
abused.
If you would like to read more about the
Managed Services profession there are
many books available. In particular,
“The Art of Managed Services” provides
a very good overview of the managed
services marketplace as well as helpful
tips for improving your overall managed
services practice.
MSPs have an incredible amount to be
thankful for these days. The continued
collision of law and technology is
forcing even the smallest of
organizations to take their IT seriously.
Remember, these best practices are
part of a larger framework of guidelines
and standards for MSPs. It is up to you,
as a MSP, to diligently strive for
perfection as you manage and
safeguard the IT assets of your clients. If
you adopt these best practices and put
them to use, you will go a long way in
securing and improving your managed
services delivery. By adopting these best
practices you will not only be building a
successful and more profitable
managed services practice for your
own company but you will also be
taking the necessary steps to protect
this profession for many years to come.

13
About MSPAlliance

The MSPAlliance is a global organization made up of service providers and technology

enablers who work in a collaborative effort to define, promote and educate the
Managed Services Industry and the end-user consumer on the adoption and successful
use of technology through Managed Services. The MSPAlliance works as a vendor-
neutral body to promote the Managed Services Industry and its members, as well
as serve as an accrediting body. The MSPAlliance harnesses the expertise and support
of the MSPAlliance Advisory Board and MSPAlliance Industry Outreach Council. With
thousands of corporate members world-wide and growing rapidly, the MSPAlliance is
an unparalleled powerhouse, and the ONLY unified voice for the Managed Services
Industry!

About Nimsoft

Nimsoft provides next generation performance and availability monitoring solutions for
the complete physical and virtualized IT infrastructure. The Nimsoft solutions redefine the
standards for ease of use and speed of deployment - providing outstanding return on
investment and unparalleled customer satisfaction. Over 600 customers in 30 countries
rely on Nimsoft solutions to monitor their IT based business applications and services.
These customers include mid-market and global organizations, such as Barclays Capital
and Amway Corporation, Bay Area Rapid Transit, Ladbrokes, TRW Automotive, and
hundreds of leading managed service providers such as CDW Berbee, Easynet,
FusionStorm, Rackspace Managed Hosting, and T-Systems. For more information, visit
www.nimsoft.com.

14