Mark Jennings

Why Most Security Plans Fail: How to Build a Cyber-Security Focused Corporate Culture

Organizations struggle to implement and maintain a cyber security posture that is appropriate for today's threat landscape. They implement policies and procedures with the intent of protecting their data. Under the assumption that policy violations are typically the result of ignorance or malicious behavior, they strive to educate their workforce on the importance of adhering to the policy and the ramifications of a violation. However, most of these efforts fail to accomplish the goal of improved security. A recent study in the Harvard Business Review indicates that other factors come into play when users are faced with compliance tasks. In the study, which focused on remote workers during the pandemic, it was found that most policy infractions were the result of intentional yet non-malicious violations, largely driven by employee stress. According to the study, "when asked why they failed to follow security policies, our participants’ top three responses were, 'to better accomplish tasks for my job,' 'to get something I needed,' and 'to help others get their work done.'" This last motivator, the desire to help others, cuts to the core of the Managed Service Provider's role. After all, that's what they are here to do: help others. And hackers know that. The recent breaches at MGM Grand and Caesars were both the result of a socially engineered password reset request to the third-party help desk employed by the casinos. In the desire to "help" the end user, the help desk technician most likely circumvented the identity verification process in some way. Security policies can also create hindrances to productivity and increase stress. According to the study, "Too often, IT departments develop protocols in a vacuum, with limited understanding of how these rules might interfere with people’s workflows or create new sources of stress."

Given the competing demands of productivity and a helpful environment versus cyber security, it is critical that the culture of the organization instills an inherent desire to remain secure. So how does an organization implement a cyber security focused culture?

Corporate culture is established by executive leadership. For the workforce to take cybersecurity seriously, corporate executives need to internalize the need and incorporate it into everything the company does. They don’t need to understand the technical details, but they need to listen to, and support, those who do. Their messaging must reinforce the need for vigilance and compliance at all levels. Larger organizations may implement a Chief Information Security Officer (CISO) position as a member of the executive team or designate a senior security engineer who reports to the executive team regularly. However, as the head of the organization, the CEO or Executive Director must continually reinforce the importance of cybersecurity at every opportunity.

Organizations should form a "Security Council" in charge of overseeing the policies and procedures of the organization with regard to cyber security. The council is comprised of both technical and non-technical employees from all levels of the organization. Members should have a thorough understanding of the workflow of the organization, the data the organization holds, and the need to balance maximal security with the need for productivity. The council should meet regularly. In addition to developing policies and procedures the group should review the performance of the organization by reviewing internal audit results. The council can serve as a platform to review proposals by non-members for additional tools, services, or policies to ensure they are in alignment with the security needs of the organization. 

Security Awareness Training has become commonplace within organizations. They train their employees to identify phishing attempts, practice basic cyber hygiene, and keep a watchful eye. They even test them by sending fake phishing emails and tossing USB drives in the parking lot. However, they often fail to teach them how their role impacts the security of the data for which the organization is custodian. Regardless of whether the organization is in a regulated industry, company data must be protected. In regulated industries it is even more critical that employees understand their role in maintaining compliance. To perform their job, many employees must be granted access to confidential data. However, employees must be trained to take that privilege seriously and not abuse it. It may be tempting to peek at the medical records of the celebrity who was just admitted to the hospital in which you work (TMZ might even pay a pretty penny for that information). Copying confidential data to your laptop so you can work on it at home after hours seems like it would improve your productivity. However, these are violations that can have significant consequences. Employees must be continually reminded of the proper handling of data. Department managers can support this effort by including the topic of data security in their staff meetings regularly. Have the CISO or a member of the Security Council present the latest security intel at a staff meeting occasionally.

Compliance is a process, not an abstract idea. It needs to be integrated into the workflow of the organization. Wherever possible, security measures or compliance requirements should be built into procedures such that a task cannot be completed without verification that the security measure has been accounted for. Depending on the task and process, this can be accomplished using workflow software, automation, peer review, or checklists. Regardless of the method, employees must be held accountable for ensuring the process is followed and completed properly.

However, employees make mistakes. Even the best processes can be circumvented, whether accidentally or maliciously. The organization must foster a culture that is supportive of employees stepping forward to report errors they have personally made. These must be viewed as learning experiences and should carry no punitive consequences. Employees witnessing misconduct by others must feel comfortable bringing it to management's attention. However, according to a 2022 Gartner survey, only 54% of employees feel that reporting workplace misconduct is the right thing to do. Only one-third believed that reporting will lead to a better work environment or improve their team's morale or performance. And only one in five think reporting will be good for their career. Employees reporting bad behavior of others must be protected from retaliatory actions. Employees must see benefit for their team or career when reporting bad behavior. The company must be transparent about the outcomes of reports received. The organization should implement mechanisms by which employees can report potential security infractions without fear of retribution.

In the words of John Wooden, legendary basketball coach: "The eight laws of learning are explanation, demonstration, imitation, repetition, repetition, repetition, repetition, repetition." All these concepts need to be reinforced continually. An internal marketing campaign might include physical posters, emails, newsletters, and even games designed to educate in an entertaining way. By ensuring cybersecurity is emphasized from top to bottom, organizations will be far more likely to succeed in the implementation of their security plan.

OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center in the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here

Mark Jennings

IT takes a Village…

In the past the Managed Service Provider could typically deliver a complete service without engaging with other partners. By deploying a fault-tolerant system, protected behind a good firewall, and managed by a good RMM, the MSP pretty much had their clients covered.

However, those days are over. The landscape has changed dramatically in the past ten years. Even the smallest clients require services that span beyond what most MSPs can deliver alone. Many of the services offered by MSPs today are hosted by major cloud service providers. Even basic cybersecurity services require technical skills beyond what many MSPs have on staff. And most MSPs are not adequately equipped to properly respond to a sophisticated cyber attack.

MSPs now must determine which services they can deliver with their own in-house talent and which they should have an external partner provide.


The first step is to take an honest look at the capabilities of the current staff. Typically, the MSP has a team that is well versed at deploying infrastructure, monitoring performance, managing failures, and remediating network issues. They are also comfortable implementing and managing basic firewall protection, antivirus, web filtering, and perhaps an EDR solution. However, advanced security services such as managed SOC, SIEM, and forensics typically fall outside the capabilities of the typical MSP. Likewise, auditing and compliance skills are generally not found within the average MSP.

Clients, however, are looking for a one-stop shop. They do not want to manage multiple relationships. It is up to the MSP to develop the partnerships necessary to deliver a seamless solution to the client.

The MSP should identify those organizations that complement their capabilities and can offer a tightly integrated service. These may be a local MSSP or a global SIEM/SOC vendor. They could include a small compliance and audit firm. It doesn't matter as long as the selected partners provide quality service and can work in tandem with the MSP.

The MSP must also develop relationships with others to provide a complete solution. The changing landscape of the managed services business demands that the legal and contractual relationship between the MSP and client keep pace. MSPs can no longer rely on the brother-in-law who runs a legal practice to properly manage their contract stack. Managed Service Providers should be working with a law firm that specializes in the technology industry. The Master Services Agreement will likely change on a regular basis in order to address new requirements and services. New and existing clients need to be able to agree to those changes as they are introduced. The MSP must develop a system and process that ensures all clients are kept abreast of, and agree to, changes as they occur.

The need for cyber insurance has never been greater. The MSP must be working with an insurance carrier that can provide a comprehensive Tech E&O/Cyber insurance policy. Likewise, the MSP should require that all of their clients carry first-party cyber insurance as part of their MSA. This need has given rise to a new breed of insurance carriers that specifically work with MSPs to provide insurance to their clients. This is not to say that the MSP "sells" the insurance to the client; the MSP simply facilitates the transaction. The MSP implements security controls prescribed by the insurance carrier to support the policy.

The MSP should have a relationship with a professional forensics team that can investigate potential breaches on short notice. Be aware, however, that, in the event of a major security breach where an insurance claim is likely, the insurance carrier may have their own forensics and legal team for the MSP to work with. The MSP should work closely with their insurance carrier for guidance on the proper response to potential security breaches.

The old saying "It takes a village…" comes to mind when thinking about the delivery of managed services in today's world. Few organizations can truly offer a complete solution alone. It takes a series of partnerships and business relationships to provide the level of service demanded.

Mark Jennings

Compliance is a Process

For many MSPs, the word "compliance" conjures up images of intrusive bureaucracy and major expense. Although the reality may not be too far from that, compliance has inevitably become a concern for MSPs (whether they realize it or not).

Over the past 15 years or so, the workflow of the MSP has become more and more intertwined with that of the client. As the MSP takes on services such as backing the client's data up to the cloud, on-boarding and off-boarding employees, or completely hosting the client’s data in the cloud, the regulatory compliance of the client is dependent on the MSP's processes and procedures meeting the requirements.

But fundamentally, what does it mean to be compliant? In many cases, the MSP is already providing services that meet the requirements. However, they are probably not well documented and are not audited on a regular basis. To prove that your practices meet regulatory standards, the processes and procedures must be documented and audited. Evidence must be produced and preserved that proves that policies are being followed.

Let's look at what the entire process of implementing compliant practices looks like.


The Six Steps of Implementing a Compliant Process

Regardless of the standard to which you are trying to achieve compliance, the process remains the same. There are six steps to the process:

1. Document policies
2. Implement tools/controls
3. Document procedures
4. Train staff
5. Audit processes
6. Assess and revise processes

We'll go through each step. For this exercise, we will use Access Control as the example process. Every security framework or regulation has a requirement to control access to data.

Document Policies

For each control or requirement, a policy must be developed to clearly identify what the organization does to achieve compliance with the requirements of the framework.

Policies are relatively broad. They are documentation of WHAT the organization must do, not HOW it gets done. Because policies must be signed by senior management, it is important that they not change very often. The underlying processes and procedures may change as the organization changes, but the policy should remain relatively static.

For Access Control, the policy would identify how employees are onboarded, how employees are off-boarded, how permissions are determined, and how access is altered when an employee changes role. It may also include a remote access policy, a Wi-Fi policy, and personal device restrictions. In our example, the policy may discuss the concepts of role-based access and of least privilege when assigning permissions.

Implement Tools/Controls

The organization must implement tools by which they can enforce and manage the policies. In our Access Control example we might implement tools like Active Directory, Multi-factor Authentication, VPN technology, Single Sign-on, SASE, and others.

The tools should be capable of meeting all the objectives defined in the policies. The configuration of the tools would be dictated by the policies as well. As an example, regulations may require certain levels of encryption, or a particular certification to meet the requirements.

Documenting Processes

With the tools in place, you will need to document the procedures to use the tools to meet the requirements of the policy. In our example, we would document how users are added in Active Directory, how MFA is applied to users, and what parameters are applied for VPN Access. This is not a step-by-step, click/next type of instruction set. We assume that our administrators know how to use the tools. However, it is detailed enough that all processes are completed in the same manner regardless of which admin performs the task.

The process, in many cases, should include a checklist to ensure all tasks are completed. Most PSA systems support the creation of checklists within the ticketing system. In this way, incomplete tasks can easily be identified. The ticket cannot be closed until all tasks are complete. By creating a unique ticket type for compliance related tasks, they can be easily tracked and deviations can be identified.

Training

All employees must be trained on the policies and procedures. Global policies such as acceptable use policies, remote work policies, and confidentiality policies, which apply to all employees, must be reviewed and accepted by all employees. In our Access Control example, employees must be trained to refrain from allowing strangers to enter secured doors behind them without swiping a badge. Implementing an electronic review and sign-off system is a great way to ensure employees review the policies annually. Ideally, incorporating corporate policies into Security Awareness training is a way to ensure the training and acceptance occur on a regular basis.

System Administrators need to be trained in the processes they administer. Within Access Control, admins must be trained to follow the documented processes for account creation, permissions assignments, and account termination. It is important that the processes be followed accurately and consistently.

Auditing

We can't simply assume that our policies and processes are being followed by our employees and admins. We must "inspect what we expect". Our overall process must include an audit function that gathers evidence of compliance or indicators of non-compliance. It is through the auditing process that we prove our compliance.

The audit process can include the collection of system logs, alert reviews, and manual inspection of systems and data. In our access control example, we might have a monthly review of all employee hires and terminations in the previous month. A review of the accounts created and removed should match the list. Completed checklists of actions taken by admins should indicate any incomplete tasks.

Using the ticketing system in our PSA for this function can improve the process. Creating a recurring ticket for each audit function at the time it is supposed to happen applies automation to the process. The ticket is assigned to the individual in charge of the function and cannot be closed until the process is complete. A report on open tickets identifies any audits that are not complete.
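The monthly access-control review described above (the HR list of hires and terminations checked against the accounts actually created and disabled, with the PSA ticket reference as evidence that the checklist was followed) is the kind of audit step that is worth scripting so it produces the same findings no matter who runs it. The following is an added example, not code from the article or from any PSA or directory product: the HR records, the directory events, the ticket numbers and the one-day termination lag threshold are all constructed assumptions.

```python
"""Monthly access-control audit: reconcile HR hire/termination records
against directory account events and PSA ticket references.
Added example with constructed data; not the article's own tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class HrEvent:
    user: str
    kind: str          # "hire" or "termination"
    when: date


@dataclass(frozen=True)
class DirEvent:
    user: str
    action: str        # "created" or "disabled"
    when: date
    ticket: Optional[str]   # PSA ticket reference; None means changed outside the process


# Constructed sample data for one review month (not real records)
HR_EVENTS = [
    HrEvent("asmith", "hire", date(2023, 5, 1)),
    HrEvent("bjones", "hire", date(2023, 5, 8)),
    HrEvent("cdoe", "termination", date(2023, 5, 12)),
    HrEvent("dlee", "termination", date(2023, 5, 19)),
]
DIR_EVENTS = [
    DirEvent("asmith", "created", date(2023, 5, 1), "T-1001"),
    DirEvent("bjones", "created", date(2023, 5, 8), None),          # no ticket: checklist bypassed
    DirEvent("cdoe", "disabled", date(2023, 5, 12), "T-1007"),
    # dlee was never disabled: the termination was not actioned
    DirEvent("zzcontractor", "created", date(2023, 5, 22), None),   # no HR record: unexplained account
]

# Assumed SLA: a terminated user's account must be disabled within one day
MAX_TERMINATION_LAG = timedelta(days=1)

EXPECTED_ACTION = {"hire": "created", "termination": "disabled"}


def reconcile(hr_events: List[HrEvent], dir_events: List[DirEvent],
              max_lag: timedelta = MAX_TERMINATION_LAG) -> List[str]:
    """Return one finding string per deviation between the HR list and the directory."""
    findings: List[str] = []
    matched = set()

    for h in hr_events:
        action = EXPECTED_ACTION[h.kind]
        # Candidate directory events: same user, expected action, on or after the HR date
        candidates = [e for e in dir_events
                      if e.user == h.user and e.action == action and e.when >= h.when]
        if not candidates:
            findings.append(f"MISSING: no '{action}' event for {h.user} ({h.kind} on {h.when})")
            continue
        e = min(candidates, key=lambda ev: ev.when)   # earliest matching change
        matched.add(e)
        if e.ticket is None:
            findings.append(f"NO_TICKET: '{action}' for {h.user} has no PSA ticket reference")
        if h.kind == "termination" and e.when - h.when > max_lag:
            lag = (e.when - h.when).days
            findings.append(f"LATE: {h.user} disabled {lag} days after termination")

    # Every directory change must trace back to an HR record
    for e in dir_events:
        if e not in matched:
            findings.append(f"UNEXPLAINED: '{e.action}' for {e.user} on {e.when} has no matching HR record")
    return findings


if __name__ == "__main__":
    for line in reconcile(HR_EVENTS, DIR_EVENTS):
        print(line)
```

In a real run the HR list would come from the HR system's monthly export and the directory events from the directory's audit log; the list of findings is the evidence attached to the recurring audit ticket, and an empty list is the evidence of compliance for that month.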

Process Assessment and Revision

The one constant in business is change. Policies and procedures become outdated or ineffective due to changes within technology or business. New policies need to be developed to address new threats, concerns, or regulations. A great example occurred during the pandemic. Although many companies had remote access policies and procedures prior to the pandemic, they were most likely only applied to a small subset of the workforce that had periodic or intermittent needs for remote access. The pandemic rapidly changed that by forcing most, if not all, employees to work from home. The existing remote work tools, policies, and procedures were inadequate to address the need. This created an unprecedented need for organizations to quickly implement new tools, define new policies, develop new procedures, and train employees in a dramatically accelerated timeframe. This entire process, which would normally take several months, was compressed into just a few weeks.

While that may be a drastic example, it demonstrates the fact that policies and procedures can change based on external forces. Your process should include some form of annual review that examines changes in the organization and identifies areas where the policies and procedures do not align with the changes.

This can be done as a formal annual review of policies and procedures where stakeholders simply go over each policy and discuss whether any changes have occurred that require modification of the policies or the written procedures. This could also include an annual SOC 2 Type 2 audit where a formal report is produced by a third party to express an official opinion on the organization's effectiveness against the policies in place. It can also include a formal certification process such as ISO 27001 or the upcoming CMMC program.

Summary

Achieving and maintaining compliance is an ongoing and never-ending process. It needs to be ingrained within the culture of the organization. From senior management down to front-line workers, compliance must be taken seriously. By following the process, policies and procedures can be developed, trained, maintained, and adjusted to keep the organization in compliance and out of trouble.

Mark Jennings

FTC Safeguards Rule: What It Means for Covered Entities and How MSPs Can Help

The clock is ticking on the implementation of the new FTC Safeguards Rule. The June 9, 2023 deadline has already been pushed back from the original date of December 9, 2022. If organizations have not already begun tackling the new requirements, it is unlikely they could meet them in time at this point. However, organizations with a relationship with an MSP may be close to compliance already and just need to fill in a few gaps.

A Little History

In October 2021 the Federal Trade Commission amended the "Standards for Safeguarding Customer Information", commonly referred to as the "Safeguards Rule". The original rule traces its origins back to the Gramm-Leach-Bliley Act (GLBA) of 1999. We are all familiar with the privacy notices we receive each year from the banks, credit unions, and other financial institutions we deal with. We can thank GLBA for that. Additionally, GLBA required covered entities to protect customer information in relatively vague terms:

"each agency…shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."

Broadly speaking, GLBA also defines covered entities as Federal Banks, Savings Institutions, FDIC Insured State banks, NCUA member Credit Unions, SEC registered Brokers, Investment companies, Investment Advisors, and Insurance Companies.

The New Rule

The new FTC Safeguards Rule greatly expands the covered entities of GLBA and provides much more detail regarding the specific safeguards covered entities must implement.

The rule defines a financial institution as "any institution the business of which is engaging in an activity that is financial in nature…" and "An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities…"

Within the new rule itself, the following examples are cited specifically as covered entities. Those entities include, but are not limited to:

  • mortgage lenders
  • “pay day” lenders
  • finance companies
  • mortgage brokers
  • account servicers
  • check cashers
  • wire transferors
  • travel agencies operated in connection with financial services
  • collection agencies
  • credit counselors and other financial advisors
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that are not required to register with the Securities and Exchange Commission
  • entities acting as finders
  • a retailer that extends credit by issuing its own credit card directly to consumers

The rule further expands additional examples of covered entities:

  • An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
  • A personal property or real estate appraiser
  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution
  • A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution

It is likely that an MSP will have several clients that fall into one or more of these categories. When the law takes effect on June 9, all of these clients will need to be compliant with the new rule. So what does the new rule actually require of covered entities?

Within the rule, Section 314.4 of the FTC Safeguards Rule requires covered entities to:

  • Designate a Qualified Individual to oversee their information security program (this can be an external contractor or vCISO)
  • Have the designated Qualified Individual report, in writing, at least annually to the board of directors*
  • Develop a written risk assessment*
  • Limit and monitor who can access sensitive customer information
  • Perform continuous monitoring or periodic penetration testing and vulnerability assessments*
  • Encrypt all sensitive information
  • Provide Security Awareness Training to staff and train security personnel adequately
  • Develop a written incident response plan*
  • Periodically assess the security practices of service providers
  • Implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information

*Covered entities with fewer than 5,000 customers are exempted from these requirements.

For many of the new covered entities these will be new requirements. The list may seem daunting to many. However, the rule recognizes that one size does not fit all. The Rule states that, in developing the Information Security Plan:

“You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”

How can MSPs help?

For existing customers of an MSP, many of the requirements are already being met. For instance, the MSP may be providing penetration testing and vulnerability scanning as part of their service offering. Likewise, the MSP may be providing security awareness training for staff and, as the de facto security team, maintaining their own staff's training. However, the key to compliance is providing evidence. This is done through proper process, documentation, and audit practices. In order to keep the client in compliance, the MSP must make sure that proper documentation of policies, processes, and procedures is being kept. More importantly, the client and the MSP must make sure that those procedures are being followed, through a formal auditing process.

As with other regulations, the FTC Safeguards Rule provides a great opportunity to take on a necessary strategic role with the client. If the client has not performed a risk assessment recently or developed an incident response plan, this makes a great project for the MSP to perform. Likewise, if the client does not have an appropriate internal resource to act as the "qualified individual", the MSP can fulfill that role. This presents the opportunity for the MSP to get in front of the owners or the board of directors regularly to review the overall security posture of the organization.

Meanwhile, the MSP must always look in the mirror to make sure its own practices meet the requirements imposed on its clients. Today's MSP is integral to the workflow of its clients. In managing their cloud infrastructure, performing their backups, and monitoring their security, the MSP holds a shared responsibility that makes the client's overall compliance dependent on the MSP's own practices and procedures. The best way for an MSP to ensure its own compliance is to adopt and maintain a structured cybersecurity framework.

 OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center in the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here

Compliance, cybersecurity, Security Framework
Mark Jennings

States Are Offering Carrots As Well As Sticks

For the past several years states have been passing privacy laws that impose stiff penalties on organizations that mishandle the personal information of their residents. However, a growing number of states have passed legislation that can provide legal “safe harbor” to those organizations that implement and maintain security measures based on a recognized cybersecurity framework.


In recent years, Utah, Ohio, and Connecticut have enacted legislation that offers legal protection to organizations that have implemented and maintained strong security practices. The laws name several common cybersecurity frameworks that qualify, including NIST CSF, NIST SP 800-171, the CIS Controls, and ISO 27001 among others. For organizations in a regulated industry (HIPAA, SOX, CMMC, etc.), demonstrated compliance with those regulations also qualifies. Several other states have proposed or pending bills that would offer the same protection. Additionally, some states, such as California, have included safe harbor provisions in their data privacy laws.

 

Under these laws, should an organization find itself in court as the result of a cyber incident, it has an affirmative defense against liability for the data breach if it can prove that it took reasonable steps to maintain security in accordance with a recognized standard.

 

With the threat landscape growing rapidly, the states recognize that organizations must improve their security practices and maintain a strong security posture. They also recognize that no security program is 100% effective. By enacting these laws, states shield organizations that take reasonable steps to protect their data from the worst legal consequences.

 

Of course, safe harbor does not give an organization a "hall pass" in the event of a data breach. If, for instance, the organization was aware of a threat or vulnerability and did nothing to remediate it, safe harbor offers no protection. Organizations must not only implement the security framework, they must maintain it on an ongoing basis. Proper maintenance of a security plan involves documentation, adherence to procedures, continual auditing, and change management. Security must become part of the culture to be maintained.

 

Managed Service Providers can help their clients obtain this protection by, first, ensuring their own practices meet the requirements of an established cybersecurity framework. Then the MSP can work with the client to align the client's internal practices with the standard. Wrapping this into a Compliance-as-a-Service offering can also provide an additional revenue source for the MSP. By working strategically with clients to protect their business both technically and legally, MSPs provide more value and can command higher rates.

 

There are few cases in which the existing laws have been tested in court. Technology-related cases are often difficult for judges and juries to follow, and exactly how an organization proves, in a court of law, that it was in compliance with the standard at the time of the breach is unclear and will likely vary by state and case. Ultimately, good documentation of procedures, log files, change management records, and proof of audits performed around the time of the incident are the critical pieces of evidence needed to show that reasonable measures were taken. All of this is part of the compliance process regardless of the framework.

 

Mark Jennings

Compliance-as-a-Service…Great Idea! But Start With Your Own Practice


This week, Kaseya released its 2023 Global Benchmark Survey Report. The survey, completed by more than 1000 respondents worldwide (predominantly the Americas), highlights the top trends in the MSP industry for the current year and compares them against the previous year.

Unsurprisingly, cybersecurity ranks as the top concern of MSPs, up 15% over the 2022 results. In fact, the top five new services MSPs plan to offer in the coming year all fall into the cybersecurity services category. Topping the list at 39% is Regulatory Compliance Management and Reporting, followed by Managed Detection and Response, Dark Web Monitoring, Identity and Access Management, and Security Awareness Training.

 The interest in offering Regulatory Compliance Management services, often referred to as Compliance-as-a-Service, makes sense with the increase in regulatory requirements.

 However, many MSPs need to start by getting their own house in order. True compliance requires that policies and procedures are documented, processes are audited, and all employees are trained and follow the documented procedures. Although many MSPs have implemented strong security measures and practice good general cyber hygiene, many lack the documentation and consistent auditing to pass an external audit.

In most cases, MSPs are integral to the workflow of their clients. Tasks such as creating user identities and setting permissions place the MSP inside the client's access control process. Likewise, providing a managed backup and recovery service means the MSP handles the storage and transfer of Personally Identifiable Information (PII), which is protected under most regulations. If the MSP fails to document the policies, processes, and procedures for safeguarding this information, it places its clients in jeopardy of falling out of compliance.

MSPs should have a Shared Responsibility Matrix (SRM) with every client in a regulated industry (ideally with all clients). The SRM maps each control required by the regulation to the parties involved, RACI style: for each process required to meet the control, the Responsible, Accountable, Consulted, and Informed parties are documented.

In the MSP relationship, certain activities are the responsibility of the service provider, and the provider is accountable for making sure they take place. One example is the deployment, monitoring, and management of anti-virus software: the MSP makes sure AV is deployed correctly, functioning, and kept up to date, that detected malware is quarantined and eliminated, and the customer is informed of the activity during a typical Quarterly Business Review. Access control, on the other hand, is a shared responsibility between the MSP and the customer. The customer must inform the MSP of all new employees and the permissions they should be granted, and must inform the MSP of any employee terminations so the account is disabled in a timely manner. Ultimately the customer is accountable for making sure that all employees are identified and that each one's level of access is appropriate to their role.
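One way to make the access-control half of that matrix auditable is a periodic reconciliation of the client's HR roster against the directory accounts the MSP administers: every account for a terminated employee that is still enabled, every account with no HR owner, every account holding groups beyond its role's entitlements, and every active employee with no account becomes a finding, and the run itself is recorded as evidence for the audit. The following is an added example, not code from the original post or from any MSP tool; the role-to-group entitlement table, the one-day disable SLA, and the roster and account records are constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation between a client's HR roster and the
directory accounts the MSP administers.

Added illustration only: the role entitlement table, the disable SLA and the
sample roster/account records are constructed, not taken from a real client.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

# Hypothetical role-to-group entitlements supplied by the client (the party
# accountable for deciding what access a role should have).
ROLE_ENTITLEMENTS = {
    "accounting": {"all-staff", "finance-share"},
    "sales": {"all-staff", "crm-users"},
    "it-admin": {"all-staff", "domain-admins", "crm-users", "finance-share"},
}
DISABLE_SLA_DAYS = 1   # assumed SLA: disable within one day of termination


@dataclass
class HrRecord:
    employee_id: str
    role: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class DirectoryAccount:
    username: str
    employee_id: Optional[str]       # None for accounts with no HR owner
    enabled: bool
    groups: set = field(default_factory=set)


def reconcile(roster, accounts, today, sla_days=DISABLE_SLA_DAYS):
    """Compare roster and accounts; return findings grouped by category."""
    by_id = {r.employee_id: r for r in roster}
    findings = {"terminated_still_enabled": [], "orphan": [],
                "excess_access": [], "missing_account": []}
    seen = set()
    for acct in accounts:
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # No HR owner: service account or leftover; someone must claim it.
            findings["orphan"].append(acct.username)
            continue
        seen.add(rec.employee_id)
        if rec.status == "terminated":
            if acct.enabled:
                # The hand-off from customer (notify) to MSP (disable) failed;
                # report how far past the SLA the account is.
                since = rec.termination_date or today
                overdue = (today - since).days - sla_days
                findings["terminated_still_enabled"].append({
                    "username": acct.username, "employee_id": rec.employee_id,
                    "days_past_sla": max(overdue, 0)})
            continue
        if acct.enabled:
            # Unknown roles have no entitlements, so all their groups are excess.
            excess = acct.groups - ROLE_ENTITLEMENTS.get(rec.role, set())
            if excess:
                findings["excess_access"].append({
                    "username": acct.username, "role": rec.role,
                    "excess_groups": sorted(excess)})
    for rec in roster:
        if rec.status == "active" and rec.employee_id not in seen:
            findings["missing_account"].append(rec.employee_id)
    return findings


def evidence_record(findings, reviewer, run_at):
    """Summary retained as audit evidence that the review ran on schedule."""
    return {
        "control": "access-review",
        "run_at": run_at.isoformat(),
        "reviewer": reviewer,
        "counts": {k: len(v) for k, v in findings.items()},
        "clean": not any(findings.values()),
    }


# Constructed sample data (not a real client).
SAMPLE_ROSTER = [
    HrRecord("E100", "accounting", "active"),
    HrRecord("E101", "sales", "terminated", date(2024, 3, 1)),
    HrRecord("E102", "it-admin", "active"),
    HrRecord("E103", "sales", "active"),
    HrRecord("E104", "accounting", "active"),        # joiner, not provisioned
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("alice", "E100", True, {"all-staff", "finance-share"}),
    DirectoryAccount("bob", "E101", True, {"all-staff", "crm-users"}),  # left
    DirectoryAccount("carol", "E102", True,
                     {"all-staff", "domain-admins", "crm-users", "finance-share"}),
    DirectoryAccount("dave", "E103", True,
                     {"all-staff", "crm-users", "domain-admins"}),       # excess
    DirectoryAccount("svc-backup", None, True, {"all-staff"}),         # orphan
]


def run_sample(today=date(2024, 3, 15)):
    """Reconcile the sample data and produce the matching evidence record."""
    findings = reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, today)
    record = evidence_record(findings, "msp-reviewer",
                             datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc))
    return findings, record


if __name__ == "__main__":
    f, r = run_sample()
    for category, items in f.items():
        print(f"{category}: {items}")
    print(r)
```

In practice the roster is the client's HR export and the accounts come from the directory (an AD or Entra ID export, for example). A hit in `terminated_still_enabled` is exactly the failed hand-off between the two parties that the matrix is meant to surface, and the dated evidence record is what an auditor asks for to confirm the review happened on the schedule the policy promises.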

 The shared responsibility matrix must be reviewed by the MSP and the client regularly to ensure both parties are aware of their roles and responsibilities.

For each control for which the MSP is responsible and accountable, the policies and procedures must be documented, along with the method by which the process is audited. Since compliance is an ongoing process, evidence must be gathered and retained to prove that audits take place on the schedule defined in the policies. The failure of either party on any given control can put the customer in jeopardy of a regulatory violation and can land the MSP in litigation with its customer.

With a clearly defined shared responsibility matrix based on a common cybersecurity framework, and supporting evidence that the processes are being followed, both the MSP and the customer will be in a much better position should a breach occur.

In fact, several states have enacted safe harbor laws that protect organizations that have adopted a common cybersecurity framework from the worst consequences of a breach. Utah, Ohio, and Connecticut currently have laws on the books giving organizations that follow NIST, CIS, HIPAA, ISO 27001, etc. an affirmative defense should a case land in court, and other states are sure to follow. Under these laws the organization must provide reasonable evidence that it implemented and maintained the controls defined by the standard.

Mark Jennings

Help Your Clients With Cyber Insurance Questionnaires…But Protect Yourself


As cyber insurance becomes a necessity rather than a luxury, our clients are increasingly asked to answer lengthy questionnaires regarding their cyber security measures. They often approach their MSP for assistance in filling out the questionnaire. After all, they depend on their MSP to manage their network.

Most MSPs are happy to help with this, as they see it as a value-add. First-party cyber insurance carried by the client also benefits the MSP, since it shields the MSP from potential primary claims in the event of a breach. In fact, many MSPs now require their clients to hold first-party cyber insurance under their Master Services Agreement (MSA).

At our recent offsite in Dallas, Texas, OTX Roundtable members discussed the practice and the precautions they should take when assisting clients with cyber insurance questionnaires.

A recent lawsuit, Travelers v. International Control Services (ICS), drives the point home. Travelers did not simply deny a cyber insurance claim; it sued the policyholder to rescind the policy. The insurer cited the fact that ICS had stated on its application that it had implemented multi-factor authentication. After the ransomware incident was investigated, it was found that ICS had implemented MFA on only part of its environment, not on every ingress point. The case ended with the policy rescinded by agreement of the parties, leaving ICS without coverage for the incident.

For MSPs helping their clients complete these questionnaires, the stakes just got higher. Were such an event to happen to their client, the client would likely sue for damages caused by incorrect answers the MSP provided.

Clients are often under the mistaken impression that their own cybersecurity and compliance are the MSP's responsibility. When asking the MSP for help completing the questionnaire, they may assume the MSP is ultimately accountable for the answers provided, at least the technical ones. This could not be further from the truth: it is the client that submits the questionnaire and attests to its accuracy.

At the same time, MSPs must be clear with their clients about the services they provide and what is included. These are typically defined in the MSA and subsequent service orders. This not only makes clear to the client which responsibilities the MSP is taking on, it also defines the limitations of liability associated with those services. Those limitations of liability apply only to the services declared in the MSA or service orders.

An MSP that assists a client with a cyber insurance questionnaire, whether as a courtesy or as a billable engagement, is providing a service to that client. If the service is not declared in the MSA, none of the MSA's protections apply to it. In a case like the Travelers matter, the MSP could be held liable for misinformation provided in the questionnaire.

At the OTX Roundtable offsite, presenter Rob Scott of Scott and Scott LLP offered solid advice to our members. According to Scott, the latest iteration of his firm's master agreement essentially states: "we may fill it out and help you with it from time to time but the information is yours and any adverse reaction by the carrier, either in underwriting or claims, is not our responsibility."

So what's an MSP to do?

  • Make sure your contract stack is clear as to the services you are providing the client.

  • Regardless of whether you assist clients with cyber insurance questionnaires as a courtesy or a billable engagement, declare it as a service in your MSA.

  • Make it clear to the client that they are ultimately responsible for the cyber security on their network. When they sign the cyber insurance questionnaire they are attesting to its accuracy.

  • Work with a law firm that is familiar with managed services to craft your contract language. Keep your contract stack up to date with recent developments in the threat landscape.

Mark Jennings

The Five Most Important Aspects of a Cyber Security Incident Response Policy


The worst time to develop your Cyber Security Incident Response Policy (CSIRP) is after the incident has happened, or "right of the boom". Without a well-crafted and tested strategy, precious time will be wasted and costly mistakes will be made.

As a Managed Service Provider, developing a comprehensive incident response plan means considering many factors. The MSP must first have a CSIRP for any breach that may occur on its own internal network. Then it must work with each client to develop a CSIRP for incidents on the client's network.

The five important aspects of the Cyber Security Incident Response Policy are:

  • Technical preparedness and response

  • Reviewing tech E&O/cyber insurance implications

  • Understanding regulatory reporting requirements

  • Relationships with local and federal law enforcement

  • Controlling messaging

The first step in creating a CSIRP is defining the team that will oversee the process. This would include members of the senior management team, the CISO or security team, IT personnel, and key department managers. This is the team that will develop the processes and procedures defined by the policy.  Ideally, this is the internal security council for the MSP.

When creating the plan for the internal network the MSP must begin by ensuring they have taken the proper steps "left of the boom". These are all of the security measures and practices that are in place prior to any incident occurring. This could, and should, include implementing security controls based on a recognized cybersecurity framework (NIST, CIS, ISO, etc.).

Of course, no security practice is 100%. Therefore, the MSP must consider what happens not if, but when, an incident occurs. They must consider their internal cyber forensics capabilities, Tech E&O/Cyber Insurance coverage, Regulatory reporting requirements they may be under, criminal justice ramifications, and potential damage to reputation.

When an incident occurs, it is important that the MSP act quickly; time is the enemy. The MSP should understand in advance which actions are appropriate for a given situation and train its staff to take them in a rapid but organized fashion. If criminal activity has occurred, it is important to preserve as much evidence as possible without allowing the breach to continue. Where possible, isolate affected systems from the network rather than powering them off, since powering off destroys memory-resident evidence a forensic examiner can use. During the July 2021 Kaseya VSA incident, the decision to shut the entire system down was made very quickly and likely saved the platform from further damage. If necessary, the MSP can engage an external cyber forensics firm to determine the extent of the damage and the likely perpetrators.

The MSP should engage with their Tech E&O Insurance (which should include CyberInsurance) carrier when developing a CSIRP. They should understand what their responsibilities are in reporting the incident and what actions the carrier may require in response to the situation. These procedures should be included in the CSIRP.

If the MSP manages or stores any data that falls under regulatory guidelines and there is evidence that data was compromised, the MSP must understand the reporting requirements of those regulations. Many regulations have time limits within which the breach must be reported, and the scale of the breach must be declared. This information must be included in the CSIRP.

The MSP should also be familiar with the process of engaging law enforcement when a breach rises to the appropriate level of criminality. It should establish relationships with local law enforcement as well as the local or regional FBI field office. The Department of Homeland Security (DHS) has published guidelines for reporting cybersecurity incidents to the federal government. Understanding this process before an incident allows the MSP to engage law enforcement much more quickly.

Finally, the MSP must understand how a security breach can damage its professional reputation. Messaging must be controlled carefully, and all messaging regarding the incident must come from senior management. Engineers, technicians, sales reps, and others must be trained to refer any questions about the incident to senior management or the designated spokesperson. If the breach has detrimental effects on a client's network, it may result in a lawsuit, and anything an MSP employee communicates to the client may be used against the MSP in court. The senior management team may decide to engage a reputable public relations firm to refine its public messaging.

Once the MSP has defined and tested its own CSIRP, it should work with its clients to develop a corresponding CSIRP for each client organization. All of the same principles apply; however, the client is ultimately responsible for managing the policy and the relationships it involves. The MSP will play a defined role within the CSIRP, but the plan must be owned and managed by the client.

In the event a breach occurs on a client's network, the messaging aspects are even more critical for the MSP. In his video "MSP Liability Considerations after Client's 'Cyber Event'", Joe Brunsman explains the concept of "Identify, Contain, and Refrain". He counsels MSPs to focus on the technical work of identifying and containing the breach but to refrain from discussing any legal or forensic issues. Training engineers on what they can and cannot say in the event of a client breach is critical to protecting the practice.

The key to success in handling a data breach is proper preparation. Simply reacting when one occurs can have devastating effects on an MSP.

OTX Roundtable was created to provide a peer-based environment where MSPs can work together to achieve compliance and certification. If you are looking for a peer group focused on risk management and compliance, please reach out

Mark Jennings

How Do MSPs Enforce End User Compliance?


Many employees tend to think of security and compliance as the responsibility of the IT department or the Security Team. Managed Service Providers know that is not the case. However, what are MSPs doing to ensure that end users are doing their part in maintaining compliance?

Compliance is all about data processing and privacy. That entails the Confidentiality, Integrity, and Availability (CIA) of the data. The IT department bears the bulk of the responsibility for maintaining the Integrity and Availability of the information. They put in place all of the systems that prevent access to the data by malevolent actors. They monitor the system for malicious activity to ensure integrity of the data. They build redundant and resilient systems to make sure the system is always available.

But when it comes to the confidentiality of the data, the end user has a large role to play. Employees must access confidential and protected information as a matter of course in their daily duties. Those in the healthcare industry access patient records containing Protected Health Information (PHI) covered by HIPAA. Financial workers must protect customers' nonpublic personal information, a form of Personally Identifiable Information (PII), under GLBA. Defense contractors must protect Controlled Unclassified Information (CUI) governed by the coming CMMC. And now virtually every industry falls under some form of data processing regulation based on a person's residency or citizenship, as evidenced by the California Consumer Privacy Act (CCPA) and the European Union's GDPR, among others.

The confidentiality of protected information can be compromised in many ways, and the consequences can be severe. A doctor at a Los Angeles hospital was caught snooping through more than 300 patient records of celebrities to find out why they had been admitted; he received a four-month prison sentence and lost his license to practice medicine. In another case, a Cisco employee was fooled by a "vishing" scam designed to get around multi-factor authentication, and the attackers exfiltrated files. An employee at Twilio fell for a "smishing" scam by clicking a malicious link in a text message, giving the attackers access to customer data.

In each case an employee, whether intentionally or inadvertently, was directly involved in the transaction that led to the compromise. Having access to confidential information makes employees the targets of social engineering attacks. Every employee has a responsibility to protect the data they can access. But how?

By now, most organizations have implemented some form of employee security awareness training; it is a requirement in most regulated industries. However, the depth and quality of that education vary greatly. Some organizations offer an annual mandatory seminar for the sake of "checking a box", while others take it seriously and run a comprehensive, continuous education and testing program for their employees. As MSPs we need to make sure our clients fall into the latter camp. Many of us resell sophisticated security awareness platforms to our clients. But how many of us follow up to make sure the training is being taken or, better yet, that the phishing test failure rate is low? As a managed service, are we managing the education and testing campaigns? The bottom line: the better educated and tested employees are, the better the data is protected.

As part of that training, employees are taught the proper handling of passwords: don't share them, don't write them down, use strong passwords, and don't reuse the same password across accounts. But today we have dozens of accounts that require passwords, and nobody can remember them all. Employees should be encouraged to use a reputable password manager, and they must enable multi-factor authentication on the password manager account itself. That prevents someone who learns the master password from walking off with the "keys to the kingdom".

Employees also need to resist the urge to "snoop". As a teller at a bank, you may wonder how that neighbor of yours can afford that huge house, two large SUVs, and a boat. It is tempting to look up their account and check out their bank balances. This is a clear violation.

Organizations create and distribute specific policies that the employee must read and agree to. Commonly, employees are presented with an "acceptable use policy" on the first day of employment. It defines what the employee can and cannot do while using corporate resources (network, Internet, laptop, phone, personal devices, etc.). Employees should be reminded of the policy periodically, as it may have changed as new threats are discovered. Many organizations also have an "incident response policy" that tells employees how to respond if they suspect a breach: whom to contact and what actions to take immediately. The time between the discovery of a breach and the response to it is crucial to minimizing the damage done. It is the employee's responsibility to review these policies and understand them. Managers should incorporate periodic policy review and other security topics into their staff meetings, and having the CISO present to staff periodically is good practice.

Many organizations have a "clean desk policy". This is not about keeping crumbs off your keyboard. This is about making sure that confidential information is not left lying about for the world to see. Likewise, the computer screen should be locked when the employee is away from the desk, even if just going to get a cup of coffee in the break room.

"CEO fraud" is another common technique ("spear phishing") aimed at employees. In this scam, an employee with the authority to transfer money is targeted with a bogus email purportedly sent by the CEO late on a Friday afternoon that goes something like this: "Hey, I need you to wire $500,000 to the account below immediately so we don't lose this deal. I am just about to board a plane, so you won't be able to get a hold of me…". The email may even have originated from the CEO's actual email account. In that case a breach has already occurred: the CEO's email account has been compromised. The message is designed to create a sense of urgency and dissuade the employee from trying to contact the CEO directly. The employee should attempt to contact the CEO by phone anyway, using a number they already have rather than one supplied in the email. If the CEO cannot be reached directly, the employee should check with the CEO's second in command. Organizations should also implement a policy that requires two "signatures" prior to wiring any money over a certain amount.

All the examples above can, and should, be covered in the employee's security awareness training. And it is essential that employees take security awareness training seriously. This is the number one responsibility of the end user. And the MSP needs to play a role in ensuring it happens. Instead of simply reselling a Security Awareness Training service, walking away, and letting the client manage it, MSPs should be offering SAT as a service. They must be reviewing the results of employee training and testing during each QBR (you are doing QBRs, right?).

By ensuring end-user compliance, MSPs can keep not only their clients' businesses secure and compliant but their own as well.

MSPs need to keep their own practices secure and compliant. If you are an MSP that wants to build and maintain a security-focused, compliance-based culture, we can help.

Mark Jennings

CMMC and the Role of MSPs

For the past three years Department of Defense contractors and the MSPs that serve them have been facing the inevitable need to meet Cybersecurity Maturity Model Certification (CMMC) requirements. There has been a lot of hand wringing and gnashing of teeth regarding the relatively new model. The goalposts have moved a few times and the messaging has been unclear from the Department of Defense. That is until now.

First a little history on CMMC. Bear with me as there is an alphanumeric bowl of soup coming. We'll start in October 2016 when the DoD issued DFARS 252.204-7012, the "Safeguarding Covered Defense Information and Cyber Incident Reporting" clause. This clause, when included in a DoD contract, required the contractor (and its subcontractors) to develop a System Security Plan (SSP) based on the NIST SP 800-171 set of controls for handling Controlled Unclassified Information (CUI). The program relied on a self-assessment process that contractors conducted using the NIST SP 800-171A Assessment Guide. NIST SP 800-171A breaks the 110 controls of 800-171 into the assessment objectives (determination statements) that must be met to be compliant with the DFARS 252.204-7012 clause.

In 2019, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performed audits against a number of contractors and discovered that none were fully compliant, and most were woefully deficient.

In response, the DoD developed a certification program that became known as the Cybersecurity Maturity Model Certification (CMMC). CMMC Version 1.0 was released in January 2020 after a series of drafts circulated through late 2019. The first version of the program was overly complex and confusing. There were five different levels of certification depending on the practices met, and the level required for handling CUI (Level 3) demanded full compliance with all 110 NIST SP 800-171 controls plus 20 additional practices. There was no allowance for Plans of Action and Milestones (POA&Ms) for controls that had not been fully met. Full compliance would be required by 2025 to be eligible for DoD contracts. Many contractors complained that certifying on such a new program would carry significant burden and expense. However, the controls were based on the requirements of the original DFARS 252.204-7012 clause, which contractors were already obligated to implement by the end of 2017.

In September 2020, the DoD issued an Interim Rule adding three new DFARS clauses: 252.204-7019, 7020, and 7021. In a nutshell, 7019 and 7020 require contractors to score themselves against NIST SP 800-171 using the DoD Assessment Methodology, to upload that score to the Supplier Performance Risk System (SPRS), and to give the DoD access to verify the score on request; 7021 introduced the CMMC requirement itself. Finally, contractors must be able to provide, if asked, proof of compliance with the controls claimed as met in their uploaded SPRS score.

In November 2021, The DoD announced CMMC 2.0. It streamlined the program down to three levels (1, 2, and 3). Although CMMC 2.0 is still under development, the Interim Rule released in September 2020 is in effect now. Therefore, contractors are required to have their scores recorded in SPRS in order to be eligible for DoD contracts containing the DFARS 252.204-7012 clause. The requirements of DFARS 252.204-7019, 7020, and 7021 apply regardless of whether expressly stated in the contract or not.

For the sake of this article, we will focus on CMMC 2.0 Level 2, which is required for any contractor or subcontractor handling CUI. CMMC 2.0 Level 2 is not a specification in and of itself. It is a certification program wrapped around the requirements of NIST SP 800-171, assessed using NIST SP 800-171A. The CMMC 2.0 Level 2 Assessment Guide includes the same controls and determination statements as NIST SP 800-171A; the wording is identical. The CMMC process itself involves having a CMMC Third-Party Assessment Organization (C3PAO) audit the contractor's compliance with the controls and determination statements defined by NIST SP 800-171A.

The timeline for the certification requirement is still undetermined, but in a recent presentation Stacy Bostjanick, Senior Program Director of CMMC at the DoD, and Dave McKeown, Deputy CIO for Cybersecurity at the DoD, gave some indication of the potential timeline for implementation. Depending on how quickly the Office of Management and Budget (OMB) completes its rule-making review, the requirement could go into effect as early as May 2023. On the outside, the timeline may be pushed to May 2024. Regardless, DoD contractors and subcontractors should be working toward compliance NOW. Even though CMMC 2.0 is still not completely defined, the underlying requirements of NIST SP 800-171 are not changing.

Additionally, in June the DoD released a memo indicating that contractors not compliant with the Interim Rule (published September 2020, effective November 2020) risk serious penalties, up to and including termination of existing contracts.

So how does all of this affect Managed Service Providers that serve DoD contractors handling CUI? Many MSPs have wondered whether they will be required to become CMMC certified as well. In the June DoD presentation, Stacy Bostjanick stated that full CMMC certification would not be required of MSPs (see update below). However, she was clear that MSPs would be required to work with their DoD contractor clients on a Shared Responsibility Matrix (SRM). This is a document that describes who is responsible for attaining each control, the role each party plays, and the documentation (evidence) of compliance. MSPs offering cloud services and other functions to DoD contractors will be required to declare in the SRM what their responsibility is and to document the processes and procedures involved. Where the MSP resells services provided by others, it must show evidence of due diligence in ensuring the third-party provider has implemented the necessary controls. Bostjanick also hinted that the DoD may develop a FedRAMP-type program for MSPs to demonstrate compliance. FedRAMP is an existing program under which cloud service providers prove compliance once at the Low, Moderate, or High baseline, and that authorization can then be reused across federal contracts as needed.

Even if MSPs are not required to certify under CMMC, it is in their own best interest to implement the NIST SP 800-171 controls within their environments. Many contractors will require their MSP to prove compliance in order to keep the business, if only to allay any doubts. At the very least it provides a competitive edge over MSPs that cannot demonstrate it. In a nutshell, MSPs are under the same requirements and deadlines as the DoD contractors they serve.

I'll continue to follow this topic as it emerges so check back for the latest info.

Update: December 2023

The sands of CMMC continue to shift. I stated back in the summer of 2022 that it was unlikely MSPs would have to fully certify on CMMC in order to offer their services to contractors in the DIB that had to certify themselves. This was not just speculation but was based on comments from Stacy Bostjanick, Senior Program Director of CMMC at the DoD, during a briefing in June of 2022. In July 2023 the DoD passed the proposed rule on to the Office of Information and Regulatory Affairs (OIRA) for review. The rule was accidentally published to the OIRA website for about 24 hours, which was long enough for people in the industry to get a good look at it. The proposed rule, which will be released for public comment very soon, is expected to clearly define the role of "External Service Providers" (ESPs). Under that definition MSPs would qualify as ESPs and thus be required to fully certify under CMMC Level 2.

This obviously places a hurdle for many MSPs servicing those in the DIB. However, it can create opportunities for others. The barrier to entry will be quite high and therefore there will be far fewer MSPs servicing the industry. As CMMC rolls out, contractors will be seeking partners from a much smaller pool. MSPs that decide to “take the plunge” and make the required investments will command much higher rates than those seen in unregulated industries.

There is also speculation that CMMC will find its way into the contracts of other federal agencies. MSPs looking to do business with the federal government would be advised to get on the bandwagon now or risk being shut out of that market.

Mark Jennings

The Power of Peer Pressure

When we were teenagers we were taught not to succumb to peer pressure. As our friends were pushing us to try cigarettes or drink alcohol, we were told to hold fast and resist the temptation. Peer pressure, back then, was generally a bad thing full of negative consequences.

In adulthood, however, peer pressure can be a force for good that can motivate us and hold us accountable to our goals. Within the MSP industry there are many peer groups where members share goals of growing their business and meeting certain metrics. These are usually financial benchmarks around maximizing profits and improving performance. Members report progress towards those goals at quarterly meetings. Members hold each other accountable to meeting those goals and contributing to the collective success of the group. You don't want to be the member that is not hitting their goals or at least making progress. In fact, in some cases, members that consistently miss their goals risk being expelled from the group. This peer pressure keeps members on task and forces them to prioritize profits and performance ahead of the day-to-day distractions that we all face.

As the MSP industry becomes riskier each year, it is important that we start prioritizing risk management, compliance, and cyber security ahead of other distractions as well. Regulatory requirements such as HIPAA, CMMC, GDPR, and others are forcing MSPs to formalize their approach to security and compliance. For years MSPs have signed Business Associate Agreements (BAAs) with their healthcare clients stating that their practices are compliant with HIPAA requirements. However, if MSPs were audited for compliance with HIPAA, most would fail. For the past several years Managed Service Providers doing business with Defense Industrial Base (DIB) contractors that handle Controlled Unclassified Information (CUI) have been required to comply with the NIST SP 800-171 standard. This was a self-assessment and self-attestation process. However, in a 2019 report, not a single organization was 100% compliant; the average organization had implemented only 39% of the required controls. Thus, the government created the Cybersecurity Maturity Model Certification (CMMC) program. Although it is still a bit of a moving target, all companies in the DIB, including MSPs servicing them, will have to complete a certification process to prove compliance with CMMC. This is likely the first of many requirements to prove compliance coming to the MSP industry.

Attaining compliance with any standard is difficult. It is a long and laborious process of assessing the current state and performing a gap analysis between the current state and full compliance. Policies and procedures need to be developed and documented. Then the organization must prove that due care is being taken. In other words, your policies and procedures are being followed by your employees. This requires a cultural shift within organizations whereby daily compliance with policies and procedures is ingrained within the company.

Compliance cannot be outsourced. Managed Service Providers can hire consultants to craft policies and develop procedures to meet controls within a standard. However, it is unlikely a consultant can affect the culture of a company to make cybersecurity a top priority.

Keeping compliance goals on the front burner can be a challenge. The daily flow of distractions often takes our eye off the ball. Having a peer group of like-minded companies with common goals is of great benefit. Members hold each other accountable for implementing certain controls by certain dates. Members report on their progress quarterly and share challenges and successes. Policies and procedures are shared. Collectively the group amasses a library of practices and a common set of knowledge. No matter the standard, the members progress through the process of attaining compliance together.

OTX Roundtable was created to provide a peer-based environment where MSPs can work together to achieve compliance and certification. If you are looking for a peer group focused on risk management and compliance, please reach out.


Security Governance: The Eleven Most Important Functions of the Security Council

Cyber security is often considered the responsibility of the IT department. Nothing could be further from the truth. Although the IT team has certain responsibilities in deploying and maintaining security systems, the ultimate responsibility for maintaining a strong security culture lies with Senior Management.

Senior Management must first take on the responsibility of Security Governance. This means managing security as a process, not unlike many other functions within the company. As such, the implementation and management of the process falls to others within the organization under the leadership of senior management.

In order to accomplish proper security governance, organizations should form a Security Council consisting of departmental leaders from all aspects of the organization, led by senior management.

The functions of the Security Council include:

  • Clearly identifying roles and responsibilities of council members

  • Implementing and promoting a culture of security awareness and vigilance

  • Adopting an appropriate security framework for the organization

  • Performing a thorough risk assessment for the organization

  • Determining a desired security "profile" for the organization

  • Generating a gap analysis between the desired profile and the current state

  • Developing and implementing a plan to address security gaps

  • Developing and approving policies and procedures defining proper security practices

  • Maintaining security through monthly meetings and regular audits

  • Identifying new threats and adapting processes to address them

  • Establishing a comprehensive Cyber Security Incident Response Policy

Each member of the council should have deep experience with the functions of their department and understand the sensitivity of the informational assets their department owns. For instance, the HR director should understand where employee records are stored and the ramifications if that information were subject to unauthorized access. The Finance director should understand the importance of the financial data they own and the impact of that data being compromised. The participation of department heads in the risk assessment process is crucial to the proper identification of information at risk.

Representatives of the IT department take feedback from the department heads and formulate plans to secure the data in accordance with the adopted security framework. The IT department typically identifies and implements the tools necessary to monitor and manage the security of the organization's assets.

However, it is not the role of IT to drive a culture of security awareness. That must come from the top. All employees must be made aware of the importance of security in the organization. This is accomplished through security awareness training and testing. It is not enough to simply educate users on the dangers of phishing or malware. They must be tested regularly to make sure their radar stays sharp. Senior management, along with the security council, must continuously audit the results of testing and take corrective action with repeat offenders.

With senior leadership driving a strong security awareness culture, flanked by a strong security council, organizations can protect themselves to a great degree.


The SASE Architecture was Built for the Post COVID World

I've said it before only to be proven wrong…but I believe the end of the pandemic phase of COVID-19 is near. We seem to be entering the endemic phase where we learn to live with COVID-19 long term. The same is true for some of the changes that COVID has foisted upon us, specifically that of the hybrid remote worker. Gone are the days of the Monday through Friday office commute for many in the aftertimes. According to a recent Info-Tech Research poll, 79 percent of companies surveyed said they would maintain a mix of in-office and home-office workers long term. For many employees this is a long-overdue and welcome shift.

However, organizations have been struggling to adapt their security systems to this new work model. The security footprint of the organization has grown exponentially to include the residences of many of its employees. The traditional method of granting access to the corporate network was to provide the employee a VPN connection. This provided the "tunnel" by which remote workers could access internal resources such as databases, file shares, and other applications. Security was enforced at the edge of the corporate network. In recent years many organizations implemented a "Next Generation" Firewall at the corporate edge as well. The NG Firewall converged many technologies such as web filtering, anti-malware, Data Loss Prevention (DLP), and SD-WAN into a single device. As the gatekeeper in front of most internal resources and end users, this was an appropriate approach.

However, as more and more internal resources are moving to the cloud and the dramatic increase in remote work, enforcing security at the corporate edge begins to make less sense. Given that most traffic now travels directly to the cloud rather than via the corporate network it would make more sense to implement security at the edge of the cloud instead.

Enter the Secure Access Service Edge (SASE, pronounced "sassy") architecture. SASE is a cloud service that combines several existing technologies to provide an integrated, highly comprehensive approach to both network architecture and security systems. In fact, SASE represents the convergence of several Network-as-a-Service and Security-as-a-Service technologies. For a SASE deployment to make sense, an organization should have more than 50% of its resources based in the cloud.

It is important to understand that SASE is an architecture, not a single product or technology. SASE can include several networking technologies and many security technologies. For instance, SASE networking components can include SD-WAN, VPN, Bandwidth Aggregation, and various edge equipment. Security components commonly found in SASE implementation include Cloud Access Security Brokers, Firewall as a Service (FWaaS), secure web gateways, Zero-Trust Networking, remote browser isolation, single sign-on, Data Loss Prevention, and DNS filtering.

A SASE solution can be purchased as an all-in-one service from a single vendor or it can be assembled from several best-of-breed components. The simplest approach is to source the package through a single vendor. Many major networking and security companies now offer a SASE solution, including Cisco, Fortinet, VMware, Palo Alto Networks, and more.

In a SASE-based model, end users gain access to corporate resources by first connecting to a SASE cloud service through one of its Points of Presence (PoPs), where they authenticate and are granted access to resources. The assignment and redirection of cloud resources is handled by a Cloud Access Security Broker (CASB) in connection with a Single Sign-On (SSO) service. The user authenticates through SSO, and the CASB provides access only to those cloud resources the user is authorized for: for example, Office 365 and Salesforce, but not QuickBooks Online. Once the connection is established, additional security measures can be enforced, such as endpoint interrogation (device posture checks), web filtering, DLP, and remote browser isolation. It is up to the organization to determine which services to enable. This is usually a balance of risk tolerance versus the potential negative impact on the organization.
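To make the access flow above concrete, here is an added example (not code from the original post or from any SASE vendor) of the decision logic a CASB sits on: the user must arrive MFA-verified from SSO, must be in a group entitled to the application, and the endpoint must pass the posture checks the organization has configured for that application. The group names, application list, posture attributes, and the rule that an unmanaged device gets remote browser isolation rather than a direct connection are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                     # direct, agent-mediated connection
    ALLOW_ISOLATED = "allow-isolated"   # served through remote browser isolation
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    """What the SSO service asserts about the user after login (assumed attributes)."""
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class DevicePosture:
    """Result of endpoint interrogation by the SASE agent (assumed attributes)."""
    managed: bool          # enrolled in corporate MDM and running the agent
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool


# Constructed entitlements: which groups may reach which SaaS application.
APP_ENTITLEMENTS = {
    "office365": frozenset({"all-staff"}),
    "salesforce": frozenset({"sales", "sales-ops"}),
    "quickbooks-online": frozenset({"finance"}),
}

# Constructed per-application posture policy. Every "hard" check must pass on
# any device. An unmanaged device that passes them is routed through browser
# isolation only where "isolation_ok" is true; otherwise it is denied.
APP_POSTURE_POLICY = {
    "office365": {"hard": ("os_patched",), "isolation_ok": True},
    "salesforce": {"hard": ("os_patched", "edr_running"), "isolation_ok": True},
    "quickbooks-online": {"hard": ("os_patched", "edr_running", "disk_encrypted"),
                          "isolation_ok": False},
}


def evaluate_access(identity, posture, app):
    """Return (Decision, reasons) for one user/device/application triple.

    Checks run in the order the SASE flow performs them: SSO/MFA first,
    then CASB entitlement, then endpoint posture, then device trust level.
    """
    if not identity.mfa_verified:
        return Decision.DENY, ["identity not MFA-verified at SSO"]
    entitled = APP_ENTITLEMENTS.get(app)
    if entitled is None:
        return Decision.DENY, [f"unknown application {app!r}"]
    if not (identity.groups & entitled):
        return Decision.DENY, [f"{identity.user} is not in an entitled group for {app}"]
    policy = APP_POSTURE_POLICY[app]
    failed = [check for check in policy["hard"] if not getattr(posture, check)]
    if failed:
        return Decision.DENY, [f"posture check failed: {check}" for check in failed]
    if not posture.managed:
        if policy["isolation_ok"]:
            return Decision.ALLOW_ISOLATED, ["unmanaged device: routed through remote browser isolation"]
        return Decision.DENY, ["unmanaged device not permitted for this application"]
    return Decision.ALLOW, ["managed device, posture and entitlement satisfied"]


def authorized_apps(identity, posture):
    """The portal view: every known application with its access decision."""
    return {app: evaluate_access(identity, posture, app)[0] for app in APP_ENTITLEMENTS}


if __name__ == "__main__":
    # Constructed sample: a sales employee on a managed, healthy laptop
    alice = Identity("alice", frozenset({"all-staff", "sales"}), mfa_verified=True)
    laptop = DevicePosture(managed=True, disk_encrypted=True, edr_running=True, os_patched=True)
    for app, decision in authorized_apps(alice, laptop).items():
        print(f"{app:18} {decision.value}")
```

The ordering matters: entitlement is checked before posture so that a denied user learns nothing about which posture checks an application enforces, and the posture checks are evaluated per application rather than once per session, which is what lets the same session reach Office 365 from a home PC through browser isolation while QuickBooks Online stays closed to it.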

The technology can be deployed via an agent loaded on the endpoint or in an agentless manner. Most likely, larger organizations will choose a combination of the two, as some use cases (unmanaged or personal devices, for instance) won't support the agent-based approach. The CASB can also be configured through the cloud providers' APIs to broker access to services; however, this is an advanced approach and should only be done if a particular circumstance demands it.

Perhaps the biggest challenge to implementing the SASE model comes from one of its strengths. Because SASE incorporates both networking and security technologies in a converged architecture, the skills required to implement it properly often exist in separate teams. In larger organizations those teams tend to operate separately and with different mindsets. The SASE model forces them to work together to ensure an optimal implementation.

Finally, by deploying a SASE architecture, organizations:

  • Extend the secure perimeter of the corporate "network" to the remote endpoint.

  • Combine several "point solutions" into a single pane of glass

  • Improve the control over remote worker experience

  • Provide more granular control over access to cloud-based resources. Zero-Trust access can be applied

  • Allow for inline inspection of network traffic to and from the remote endpoint. Prevents data loss

  • Improve regulatory compliance where necessary

As we continue to put the pandemic behind us, we will need to embrace some of the paradigm shifts it has forced on the work environment. SASE will become a crucial part of the evolution of the distributed network.

Mark Jennings
Tags: Risk Management, Security Framework, CIS, MSP

Why CIS is the Best Security Framework for MSPs

A couple of months ago I wrote about the importance of adopting a security framework to give structure and process to securing your practice. I went over several common frameworks and debated the pros and cons of each. In this article I am going to delve into the reasons why the Center for Internet Security (CIS) Framework is the best for MSPs.

When we compared the NIST and ISO frameworks to CIS, we found that NIST and ISO were somewhat loose and vague regarding what controls need to be implemented in order to be compliant. Both standards leave a lot of leeway for alternative approaches to meeting the intent of a control. While this flexibility may be desirable in some situations, it can be confusing and lead to lapses in security. On the other hand, CIS is very defined and prescriptive in terms of what actions are needed to meet each control. CIS also offers three clearly defined levels of compliance, Implementation Groups 1, 2, and 3, based on the needs and risk profile of the organization.

Implementation Group 1 covers basic cyber hygiene. All organizations should strive to achieve IG1 at the very least, and that may be enough for small businesses with no real exposure to sensitive data. Implementation Group 2 is most likely the appropriate level for most organizations and most MSPs. It provides an appropriate level of protection with a reasonable amount of financial investment. Those organizations that are custodians of very sensitive information or manage critical systems would likely want to achieve Implementation Group 3.

Perhaps the most difficult part of implementing a security framework is knowing where to start. To guide organizations through the process, CIS has created the CIS Controls Self-Assessment Tool (CSAT). By using the CSAT, MSPs can quickly determine their current state in relation to the CIS Controls. They can then determine the gap between where they are today and the Implementation Group they want to attain, and use the tool to track their progress against that goal.

One of the fundamental tasks of any MSP is the deployment of new technology into their clients' networks. This includes servers (cloud-based or on-premises), workstations, switches, firewalls, Wi-Fi, etc. Each of these devices introduces potential vulnerabilities if not configured properly. This is where CIS really sets itself apart from the rest of the security framework community. Through close collaboration with many hardware and software manufacturers, CIS has developed a series of Benchmarks that provide a clear guide to the secure configuration of hundreds of products. This includes Windows operating systems, Microsoft Azure services, macOS, Palo Alto firewalls, Cisco switches, etc. For instance, if the MSP is deploying Windows Server 2019, they can reference the Benchmark for Windows Server 2019 and configure the settings to its Level 1 or Level 2 profile. Note that Benchmark profiles (Level 1 and Level 2) are distinct from the Controls' Implementation Groups (IG1, 2, and 3); each Benchmark recommendation is mapped to the CIS Controls it supports, which is how a hardened build contributes to the organization's IG target.

The Benchmark guides are extremely thorough and detailed. Many are more than 1000 pages in length. Although it would be possible to follow the guide and configure a system manually, it would be incredibly time-consuming and laborious. For this reason, CIS has created Build Kits for most of the Benchmarks. Build Kits automate the application of the configuration through scripts and group policy objects. This allows the MSP to apply the proper security to the device quickly, efficiently, and consistently.

Additionally, CIS has created the CIS-CAT Pro Assessor tool. CIS-CAT Pro automates the comparison of a system's configuration against the corresponding Benchmark. It can also identify missing patches. The resulting report lists all of the changes required to bring the system back into compliance.
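To make the assessment step concrete, here is an added example (not CIS-CAT and not CIS's own code) of what a benchmark comparison does under the hood: parse a host's effective configuration, evaluate each recommendation that applies at the chosen Implementation Group, and produce the list of changes needed to return to compliance. The recommendation table, its section-style identifiers, the IG assignments and the `sshd -T` dump are all constructed samples for illustration, not entries from an official CIS Benchmark.

```python
"""Benchmark-style configuration assessment (added example, not CIS-CAT).

Compares a host's effective sshd configuration against a small, constructed
recommendation table scoped by Implementation Group, and reports pass/fail
plus the remediation value for each recommendation.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Recommendation:
    rec_id: str    # constructed id, styled like a benchmark section number
    key: str       # sshd keyword as printed by `sshd -T` (lowercase)
    expected: str  # required value, or an upper bound for "max" checks
    check: str     # "eq" (exact match) or "max" (numeric, actual <= expected)
    ig: int        # lowest Implementation Group at which the recommendation applies


# Constructed recommendation set; values are illustrative only.
BENCHMARK: List[Recommendation] = [
    Recommendation("X.1.1", "loglevel", "info", "eq", 1),
    Recommendation("X.1.2", "permitrootlogin", "no", "eq", 1),
    Recommendation("X.1.3", "maxauthtries", "4", "max", 1),
    Recommendation("X.1.4", "x11forwarding", "no", "eq", 2),
    Recommendation("X.1.5", "clientaliveinterval", "300", "max", 2),
]

# Constructed sample of `sshd -T` output from a host with two drifted settings.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
maxauthtries 4
x11forwarding no
loglevel INFO
clientaliveinterval 900
"""


@dataclass(frozen=True)
class Finding:
    rec_id: str
    key: str
    status: str    # "pass", "fail" or "missing"
    expected: str
    actual: str


def parse_sshd_t(text: str) -> Dict[str, str]:
    """Turn 'keyword value' lines into a dict with lowercase keys and values."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config[key.lower()] = value.strip().lower()
    return config


def _satisfied(rec: Recommendation, actual: str) -> bool:
    """Apply the recommendation's comparison to the observed value."""
    if rec.check == "eq":
        return actual == rec.expected.lower()
    if rec.check == "max":
        try:
            return int(actual) <= int(rec.expected)
        except ValueError:
            return False  # non-numeric where a number is required: treat as failing
    raise ValueError(f"unknown check type {rec.check!r}")


def assess(config: Dict[str, str], benchmark: List[Recommendation], ig: int) -> List[Finding]:
    """Evaluate every recommendation whose IG is at or below the target IG."""
    findings: List[Finding] = []
    for rec in benchmark:
        if rec.ig > ig:
            continue
        actual = config.get(rec.key)
        if actual is None:
            status = "missing"
            actual = ""
        elif _satisfied(rec, actual):
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(rec.rec_id, rec.key, status, rec.expected, actual))
    return findings


def remediation_report(findings: List[Finding]) -> List[str]:
    """Only the changes needed to bring the host back into compliance."""
    return [
        f"{f.rec_id}: set {f.key} to {f.expected} (currently {f.actual or 'unset'})"
        for f in findings
        if f.status != "pass"
    ]


if __name__ == "__main__":
    host = parse_sshd_t(SAMPLE_SSHD_T)
    for line in remediation_report(assess(host, BENCHMARK, ig=2)):
        print(line)
```

Running the script at IG1 reports the `permitrootlogin` drift only; raising the target to IG2 brings the keepalive recommendation into scope and a second drift appears, which is the same effect as choosing a higher Implementation Group in a real assessment.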

Access to the CIS Framework documentation and the CSAT tool is free of charge. However, the more advanced tools in the CIS Framework require membership in the CIS SecureSuite Program. The annual fee for membership in SecureSuite varies by company size. Academic, non-profit, and governmental agencies may be eligible for free subscriptions. MSPs looking to use the framework for commercial purposes and consulting services would pay an annual fee based on their annual revenue.

Given the highly prescriptive nature and clear definition of the standards, the CIS Security Framework is the ideal framework for MSPs. Compliance is achieved through specific controls, and those controls are enforced on deployed products in an automated and auditable fashion.

Additionally, CIS overlaps heavily with all of the other common frameworks and standards. Therefore, MSPs that have achieved CIS Implementation Group 2 ensure their security standards are up to par with many of the regulatory requirements to which their clients are subject, such as HIPAA, SOX, GLBA, etc. Those MSPs that also pursue NIST or ISO certification are close to that goal as well due to the overlap and cross references between standards.

By implementing the CIS Security Framework, MSPs will increase their value, reduce their risk, and outshine the competition. What MSP wouldn't want that?

Mark Jennings

Microsoft New Commerce Experience is Here: The Five Things MSPs Need to Do Now


By now, most Managed Service Providers are aware that Microsoft has rolled out a new licensing model for the most common Office 365 and MS 365 products. Their New Commerce Experience (NCE) model introduces term-based licensing with firm commitments. New licenses can be purchased as 12-month or 36-month (not yet available) term agreements, with early termination fees applying should the client cancel the agreement prior to the end of the term. The termination fees are equal to all fees that would have been paid if the agreement had not been canceled. Microsoft is also offering a month-to-month NCE option. However, that subscription comes at a 20% premium. This is a significant departure from the legacy licensing program, which allowed termination without penalty.

In addition, Microsoft is increasing prices on several Office/MS 365 products by as much as 25% on March 1st.

Increases include:

 *These prices apply to NCE 12-month and 36-month agreements. Month-to-month agreements are 20% more.

**No Change to Microsoft 365 E5 or Microsoft Business Standard.

The pricing for the upcoming 36-month agreement will be the same as the 12-month agreement. So why would a customer make a three-year commitment for the same price as a one-year one? Because the 36-month commitment comes with a price-locking mechanism. This is a pretty good indicator that Microsoft is planning on some price increases in the next three years.

CSPs that have been selling Office 365 licensing as month-to-month will have to convert those customers to NCE 12- or 36-month term licensing, or face as much as a 50% increase in cost if they choose the NCE month-to-month option.

Microsoft has gotten a fair amount of pushback from the MSP community in the public forums on the new programs. However, it is not surprising that Microsoft is making these moves. After all, as MSPs we all understand the importance of monthly recurring revenue. And the contractual commitment by the customer to pay the bill every month has a direct correlation to the value of our practice. Microsoft is simply applying that principle to their business and increasing shareholder value. As far as price increases go, Microsoft has not increased their prices for their cloud offerings in years. Again, an understandable move.

Accepting that Microsoft is justified in making these moves, they will still have an impact on any MSP that is a Microsoft Cloud Solution Provider (CSP). These changes will affect every part of the MSP relationship with the client. Beyond the increased cost of the licenses, this impacts how the MSP provisions the licenses, how the customer budgets for licenses, how the MSP monitors and manages the licenses, and what happens if the client terminates their MSP agreement with the provider.

As the CSP, the MSP is on the hook to Microsoft for the cost of the licenses for the length of the term. Regardless of whether the client continues to pay the CSP, the CSP must continue to pay Microsoft. In the extreme case of the client going out of business (simply declaring bankruptcy), the CSP can be left holding the bag.

In the NCE program there is no facility to transfer licenses from one CSP to another CSP mid-term. If the client chooses to move to another MSP/CSP at the end of their Managed Services Agreement, the client would need to continue to pay the original MSP through the end of the term, at which point the new CSP can take over the licenses. However, this can only be done within a three-day window at the end of the term. CSPs need to monitor and manage renewal dates closely to avoid unintended auto-renewals.

The NCE licenses are applied to the client's Microsoft tenant through the new NCE SKUs. The client can purchase 12-month NCE licenses and apply them to the tenant. They can also purchase 36-month (not available yet) or month-to-month licenses and apply them to the tenant as well. Additional licenses can be added to the tenant at any time during the term. For example, the customer can purchase 50 licenses of Office 365 E3 12-month NCE in January. In March they might add another 10 O365 E3 12-month licenses. Those 10 additional licenses are added to the original 50 licenses of the same SKU and will co-terminate with the original 50. Customers can mix and match any combination of 12-month, 36-month, and month-to-month SKUs within the same tenant. With the term SKUs, licenses can be added to the tenant at any time during the term; however, licenses cannot be removed until the end of the term is reached and a new agreement started.

Therefore, customers will likely need some flexibility in how they purchase NCE licensing. It probably makes sense to have most of the organization on a long-term agreement. However, for those organizations that expect some ebb and flow in their workforce, it may make sense to have a certain percentage on the month-to-month plan. For instance, a company may opt to put 90% of its workforce on a term agreement and leave 10% on month-to-month. The 20% premium paid for month-to-month licensing would be offset by not paying for unused licenses in the event of a workforce reduction.

All of these changes are not happening overnight. There are several milestones to keep in mind:

January 10, 2022: NCE 12-month and month-to-month SKUs became available. SKUs purchased between January 10 and March 1st will lock in current pricing for 12 months. Month-to-month NCE licenses can be purchased at the current 12-month rate through June 2021. There are also some timed pricing incentives available. Check with your distributor for details.

March 1, 2022: All NCE SKUs increase in price based on the table above.

March 10, 2022: All new subscriptions will be NCE. New legacy subscriptions will no longer be available.

July 1, 2022: All month-to-month NCE agreements incur a 20% increase. Renewals of legacy subscriptions can only be done with NCE licensing.

December 2022: CSP Incentives on legacy subscriptions

July 2023: All remaining legacy subscriptions must be converted to NCE


So what are the key takeaways for MSPs?:

  • Work with your customers now to get them on the right NCE program. Time is running out to beat the price increases in March, but there is still time.

  • Discuss the impact of the term agreements with your clients. Make sure they understand the early termination fees for the 12 and 36 month options.

  • Review your Master Services Agreement and consider adding language that makes it clear that MS 365 licensing cannot be moved mid-term in the event of a cancellation of your MSP agreement.

  • Prepare your PSA for change. Add the proper SKUs and understand the process of ordering new NCE subscriptions and converting legacy subscriptions.

  • Review your license management processes. Most subscriptions will be set to auto-renew, and there is only a 3-day window at renewal time to adjust the number of seats in each SKU. As a function of your client Quarterly Business Review, audit the number of licenses for each SKU and note the renewal dates for each SKU. Adjust license counts accordingly.
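The co-termination and renewal-window rules described above are easy to get wrong when tracked by hand across several tenants. The following is an added example (my own illustration, not Microsoft's or any PSA vendor's code) that models them: add-on purchases of the same SKU and term co-terminate with the first purchase, every agreement is assumed to auto-renew for the same term length, and the only dates on which seat counts can be adjusted are the last three days of a term. The tenant names, SKUs, seat counts and dates are constructed sample data.

```python
"""NCE renewal tracker (added example, constructed data, not vendor code).

Models three rules from the post: add-on purchases of the same SKU/term
co-terminate with the original purchase, subscriptions auto-renew for the
same term, and seat counts can only be adjusted in a 3-day window at the
end of the term.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

RENEWAL_WINDOW_DAYS = 3  # adjustment window at term end, per the post


@dataclass(frozen=True)
class Purchase:
    tenant: str
    sku: str
    term_months: int  # 1 = month-to-month, 12 or 36 = term SKUs
    start: date
    seats: int


@dataclass(frozen=True)
class Agreement:
    tenant: str
    sku: str
    term_months: int
    start: date
    end: date      # end of the first term; later periods follow by auto-renewal
    seats: int


# Constructed sample: the post's "50 E3 in January, 10 more in March" scenario,
# plus a small month-to-month pool and a second SKU.
SAMPLE_PURCHASES: List[Purchase] = [
    Purchase("Acme Corp", "Office 365 E3", 12, date(2022, 1, 15), 50),
    Purchase("Acme Corp", "Office 365 E3", 12, date(2022, 3, 20), 10),
    Purchase("Acme Corp", "Office 365 E3", 1, date(2022, 1, 15), 6),
    Purchase("Acme Corp", "Microsoft 365 Business Premium", 12, date(2022, 2, 1), 25),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (Jan 31 + 1 month = Feb 28/29)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def consolidate(purchases: List[Purchase]) -> List[Agreement]:
    """Merge purchases per tenant/SKU/term; the earliest purchase sets the term end."""
    agreements: Dict[Tuple[str, str, int], Agreement] = {}
    for p in sorted(purchases, key=lambda x: x.start):
        key = (p.tenant, p.sku, p.term_months)
        if key not in agreements:
            agreements[key] = Agreement(p.tenant, p.sku, p.term_months, p.start,
                                        add_months(p.start, p.term_months), p.seats)
        else:
            a = agreements[key]  # add-on co-terminates: same end, more seats
            agreements[key] = Agreement(a.tenant, a.sku, a.term_months, a.start,
                                        a.end, a.seats + p.seats)
    return list(agreements.values())


def current_period_end(a: Agreement, today: date) -> date:
    """Term end of the period containing `today`, assuming auto-renewal."""
    end = a.end
    while end < today:
        end = add_months(end, a.term_months)
    return end


def adjustment_window(a: Agreement, today: date) -> Tuple[date, date]:
    """The only dates on which seats can be reduced for the current period."""
    end = current_period_end(a, today)
    return end - timedelta(days=RENEWAL_WINDOW_DAYS), end


def in_adjustment_window(a: Agreement, today: date) -> bool:
    start, end = adjustment_window(a, today)
    return start <= today <= end


def upcoming_renewals(agreements: List[Agreement], today: date,
                      lookahead_days: int) -> List[Agreement]:
    """Agreements renewing within the lookahead (e.g. until the next QBR), soonest first."""
    horizon = today + timedelta(days=lookahead_days)
    due = [a for a in agreements if current_period_end(a, today) <= horizon]
    return sorted(due, key=lambda a: current_period_end(a, today))


if __name__ == "__main__":
    today = date(2023, 1, 13)
    for a in upcoming_renewals(consolidate(SAMPLE_PURCHASES), today, 30):
        flag = "ADJUST NOW" if in_adjustment_window(a, today) else ""
        print(f"{a.tenant} {a.sku} ({a.term_months}-mo, {a.seats} seats) "
              f"renews {current_period_end(a, today)} {flag}")
```

Run against a real tenant export, the `upcoming_renewals` list is the QBR checklist the post asks for, and `in_adjustment_window` is the flag that tells a technician whether a seat reduction requested today can actually be applied or must wait for the next term end.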

In some ways these changes have made Microsoft licensing more complex. In other ways they have simplified things. It is important that MSPs understand the program and take steps to mitigate the risks and reap the benefits.

Mark Jennings

The Four Pillars of Risk Management for MSPs - Regulatory Risks


Over the past two decades there has been an ever increasing amount of regulation regarding data privacy. Organizations are held to much higher standards in terms of the protections they must put in place to ensure that personal data remains confidential. At the same time, the market on the dark web for personal data has exploded.

The list of data privacy regulations is long and touches most industries. The alphabet soup includes HIPAA, GLBA, SOX, FERPA, COPPA, etc. Other regulations are geography based, GDPR (EU) and CCPA (California) for example. Many other states are working on their own versions of CCPA as well.

Our clients may be subject to one or more data privacy regulations as a function of the business they are in. Some are obvious, such as the fact that all medical practices are subject to HIPAA by default. However, many organizations not directly involved in the delivery of healthcare services may store Protected Health Information (PHI) for reasons not so obvious. Those organizations are bound by HIPAA rules just as any other healthcare institution is.

Geography-based regulations can apply to any industry. They typically aim to protect the Personally Identifiable Information (PII) of the citizens of that region regardless of the location of the service provider. As an extreme example, if a small inn in the rural United States were to host a guest from France, they would typically collect the name, address, credit card info, phone number, etc. of that person. At that point they are holding PII of an EU citizen and are therefore bound by the regulations of GDPR with regard to protecting that information.

As a service provider to these organizations with some level of access to, and potentially storing, that data, we are subject to the same regulations.

In part one of this series we discussed the fact that we become subject to these regulations either knowingly or through the happenstance of contracting with a covered entity. In part one, Rob Scott of Scott and Scott LLP, stressed the importance of excluding any responsibility for regulatory compliance in our master services agreement. According to Scott, the master services agreement should require that any client subject to a particular regulation must declare that fact and enter into a separate Data Processing Agreement (DPA) specific to that regulation. In the absence of such an agreement, the client must hold the MSP harmless from any failures to comply with the regulation.

Scott goes on to recommend that MSPs create their own version of the DPA for each regulation they offer compliance with, as opposed to letting each client present their own version.

MSPs should make sure they are familiar with the laws surrounding a regulation before agreeing to comply. Fortunately, most of them hold similar requirements, and compliance with one largely overlaps with the others. Your DPA for each regulation would address the specifics of that regulation and state your compliance measures.

The other aspect of regulations involving PII is the rights of the individual. These include the individual's right to have access to the data held by the organization, the right to have that data deleted, and the right to transfer that data to another entity. As an MSP serving your clients, you would likely not be in a position to control this aspect of the data, but it is important to understand the requirements.

In a previous blog we discussed the importance of adopting a common security framework to formalize your security processes and procedures. By doing so, you would likely be in compliance with the regulatory requirements put forth by any of these regulations.

Throughout this series we have explored the four pillars of Risk Management for all MSPs. As a review, they are:

Contracts

Policies and Procedures

Insurance

Regulatory Risks

By addressing each one of these areas, MSPs can take an ever increasingly risky business and make it safe, secure, and profitable.

Mark Jennings

The Four Pillars of Risk Management for MSPs - Tech E&O Insurance


In part three of our series on risk management for MSPs we'll take a look at the role of insurance. Several months back we posted a blog on the importance of having a comprehensive cyber insurance policy to protect against potential claims of negligence or malpractice from your clients.

Most likely from the early days of our practice we have carried Errors and Omissions (E&O) insurance to protect against potential claims for negligence in the course of our work. Should one of our engineers accidentally lose significant data of one of our clients, resulting in a claim, we wanted to make sure we were covered. However, most older traditional E&O policies do not cover cybercrime events.

It is important for MSPs to now carry insurance that covers any type of cybercrime that takes place inside their organization as well as any cybercrime that takes place within one of their clients' environments. For instance, if a client were to experience a ransomware attack and claim that somehow it was the result of negligence on your part (whether true or not), you need to have insurance to cover the cost of remediation should it go that far.

So does the MSP simply shop around for a cyber insurance policy to complement their existing E&O insurance? No, according to Justin Reinmuth of TechRug, an insurance broker specializing in MSPs. "You should really have two policies in one. Your E&O should also be your cyber liability; they should be together." If the policies are separate there may be gaps. Traditional E&O policies cover errors, omissions, staff mistakes, etc. A proper E&O policy contains third-party liability that covers unauthorized access to your client's network. As an example, if an engineer on your team were to disable MFA on a client's system while troubleshooting an issue and then forget to re-enable it, your traditional E&O likely would not cover it. Even though the issue was caused by an error on your part, the damage was caused by unauthorized access to the network, which is typically not covered under traditional E&O.

As with all insurance policies, the devil is in the details. In his "Tech E&O Insurance Run Through for MSPs" YouTube video, Joe Brunsman of Chesapeake Professional Liability Brokers takes a detailed look at a sample Tech E&O policy with cyber provisions. Brunsman walks us through the definitions of the various aspects of the policy and how they relate to the coverage in common scenarios in the MSP industry.

Another reason to have a single E&O policy with comprehensive cyber coverage is the existence of "other insurance" clauses. Most cyber insurance policies have some overlap with traditional E&O policies. It is common for these policies to include an "other insurance" clause stating that, if another insurance policy in effect has coverage for the particular type of claim, that other policy is primary. Therefore, the coverage under that other policy must be exhausted before the coverage under this policy kicks in. Assuming both policies have that same clause, the two insurance companies will each be claiming the other is primary. Of course, there may be special cases where an MSP has needs that cannot be addressed with a single policy. In such cases they would need to ensure the policies are written in such a way as to eliminate overlap, or have the second underwriter commit to being primary for the special case.

Underlying all of this, the cyber insurance industry is in a major state of flux. According to Justin Reinmuth, "carriers that were in this business two years ago…90% of them are gone." Unlike auto insurance, which has a long established track record and years of actuarial data to accurately assess the risk, the cyber world is a relatively young and ever-changing landscape. Both the MSP and the cyber insurance industries are unregulated at this time. This makes it a risky business for any underwriter.

The bottom line for MSPs is to work with an insurer that is familiar with the MSP business. Have them craft a full Tech E&O policy with comprehensive cyber liability coverage. At the same time, make sure your legal counsel is familiar with the MSP industry. The combination of the two will ensure that you are adequately protected should the inevitable occur.

Mark Jennings

The Four Pillars of Risk Management for MSPs - Policies and Procedures


Policies and Procedures

In our last article, we discussed the importance of reviewing your current contracts to make sure that you are protecting yourself against new threats, not just from nefarious parties but from your vendors and your clients.

In part two of our series we'll look at policies and procedures you should be implementing in your MSP practice. As with your contracts, you may have created policies and procedures over the years that are simply not adequate in today's threat landscape.

According to Rob Scott of Scott and Scott LLP, a basic set of policies would include:

Written information security policy

Breach incident response plan

Acceptable use policy

Other policies required by regulation


Information Security Policy

Your information security policy (ISP) outlines the procedures by which you keep data in your organization confidential, ensure its integrity, and always make it available to those that need it. As an MSP, your ISP should include policies and procedures by which you protect data for your clients as well.

Confidentiality

Your ISP must address how you are securing access to your data to ensure only those with a need to access it have the rights to do so. This includes people inside your organization as well as those from the outside. This aspect of your security policy would include standard permissions for access to data based on individual credentials, role, and/or location. Strict procedures for the on-boarding and off-boarding of employees would be outlined in the ISP, ensuring that the process is followed and repeated for all employees. Your organization may include a zero-trust policy whereby the basic profile of a user is provided access to nothing. Only those permissions necessary for the function of the employee are given, on an as-needed basis. The location of sensitive and protected data is identified and permissions are applied accordingly.

Details such as password strength, multi-factor authentication, and remote access would be discussed.

Any Data Loss Prevention (DLP) measures, such as outbound email filtering, and Mobile Device Management (MDM) would be articulated in the ISP.

Security monitoring systems such as a Security Information and Event Management (SIEM) system, Managed Detection and Response (MDR), or Endpoint Detection and Response (EDR) would be described in the ISP.

Integrity

The ISP needs to ensure that the data within your organization can be trusted. Processes must be put in place to detect and identify any attempt to modify data in an unauthorized manner, either through error or malicious behavior. The ISP should identify processes that ensure that systems in place to protect access to the data are configured properly and remain so. As an example, change control procedures should ensure that proposed changes to systems are reviewed in advance and the changes are documented properly. Auditing should be enabled on all systems to make sure that those responsible for making changes are identified.

Your security policy will include procedures for workflow as well. As an example, Rob Scott recommends a policy of requiring verbal confirmation of wire transfers of monies. In recent years, CEO fraud has resulted in companies fraudulently wiring millions of dollars based on a forged email sent from within the corporate email system.

Availability

As part of your ISP you must ensure that corporate data is available when it is needed. This includes a comprehensive disaster recovery plan. Disasters come in all shapes and sizes, from something as simple as a user erroneously deleting an entire data set, to major equipment failures, to a ransomware attack, to catastrophic earthquakes.

Your disaster recovery plan must identify your backup and restoration procedures. Those procedures must address the Recovery Time Objective (how long a system can be down) and Recovery Point Objective (how much data you can lose). Systems and procedures must be able to make the data available to the users within the RTO based on the severity of the incident and the criticality of the system.

The DR plan must be tested periodically to ensure the RTO can be reasonably met in the event of a true disaster.
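As an added example (my own illustration, not a procedure from the post), the RTO, RPO and periodic-test requirements above can be turned into an automated check that runs before every DR review: each system is assigned a criticality tier with target objectives, the age of its last successful backup is compared to the RPO, and the duration of its most recent restore drill is compared to the RTO, with a drill that is missing or too old treated as an unproven RTO. The tiers, the hour targets, the 180-day test-age limit and the system records are constructed assumptions for the example.

```python
"""DR plan verification (added example; tiers, targets and records are constructed).

For each system: is the last backup within the RPO, did the last restore
drill finish within the RTO, and is that drill recent enough to still count?
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed tier targets in hours; real values come from the DR plan.
TIER_TARGETS: Dict[str, Dict[str, float]] = {
    "critical": {"rto_hours": 4, "rpo_hours": 1},
    "important": {"rto_hours": 24, "rpo_hours": 12},
    "standard": {"rto_hours": 72, "rpo_hours": 24},
}
MAX_TEST_AGE_DAYS = 180  # assumption: a drill older than this no longer proves the RTO


@dataclass(frozen=True)
class SystemRecord:
    name: str
    tier: str
    last_backup: datetime
    last_restore_test: Optional[datetime]    # None = never tested
    last_restore_minutes: Optional[float]    # wall-clock time of that drill


@dataclass
class DrFinding:
    name: str
    rpo_met: bool
    rto_met: bool
    test_current: bool
    notes: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.rpo_met and self.rto_met and self.test_current


# Constructed sample inventory as of 2024-03-01 08:00.
SAMPLE_SYSTEMS: List[SystemRecord] = [
    SystemRecord("erp-db", "critical", datetime(2024, 3, 1, 7, 30),
                 datetime(2024, 1, 10, 9, 0), 150),
    SystemRecord("file-server", "important", datetime(2024, 2, 28, 22, 0),
                 datetime(2023, 7, 1, 9, 0), 600),
    SystemRecord("intranet", "standard", datetime(2024, 2, 29, 23, 0), None, None),
]


def evaluate(system: SystemRecord, now: datetime) -> DrFinding:
    """Check one system against the objectives for its tier."""
    targets = TIER_TARGETS[system.tier]
    notes: List[str] = []

    backup_age = now - system.last_backup
    rpo_met = backup_age <= timedelta(hours=targets["rpo_hours"])
    if not rpo_met:
        notes.append(f"last backup {backup_age.total_seconds() / 3600:.1f}h old "
                     f"exceeds RPO of {targets['rpo_hours']}h")

    if system.last_restore_test is None or system.last_restore_minutes is None:
        rto_met, test_current = False, False
        notes.append("restore never tested; RTO unproven")
    else:
        test_current = now - system.last_restore_test <= timedelta(days=MAX_TEST_AGE_DAYS)
        rto_met = system.last_restore_minutes <= targets["rto_hours"] * 60
        if not rto_met:
            notes.append(f"last restore took {system.last_restore_minutes:.0f} min, "
                         f"RTO is {targets['rto_hours']}h")
        if not test_current:
            notes.append(f"last restore drill older than {MAX_TEST_AGE_DAYS} days")

    return DrFinding(system.name, rpo_met, rto_met, test_current, notes)


def dr_report(systems: List[SystemRecord], now: datetime) -> List[DrFinding]:
    return [evaluate(s, now) for s in systems]


def needs_attention(findings: List[DrFinding]) -> List[str]:
    """Names of systems that fail any objective, for the DR review agenda."""
    return [f.name for f in findings if not f.ok]


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 8, 0)
    for finding in dr_report(SAMPLE_SYSTEMS, now):
        status = "OK" if finding.ok else "ATTENTION"
        print(f"{finding.name:12s} {status}: {'; '.join(finding.notes) or 'within objectives'}")
```

The point of separating `test_current` from `rto_met` is that a drill from last year that met the RTO says little about today's data volumes and infrastructure; the check keeps the plan honest about what has actually been proven recently rather than what was once achieved.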

As an MSP, the information security policy for your organization can serve as the framework for the ISP for your clients' networks.


Acceptable Use Policy

The Acceptable Use Policy for your organization should provide users with a clear understanding of what they can and cannot do. The existence of the AUP would be identified in the Information Security Policy, likely as a document presented to new employees when they are on-boarded. The details of acceptable and unacceptable behavior are articulated in the AUP itself. Users are made aware of their responsibilities to help keep corporate data secure and available.

Core to the AUP is the explanation that the corporate network is company property and that the rules set forth by the AUP must be abided by in order to retain access to the network. The AUP usually includes obvious restrictions on illegal activities, obscene or offensive behavior, and accessing known rogue websites. Companies may include other restrictions such as limiting access to social media sites, shopping sites, gambling sites, etc.

Many organizations also state in their AUP that the email system is a corporate asset and therefore all mail flowing through the system is the property of the organization. Employees should be aware that the company reserves the right to open and read all email in the event it is required.

Breach Incident Response Plan

In the event a security breach is detected, a set of procedures must be identified that users and management can follow in response.

An IRP identifies the various organizational members and teams that will be involved in any response and the responsibilities those individuals and teams will have in responding. These will likely include the CISO, members of the executive team, the privacy/compliance officer, and certain department heads. The IRP may classify the protected information and assign severity levels based on the sensitivity of specific information.

The IRP will identify the workflow of an incident response including what information is provided to whom, and whether law enforcement needs to be included, who is authorized to speak on behalf of the organization, and what information should be disseminated.

As security breaches can take many forms and the severity of the incident can vary, the IRP needs to be flexible but clear. Typically, when a security breach is detected, time is of the essence. The plan needs to be relatively simple. Employees at all levels of the organization need to be informed of its existence and trained on it. If the plan is too complicated it will likely lead to confusion and potentially make a bad situation worse.

As an MSP servicing your clients, you may identify that a breach has occurred in your client's network. It is critical that your staff be trained not only on how to react to the breach, but also on what they should and should not do. It is also important that your staff knows what should be communicated. According to Joe Brunsman in his YouTube podcast "MSP Liability Considerations After Client's 'Cyber Event'", MSPs should follow three major steps: Identify, Contain, and Refrain. Brunsman explains that MSPs should be able to identify a breach and take immediate measures to contain it. However, if the MSP does not have a credentialed forensics practice they should stop there and have the client engage a forensics team to identify the extent of the damage. The MSP should also refrain from providing any legal advice whatsoever. This includes not recommending that the client pay any ransom or other concessions. It is important that your staff does not make inadvertent comments that can be misconstrued as legal advice, or as indications that the issue is resolved when no forensics have been performed.

Again, the existence of the IRP is described in the Information Security Policy with the details being articulated in the IRP itself.

Training and Testing

Policies that are written and distributed once and forgotten are useless. It is important that organizations train their end user community on the policies continually. Most of us have by now implemented end user security training in our organization in order to make sure our employees can detect phishing attempts and other email fraud. It is a natural extension to include continual training on Acceptable Use Policies and Incident Response Plans.

IT teams should be testing these policies and procedures regularly to identify gaps in the plan and ensure they can be followed easily in the event of an incident. Simple tabletop exercises can simulate a situation and provide great insight into how well the policy is performing and how well it is understood.

Relationship to Common Security Framework

A few weeks back I wrote an article about the importance of adopting a common security framework such as NIST or CIS. Whichever framework you choose, it will provide the underlying foundation of your Information Security Policy. Each control typically maps to a process or procedure that should be included in your Information Security Policy. Depending on which level of the framework you decide to implement, those controls would be included in your ISP.

By certifying on that framework you would ensure that your policies and procedures are reviewed on a periodic basis and therefore would not become out of date.

In part three of this series we'll look at cyber insurance and how implementing the things we have discussed so far will help you obtain quality insurance to protect your business and reduce your premiums.


Mark Jennings

The Four Pillars of Risk Management for MSPs - Contract Language

The one constant in the MSP business is change. In order to address the constantly changing threat landscape we must take a holistic view of risk management and reexamine all aspects of our business. This four-part series will look at the threat landscape for MSPs from several angles.

We are used to thinking of the threats as acts perpetrated against us by bad actors. We mitigate those risks through the use of firewalls, anti-virus/malware software, SIEM/MDR solutions, and end user training, etc. Job done! Right?

Nope! The threat landscape for MSPs extends way beyond "the bad guys". The sources of risk for your organization also include your vendors, employees, and even your customers. Because your customer's network is an extension of your own, your customers expose you to risk if their network is not secured at least as well as your own. The customer that refuses to make adequate investments in security exposes your organization to unnecessary risk and puts everyone in jeopardy.

As we will see throughout this series, the steps we take to mitigate risks will involve how we interact with our customers at all levels.

There are four pillars to risk management in the MSP world:

  • Contracts

  • Policies and Procedures

  • Insurance

  • Regulatory Risks


Contracts

Those of us that have been in the business for many years developed our contracts at a time when the MSP world was a simpler place. At that time, we provided most of the services using our own team and a small set of tools to manage our clients' networks. As such, our contracts barely spoke (if at all) of third party vendor products used in the delivery of service. Today, with the proliferation of cloud based services, we have become more of an aggregator of services to our clients.

Every third party vendor we engage with presents us with a contract in which we agree to hold them harmless and indemnify them in the event of a failure of the product or a security breach, regardless of whether it was their fault (think Kaseya). Many of them go even further and stipulate that you have shared their end user agreement with the clients to which you are providing the service. How many of us can say we have actually done that? Your contracts now should reference every third party vendor's End User Agreement with a link to it on the vendor's website. When the client signs your contract, they are acknowledging that they have seen the third party vendors' contracts. According to Robert Scott of Scott and Scott LLP, "third party service provider risk, channel related risk, is probably the biggest thing you need to solve for in your contracts today."

Another threat that did not exist when we created our contracts was that of ransomware. In recent years, organizations of all sizes have been hit by ransomware attacks. Recovery from an attack can be expensive and time consuming. In many cases MSPs have performed lengthy recovery projects that the client assumed were covered under their contract. Regardless of the resolution, the relationship was most likely damaged if there was a disagreement on payment. Your contract should be clear up front: in the event of a ransomware attack, your customer may choose to pay the ransom, or pay for your services at the current rate to remediate, and any work related to ransomware recovery is not included in the contract.

We'll discuss the issue of regulatory risks in more detail later in the series, but suffice it to say many of our clients are bound in some way to regulatory requirements. Common regulations include HIPAA, SOX, GLBA, GDPR, etc. The list is quite long. It is impossible for any MSP to know all of the regulations any individual client is bound to. The onus of identifying those regulations to the MSP must be placed on the client. Therefore, your contract should clearly state that there is no inherent compliance with any regulation in your Master Services Agreement unless a separate Data Processing Agreement is in place. The client must request a DPA for the regulation in question. If your business agrees to abide by those regulations, you should have a standard DPA available to provide to the client for that regulation rather than allowing the client to provide you with theirs.

Later in the series we'll discuss cyber insurance in more detail as well. However, our contracts should address the need for the client to carry their own first party cyber insurance policy. Clients should not be relying on your cyber insurance policy to kick in should a breach occur that is potentially due to negligence on your part.

Given the changing landscape, contracts today need to be somewhat dynamic. Robert Scott recommends moving to a web-based contract management system that can automate the signing, linkage, storage, and maintenance of contracts. As changes in contracts occur, clients can access their updated contracts through a web-portal. This dramatically simplifies the process of keeping contracts current and adapting to new threats and regulatory requirements.

Contract language strikes at the heart of the value of the MSP business. Robert Scott states that "when you are thinking about risk balancing, when you are going to sell your managed services business, or if [you] are looking to buy IT Managed Services businesses…you want to be looking at what is the exposure in the paper." Because your contract base is your biggest asset as an MSP, if contracts are weak on provisions for Limitations of Liability, Indemnity, and Insurance requirements, your business won't be worth as much.

In our next post in the series we will look at policies and procedures MSPs should have in place to mitigate risks.

Mark Jennings

Protecting Your Practice With a Common Security Framework

As the threat landscape for MSPs continues to get broader and wider, it is more important than ever that we shore up our internal security as much as possible. However, this should not be done in a "piecemeal" manner. It is easy to fall into the trap of assuming that we know which specific measures should be taken and simply implementing those. That may result in a more secure network, but it will most likely leave gaps and literally provide a false sense of security.

There are several Common Security Frameworks (CSF) available that provide a standard set of guidelines that can be followed by the MSP. By selecting one of the common security frameworks, an MSP will have a structured roadmap by which to assess their current state, identify the gaps, remediate the gaps, and certify the environment. By selecting and meeting common standards, MSPs also add to the protection they gain in the event of a lawsuit brought on by a breach. If the MSP has certified against a recognized standard, and their practices are compliant with that standard, any legal liabilities will be greatly mitigated. Cyber Insurance providers are more likely to pay the claim.

Although each CSF can be "certified" by an audit process, none of them require this as an outcome. However, potential clients and industries may require certification as a prerequisite of doing business.

Three foundational CSFs are available for general (but deep) security regardless of industry: NIST CSF, ISO 27000 Series, and CIS CSF.

NIST CyberSecurity Framework:

The NIST CSF is a basic set of guidelines upon which other, industry-specific NIST frameworks build. It is based on five primary Functions: Identify, Protect, Detect, Respond, and Recover. Each Function has a set of Categories and each Category has a set of Subcategories. In total there are 5 Functions, 23 Categories, and 108 Subcategories.

Each Subcategory articulates a specific outcome to gain compliance. For instance, ID.AM-1 (Function: Identify, Category: Asset Management, Subcategory 1) stipulates that "Physical devices and systems within the organization are inventoried." Likewise, Subcategory PR.AT-1 stipulates "All users are informed and trained" (on cybersecurity).

The NIST CSF also provides Informative References that act as a cross-reference to sub-categories within other CSFs such as CIS, ISO 27000, NIST 800-53, and COBIT.

The NIST Framework provides definitions for organizations to assess their level of security preparedness against a four-tier scale: Partial, Risk Informed, Repeatable, Adaptive.

Organizations identify their current tier (current profile) and their desired tier (target profile). Using the NIST Framework guidelines, they identify the gaps between their current profile and their target profile.

NIST then provides a 7-step process to follow in order to achieve the desired state.

Once the MSP has achieved NIST CSF compliance they can layer on any industry specific requirements based on their typical client profile.

Center for Internet Security Cyber CSF

Like the NIST CSF, the CIS CSF is industry agnostic. In many other respects the frameworks are similar as well.

In CIS CSF v8 the aspects of cyber security are divided into 18 controls with 153 underlying safeguards.

As with NIST, CIS provides a tiered approach to compliance that allows organizations to achieve compliance at a level that is appropriate to their risk profile and the resources they have available to achieve and maintain compliance. CIS defines three Implementation Groups (IG1, IG2, IG3). Compliance with each Implementation Group is based on meeting the safeguards associated with that IG. For instance, IG1, which is considered basic cybersecurity hygiene, requires that 56 foundational safeguards be met. IG2 requires the IG1 safeguards plus an additional 74 safeguards. IG3 requires that all 153 safeguards be met.

CIS provides a Controls Self-Assessment Tool (CSAT) as well as a Risk Assessment Methodology (RAM) to help organizations identify where they are in their current state and identify the gaps between that and their desired state.

One aspect of the CIS CSF that differs from the others is that it provides a set of benchmarks specific to industry leading hardware, software, and operating systems. The CIS Benchmarks identify specific configuration parameters that map to CIS safeguards for over 100 products. This is a huge benefit for organizations as they assess their environments. For MSPs this is a great resource for guidance in deploying systems securely within their clients' environments.
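As an added illustration that is not part of the article and not CIS material, the Python below shows the mechanism the CIS Benchmarks rely on: a named configuration parameter, an expected value for it, and a link from each check back to the safeguard it supports, so that a failing check is a gap against the target profile. The sshd_config sample, the check IDs (SSH-01 and so on) and the safeguard labels are constructed for this example; they are not CIS Benchmark recommendation numbers or CIS Controls safeguard IDs.

```python
"""Benchmark-style configuration check runner (added illustration).

Parses an sshd_config-style key/value file and evaluates a short list of
hardening checks written in the style of a configuration benchmark.
The sample config, the check identifiers and the safeguard labels are
constructed for this example; they are not CIS Benchmark recommendation
numbers or CIS Controls safeguard IDs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample sshd_config. It deliberately contains two weak
# settings (root login permitted, generous MaxAuthTries) and a duplicated
# keyword, so the report has findings and the parser's behaviour shows.
SAMPLE_SSHD_CONFIG = """\
# sshd_config -- constructed sample for this example
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 10
X11Forwarding no
LogLevel INFO
LogLevel DEBUG
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword argument' lines into a dict.

    Comments and blank lines are skipped, keywords are case-insensitive,
    and the first occurrence of a keyword wins (sshd applies the first
    value it reads, so a later duplicate is silently ignored).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


@dataclass(frozen=True)
class Check:
    check_id: str                  # constructed label, not a CIS number
    safeguard: str                 # hypothetical mapping to a safeguard
    key: str                       # sshd keyword, lower-cased
    passes: Callable[[str], bool]  # predicate over the configured value
    remediation: str               # what to set to close the gap


CHECKS: List[Check] = [
    Check("SSH-01", "restrict administrative access", "permitrootlogin",
          lambda v: v.lower() == "no", "Set PermitRootLogin no"),
    Check("SSH-02", "limit authentication attempts", "maxauthtries",
          lambda v: v.isdigit() and int(v) <= 4, "Set MaxAuthTries to 4 or less"),
    Check("SSH-03", "enforce key-based authentication", "passwordauthentication",
          lambda v: v.lower() == "no", "Set PasswordAuthentication no"),
    Check("SSH-04", "collect audit logs", "loglevel",
          lambda v: v.upper() in ("INFO", "VERBOSE"), "Set LogLevel INFO or VERBOSE"),
]


def assess(config_text: str, checks: List[Check] = CHECKS) -> Dict[str, dict]:
    """Evaluate every check against the parsed config and return the results."""
    settings = parse_config(config_text)
    results: Dict[str, dict] = {}
    for check in checks:
        value: Optional[str] = settings.get(check.key)
        # An absent directive means the daemon's compiled-in default applies.
        # The runner does not guess that default; it reports the item as a
        # finding so the reviewer sets the value explicitly.
        ok = value is not None and check.passes(value)
        results[check.check_id] = {
            "safeguard": check.safeguard,
            "key": check.key,
            "value": value,
            "pass": ok,
            "remediation": None if ok else check.remediation,
        }
    return results


def gap_report(results: Dict[str, dict]) -> List[str]:
    """Return the IDs of failing checks, i.e. the gap to the target profile."""
    return sorted(cid for cid, r in results.items() if not r["pass"])


if __name__ == "__main__":
    res = assess(SAMPLE_SSHD_CONFIG)
    for cid, r in res.items():
        status = "PASS" if r["pass"] else "FAIL"
        print(f"{cid} [{status}] {r['key']}={r['value']!r} ({r['safeguard']})")
        if not r["pass"]:
            print(f"        remediation: {r['remediation']}")
    print("gaps:", gap_report(res))
```

Two design choices matter when a runner like this is pointed at a real host. The parser keeps the first occurrence of a keyword because that is how sshd resolves duplicates, so a hardened value appended at the end of a file does not actually take effect and the check correctly reports the weak one. A directive that is absent is reported as a finding rather than assumed secure, because the compiled-in default varies by build and version; the reviewer closes the finding by setting the value explicitly, which is also what makes the configuration auditable against the benchmark later.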

ISO 27001

The ISO 27000 Series CSF is published by the International Organization for Standardization. As with NIST and CIS, it is a series of categories and controls. In this case, 14 categories and a total of 114 controls.

As an international standard, it is recognized globally and certification may be required to do business with many international enterprises. Although certification is not required to complete compliance, most organizations implementing ISO 27001 are doing so with certification in mind.

ISO 27001 is more focused on the implementation and maintenance of a functioning Information Security Management System (ISMS) than on the actual controls themselves. In fact, the latest revision of the standard does not require the organization to implement the controls as defined, but rather to demonstrate that they have adequately mitigated the risk in some way. As an on-going process, the organization must demonstrate that the ISMS is continuing to function and must recertify every three years.

The ISO 27000 Series contains several supplementary standards that build on ISO 27001. Perhaps the most common one is ISO 27002, which provides far more detail on the controls defined in ISO 27001. There is no certification for ISO 27002 as it is not specific to the ISMS.

Whereas NIST and CIS frameworks are free and self-assessment is possible, ISO 27001 certification can be costly. Typically, organizations implementing ISO 27001 have already achieved a higher level of operational maturity.

Other Standards:

Beyond the common frameworks above there are many other standards that can be layered on top. These are useful and often required to do business within certain industries:

Control Objectives for Information Technology (COBIT)

COBIT was created by ISACA and is often used in conjunction with other frameworks, as it is more focused on governance than on the technical aspects. It offers cross-references to NIST controls in the same way NIST offers Informative References to COBIT.

HITRUST CSF:

Originally specific to the healthcare industry, HITRUST was developed to offer guidance to healthcare organizations of all sizes to comply with HIPAA requirements regarding the safeguarding of PHI. HITRUST is based on ISO 27001. Where the ISO standard tends to be liberal in enforcing the specific controls to mitigate risk, HITRUST is designed to be more prescriptive, yet flexible enough to address the threats and needs of organizations of any size. HITRUST offers three levels of implementation of controls to allow for "scaling" to the size and resources of the organization. By using the HITRUST framework, organizations can achieve compliance appropriate to the risks they face.

SOC 2:

The SOC 2 framework is one of three reporting options developed by the American Institute of Certified Public Accountants (AICPA) in 2011. It is based on five Trust Services Criteria (TSP): Security, Availability, Processing Integrity, Confidentiality, and Privacy. As SOC 2 has a formal audit inherent to the process, it is a good choice for those looking for a certification as the outcome. Organizations are free to make the scope of the audit as narrow or as broad as they would like depending on the needs of the organization. This can include one or all TSPs. The SOC 2 reporting process can be used to audit controls of other security frameworks as well.

NIST 800-171 and CMMC

NIST 800-171 is a publication that builds on the NIST CSF; however, it includes specific guidance for the handling of Controlled Unclassified Information (CUI). This is important for any organization doing business directly with the Department of Defense or with contractors working with the DoD. The publication was originally distributed as a specific set of controls with a worksheet that allowed organizations to self-assess. There has been no requirement for a formal audit or certification. However, in December 2020, the US government established the Cybersecurity Maturity Model Certification (CMMC) process. CMMC is a certification related to NIST 800-171. It provides five levels of certification based on the number of NIST 800-171 controls implemented and verified. CMMC Level 3 certifies all controls in 800-171. Levels 4 & 5 certify controls from other frameworks beyond 800-171. In 2026, all organizations wishing to do business with DoD related companies will be required to be certified under CMMC.

Decisions, Decisions…

So which framework should you choose? For the most part it doesn't matter. However, if your typical client profile fits into certain business types such as healthcare, finance, retail/hospitality, or defense contractors, that may guide your decision. As we've seen, most of the Common Security Frameworks overlap heavily.

It is up to each MSP to determine which framework is best for them. Smaller MSPs would be best served looking at either the NIST CSF or the CIS CSF. Both provide a standardized process to follow to implement the framework and can be done at no cost. One big advantage of the CIS framework is the companion set of CIS Benchmarks, which offer guidance on specific configuration parameters for over 100 products. This can help MSPs implement their services to their clients in a compliant way as well.

Simply adopting and implementing any standard framework is a huge step forward in protecting your business as the threat landscape continues to expand.
