Compliance, cybersecurity, Security Framework | Mark Jennings

States Are Offering Carrots As Well As Sticks

For the past several years states have been passing privacy laws that impose stiff penalties on organizations that mishandle the personal information of their residents. However, a growing number of states have passed legislation that can provide legal “safe harbor” to those organizations that implement and maintain security measures based on a recognized cybersecurity framework.

In recent years, Utah, Ohio, and Connecticut have enacted legislation that offers legal protection to organizations that have implemented and maintained strong security practices. Specifically, the laws cite several common cybersecurity frameworks that qualify, including NIST CSF, NIST 800-171, CIS, and ISO 27001, among others. For organizations in a regulated industry (HIPAA, SOX, CMMC, etc.), demonstrated compliance with those regulations also applies. Several other states have proposed bills and pending legislation that would offer the same protection. Additionally, some states, such as California, have included safe harbor provisions in their data privacy laws.

Under this legislation, should an organization find itself in court as the result of a cyber incident, the laws provide an affirmative defense against liability for a data breach if the organization can prove that it took reasonable steps to maintain security in accordance with a recognized standard.

With the cybersecurity threat landscape growing rapidly, states are recognizing that organizations must improve their security practices and maintain a strong cybersecurity posture. However, there is no such thing as 100% security. By enacting these laws, states are shielding organizations that take reasonable steps to protect their data from the worst legal consequences.

Of course, safe harbor does not give an organization a "hall pass" in the event of a data breach. For instance, if the organization was aware of a threat or vulnerability and did nothing to remediate it, safe harbor offers no protection. An organization must not only implement the security framework but also maintain it on an ongoing basis. Proper maintenance of a security plan involves documentation, adherence to procedures, continual auditing, and change management. Security must become part of the culture if it is to be maintained.

Managed Service Providers can help their clients obtain this protection by, first, ensuring their own practices meet the requirements of an established cybersecurity framework. Then, the MSP can work with the client to ensure the client's internal practices align with the standard. Wrapping this into a Compliance-as-a-Service offering can provide an additional revenue source for the MSP as well. By working strategically with their clients to protect the business both technically and legally, MSPs can provide more value and command higher rates.

There are few cases of the existing laws having been tested in court. Judges and juries often find it challenging to understand the details of technology-related cases. Exactly how an organization proves, in a court of law, that it was in compliance with the standard at the time of the breach is unclear and will likely vary by state and case. Ultimately, good documentation of procedures, log files, change management records, and proof of past audits from around the time of the incident are the critical pieces of evidence that would be required to prove reasonable measures were taken. All of this is part of the compliance process regardless of the framework.

OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task, and it is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security- and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.

Risk Management, Security Framework, CIS, MSP | Mark Jennings

Why CIS is the Best Security Framework for MSPs

A couple of months ago I wrote about the importance of adopting a security framework to give structure and process to securing your practice. I went over several common frameworks and debated the pros and cons of each. In this article I am going to delve into the reasons why the Center for Internet Security (CIS) Framework is the best for MSPs.

When we compared the NIST and ISO frameworks to CIS, we found that NIST and ISO were somewhat loose and vague about which controls needed to be implemented in order to be compliant. Both standards leave a lot of leeway for alternative approaches to meeting the intent of a control. While this flexibility may be desirable in some situations, it can be confusing and lead to lapses in security. CIS, on the other hand, is well defined and prescriptive about what actions are needed to meet the standard. CIS also offers three clearly defined levels of compliance, Implementation Groups 1, 2, and 3, based on the needs of the organization.

Implementation Group 1 covers basic cyber hygiene. All organizations should strive to achieve IG1 at the very least, and that may be enough for a small business with no real exposure to sensitive data. Implementation Group 2 is most likely the appropriate level for most organizations and most MSPs; it provides an appropriate level of protection for a reasonable financial investment. Organizations that are custodians of very sensitive information or that manage critical systems would likely want to achieve Implementation Group 3.

Perhaps the most difficult part of implementing a security framework is knowing where to start. To guide organizations through the process, CIS has created the CIS Self-Assessment Tool (CSAT). By using the CSAT, an MSP can quickly determine its current state in relation to the CIS Framework, determine the gap between where it is today and the desired Implementation Group, and then use the tool to track progress against that goal.

One of the fundamental tasks of any MSP is the deployment of new technology into clients' networks. This includes servers (cloud-based or on-premises), workstations, switches, firewalls, Wi-Fi, etc. Each of these devices introduces potential vulnerabilities if not configured properly. This is where CIS really sets itself apart from the rest of the security framework community. Through close collaboration with many hardware and software manufacturers, CIS has developed a series of Benchmarks that provide a clear guide to the configuration of hundreds of products, including Windows operating systems, Microsoft Azure services, macOS, Palo Alto firewalls, Cisco switches, etc. For instance, if the MSP is deploying Windows Server 2019, it can reference the Benchmark for Windows Server 2019 and configure all of the settings in compliance with CIS IG1, 2, or 3.

The Benchmark guides are extremely thorough and detailed. Many are more than 1000 pages in length. Although it would be possible to follow the guide and configure a system manually, it would be incredibly time consuming and laborious. For this reason, CIS has created Build Kits for most of the Benchmarks. Build kits automate the application of the configuration through scripts and group policy objects. This allows the MSP to apply the proper security to the device quickly, efficiently, and consistently.

Additionally, CIS has created the CIS-CAT Pro Assessor tool. CIS-CAT Pro automates the comparison of a system's configuration against the corresponding Benchmark, and it can also identify missing patches. The resulting report lists all of the changes required to bring the system back into compliance.
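To make the mechanism behind a benchmark-driven assessment concrete, here is an added example (not CIS's own tooling, and not real CIS Benchmark content): a minimal assessor that compares a captured system configuration against a baseline of controls, each tagged with the lowest Implementation Group that requires it, and produces a gap report per target group. The control IDs (`HYPO-*`), setting names, expected values and the sample configuration are all constructed placeholders.

```python
"""Added example: a minimal benchmark-style assessor. Control IDs, settings,
expected values and the sample configuration are constructed placeholders,
not CIS Benchmark recommendations or CIS-CAT output."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str          # placeholder ID such as "HYPO-1.1" (not a CIS ID)
    setting: str             # key in the captured configuration snapshot
    expected: Any            # exact value, lower bound, or (low, high) range
    ig: int                  # lowest Implementation Group requiring this control
    comparison: str = "eq"   # "eq": actual == expected
                             # "min": actual >= expected
                             # "range": low <= actual <= high


# Constructed baseline; the settings mirror the kinds of items a hardening
# benchmark covers (password policy, lockout, legacy protocol, auditing).
BASELINE: List[Control] = [
    Control("HYPO-1.1", "password_min_length", 14, 1, "min"),
    Control("HYPO-1.2", "account_lockout_threshold", (1, 5), 1, "range"),
    Control("HYPO-2.1", "smbv1_enabled", False, 1),
    Control("HYPO-3.1", "audit_logon_events", "success_and_failure", 2),
    Control("HYPO-4.1", "remote_registry_service", "disabled", 3),
]

# Constructed snapshot standing in for what an assessor would collect from a host.
SAMPLE_CONFIG: Dict[str, Any] = {
    "password_min_length": 8,
    "account_lockout_threshold": 0,        # 0 means accounts never lock out
    "smbv1_enabled": False,
    "audit_logon_events": "success_and_failure",
    "remote_registry_service": "running",
}


def satisfies(control: Control, actual: Optional[Any]) -> bool:
    """True when the observed value meets the control. A missing setting fails
    closed: an assessor must not assume an unobserved setting is compliant."""
    if actual is None:
        return False
    if control.comparison == "eq":
        return actual == control.expected
    if control.comparison == "min":
        return actual >= control.expected
    if control.comparison == "range":
        low, high = control.expected
        return low <= actual <= high
    raise ValueError(f"unknown comparison {control.comparison!r}")


def assess(config: Dict[str, Any], baseline: List[Control], target_ig: int) -> List[Dict[str, Any]]:
    """Evaluate every control required at target_ig. Groups are cumulative:
    IG2 includes all IG1 controls, IG3 includes IG1 and IG2."""
    findings = []
    for control in baseline:
        if control.ig > target_ig:
            continue
        actual = config.get(control.setting)
        findings.append({
            "control": control.control_id,
            "setting": control.setting,
            "ig": control.ig,
            "expected": control.expected,
            "actual": actual,
            "status": "PASS" if satisfies(control, actual) else "FAIL",
        })
    return findings


def gap_report(config: Dict[str, Any], baseline: List[Control], target_ig: int) -> Dict[str, Any]:
    """Summarise the gap between the snapshot and the target Implementation Group."""
    findings = assess(config, baseline, target_ig)
    failed = [f for f in findings if f["status"] == "FAIL"]
    score = (len(findings) - len(failed)) / len(findings) if findings else 0.0
    return {"target_ig": target_ig, "assessed": len(findings), "failed": failed, "score": round(score, 2)}


if __name__ == "__main__":
    for ig in (1, 2, 3):
        report = gap_report(SAMPLE_CONFIG, BASELINE, ig)
        print(f"IG{ig}: {report['assessed']} controls assessed, "
              f"{len(report['failed'])} failing, score {report['score']}")
        for f in report["failed"]:
            print(f"  {f['control']} {f['setting']}: expected {f['expected']!r}, found {f['actual']!r}")
```

Two design points carry over to real assessments: a setting that could not be observed is reported as a failure rather than silently skipped, and the Implementation Groups are cumulative, so the same snapshot scores differently depending on which group the organization is targeting.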

Access to the CIS Framework documentation and the CSAT tool is free of charge. However, the more advanced tools require membership in the CIS SecureSuite program. The annual fee for SecureSuite membership varies by company size. Academic, non-profit, and governmental agencies may be eligible for free subscriptions. MSPs looking to use the framework for commercial purposes and consulting services pay an annual fee based on their annual revenue.

Given the highly prescriptive nature and clear definition of its standards, the CIS Security Framework is the ideal framework for MSPs. Compliance is achieved through specific controls, and those controls are enforced on deployed products in an automated and auditable fashion.

Additionally, CIS overlaps heavily with all of the other common frameworks and standards, so MSPs that have achieved CIS Implementation Group 2 can be confident their security standards are up to par with many of the regulatory requirements to which their clients are subject, such as HIPAA, SOX, GLBA, etc. MSPs that also pursue NIST or ISO certification are close to that goal as well, thanks to the overlap and cross-references between the standards.

By implementing the CIS Security framework MSPs will increase their value, reduce their risk, and outshine the competition. What MSP wouldn’t want that?
