Compliance-as-a-Service…Great Idea! But Start With Your Own Practice

This week, Kaseya released its 2023 Global Benchmark Survey Report. The survey, completed by more than 1000 respondents worldwide (predominantly the Americas), highlights the top trends in the MSP industry for the current year and compares them against the previous year.

 Unsurprisingly, CyberSecurity ranks as the highest concern of MSPs showing a 15% increase over the 2022 results. In fact, the top five new services MSPs plan to offer in the coming year fall into the Cybersecurity services category. Topping the list at 39% is Regulatory Compliance Management and Reporting. This is followed by Managed Detection and Response, Dark Web Monitoring, Identity and Access Management, and Security Awareness Training.

 The interest in offering Regulatory Compliance Management services, often referred to as Compliance-as-a-Service, makes sense with the increase in regulatory requirements.

 However, many MSPs need to start by getting their own house in order. True compliance requires that policies and procedures are documented, processes are audited, and all employees are trained and follow the documented procedures. Although many MSPs have implemented strong security measures and practice good general cyber hygiene, many lack the documentation and consistent auditing to pass an external audit.

 In most cases, MSPs have an integral relationship with the workflow of their clients. Tasks such as user identity creation and setting permissions place the MSP in the process of Access Control. Likewise, providing a managed backup and recovery service implies that the MSP is involved in the storage and transfer of Personally Identifiable Information (PII) which is protected under most regulations. If the MSP fails to document the policies, processes, and procedures for safeguarding this information, they place their clients in jeopardy of falling out of compliance.

 MSPs should have a Shared Responsibility Matrix with any client in a regulated industry (ideally all clients). The SRM typically maps to each control required by the regulation and identifies the responsible and accountable parties in a RACI fashion. Each process required to meet the control is identified and the Responsible, Accountable, Consulted, and Informed parties are documented.

 In the MSP relationship, certain activities will be the responsibility of the service provider and the provider will be accountable to make sure they take place. One example of this is the deployment, monitoring, and management of anti-virus software. The MSP makes sure that AV is deployed correctly, functioning, kept up-to-date, and that detected viruses are quarantined and eliminated. The customer is informed of the activity during a typical Quarterly Business Review. On the other hand, access control is a shared responsibility between the MSP and the customer. The customer must inform the MSP of all new employees and the permissions those employees should be granted. Likewise, the customer must inform the MSP of any employee terminations to ensure the account is properly disabled in a timely manner. Ultimately the customer is accountable to make sure that all employees are identified, and that their level of access is appropriate to their role.

 The shared responsibility matrix must be reviewed by the MSP and the client regularly to ensure both parties are aware of their roles and responsibilities.

 For each control of which the MSP is responsible and accountable, the policies and procedures must be documented. The method by which the process is audited must be documented as well. Since compliance is an on-going process, evidence must be gathered and maintained to prove that audits are taking place on the schedule defined within the policies. The failure of either party on any given control can put the customer in jeopardy of a regulatory violation. Likewise, the MSP could find themselves in a litigation situation with their customer.

 By having a clearly defined shared responsibility matrix based on a common cyber security framework, and supporting evidence that the process are being followed, both the MSP and the customer will be in a much better position should a breach occur.

 In fact, several states have enacted safe harbor laws that protect organizations that have adopted a common cybersecurity framework from serious penalties in the event of a breach. Utah, Ohio, and Connecticut currently have laws on the books that state that organizations that follow NIST, CIS, HIPAA, ISO 27001, etc. will be protected against punitive damages should the case land in court. Other states are sure to follow. Under these laws organizations must provide reasonable evidence that they have implemented the controls defined by the standard.

 The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center in the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.