Compliance is a Process

For many MSPs, the word "compliance" conjures up images of intrusive bureaucracy and major expense. Although the reality may not be too far from that, compliance has inevitably become a concern for MSPs (whether they realize it or not).

Over the past 15 years or so, the workflow of the MSP has become more and more intertwined with that of the client. As the MSP takes on services such as backing the client's data up to the cloud, on-boarding and off-boarding employees, or hosting the client's data in the cloud outright, the client's regulatory compliance depends on the MSP's own processes and procedures meeting the requirements.

But fundamentally, what does it mean to be compliant? In many cases, the MSP is already providing services that meet the requirements. However, those services are probably not well documented and are not audited on a regular basis. To prove that your practices meet a regulatory standard, the processes and procedures must be documented and audited, and evidence must be produced and preserved that shows the policies are actually being followed.

Let's look at what the entire process of implementing compliant practices looks like.


The Six Steps of Implementing a Compliant Process

Regardless of the standard you are trying to comply with, the process remains the same. There are six steps:

Document Policies

Implement tools/controls

Document Procedures

Train staff

Audit processes

Assess and revise processes

We'll go through each step. For this exercise, we will use Access Control as the example process. Every security framework or regulation has a requirement to control access to data.


Document Policies

For each control or requirement, a policy must be developed to clearly identify what the organization does to achieve compliance with the requirements of the framework.

Policies are relatively broad. They document WHAT the organization must do, not HOW it gets done. Because policies must be signed by senior management, it is important that they not change very often. The underlying processes and procedures may change as the organization, its tools, or its staff change, but the policy should remain relatively static.

For Access Control, the policy would state that access is granted when an employee is onboarded, revoked when an employee is off-boarded, how permissions are determined, and that access is re-evaluated when an employee changes role. It may also include a remote access policy, a wifi policy, and personal device restrictions. In our example, the policy may state that permissions are assigned on a role-based, least-privilege basis.


Implement Tools/Controls

The organization must implement tools by which they can enforce and manage the policies. In our Access Control example we might implement tools like Active Directory, Multi-factor Authentication, VPN technology, Single Sign-on, SASE, and others.

The tools should be capable of meeting all the objectives defined in the policies, and their configuration is dictated by the policies as well. As an example, a regulation may require a specific strength of encryption, or that a product hold a particular certification, to meet the requirements.

Document Procedures

With the tools in place, you will need to document the procedures for using the tools to meet the requirements of the policy. In our example, we would document how users are added in Active Directory, how MFA is applied to users, and what parameters are applied for VPN access. This is not a step-by-step, click/next type of instruction set; we assume that our administrators know how to use the tools. However, it is detailed enough that every task is completed in the same manner regardless of which admin performs it.

The procedure, in many cases, should include a checklist to ensure all tasks are completed. Most PSA systems support the creation of checklists within the ticketing system, so incomplete tasks can easily be identified and the ticket cannot be closed until every item is done. By creating a unique ticket type for compliance-related tasks, they can be easily tracked and deviations can be identified.

Training

All employees must be trained on the policies and procedures. Global policies such as acceptable use, remote work, and confidentiality policies, which apply to all employees, must be reviewed and accepted by all employees. In our Access Control example, employees must be trained not to let strangers tailgate through secured doors behind them without swiping a badge. Implementing an electronic review and sign-off system is a great way to ensure employees review the policies annually. Ideally, incorporating corporate policies into Security Awareness training ensures that the training and acceptance occur on a regular basis.

System administrators need to be trained in the procedures they administer. Within Access Control, admins must be trained to follow the documented procedures for account creation, permission assignment, and account termination. It is important that the procedures be followed accurately and consistently.

Auditing

We can't simply assume that our policies and procedures are being followed by our employees and admins. We must "inspect what we expect". Our overall process must include an audit function that gathers evidence of compliance, or indicators of non-compliance. It is through the auditing process that we prove our compliance.

The audit process can include the collection of system logs, alert reviews, and manual inspection of systems and data. In our Access Control example, we might have a monthly review of all employee hires and terminations in the previous month. The accounts created and removed during that month should be reconciled against that list: every hire should have an account created, every termination should have an account disabled or removed within the time the policy allows, and there should be no account created or removed that HR cannot explain. Completed checklists of actions taken by admins should reveal any incomplete tasks.

Using the ticketing system in our PSA for this function can improve the process. Creating a recurring ticket for each audit function, scheduled for the time it is supposed to happen, applies automation to the process. The ticket is assigned to the individual in charge of the function and cannot be closed until the review is complete. A report on open tickets identifies any audits that are not complete.
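The monthly joiner/leaver reconciliation described above can be scripted so the auditor starts from a list of findings rather than two raw exports. The following is an added example, not code from the original article or from any PSA or directory product. It assumes an HR export with one record per hire or termination, and directory events in the shape of Windows Security events 4720 (user account created) and 4726 (user account deleted) flattened to one line each; the HR records, event lines, and the one-day off-boarding SLA are all constructed for this example.

```python
"""
Monthly joiner/leaver reconciliation (added example, not from the article).
Compares the HR list of hires and terminations for the audit period against
account create/delete events from the directory and reports each mismatch
as an audit finding.

Assumptions (not from the article):
  * HR exports one record per hire or termination.
  * Directory events are Windows Security events 4720 (account created) and
    4726 (account deleted), one per line. The lines below are constructed.
  * Policy requires a leaver's account to be removed within OFFBOARD_SLA_DAYS.
"""
import re
from datetime import date, datetime, timedelta

OFFBOARD_SLA_DAYS = 1  # assumed policy: remove within one day of termination

# Constructed HR export for the audit period (March 2024).
HR_RECORDS = [
    {"user": "jdoe",   "action": "hire",      "date": date(2024, 3, 4)},
    {"user": "asmith", "action": "hire",      "date": date(2024, 3, 11)},
    {"user": "bwong",  "action": "terminate", "date": date(2024, 3, 15)},
    {"user": "clee",   "action": "terminate", "date": date(2024, 3, 22)},
]

# Constructed directory events; field names follow the 4720/4726 schema
# (TargetUserName is the account acted on, SubjectUserName the admin).
EVENT_LINES = """\
2024-03-04T09:12:31Z EventID=4720 TargetUserName=jdoe SubjectUserName=admin1
2024-03-11T08:47:02Z EventID=4720 TargetUserName=asmith SubjectUserName=admin2
2024-03-12T14:03:55Z EventID=4720 TargetUserName=svc-backup2 SubjectUserName=admin2
2024-03-19T17:30:10Z EventID=4726 TargetUserName=bwong SubjectUserName=admin1
""".splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+)"
)


def parse_events(lines):
    """Return [(date, event_id, user)] for lines matching the schema."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; skipped, not a finding
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").date()
        events.append((ts, int(m.group("id")), m.group("user")))
    return events


def reconcile(hr_records, event_lines, period_start, period_end):
    """Compare HR joiners/leavers to directory events; return findings."""
    events = parse_events(event_lines)
    in_period = [e for e in events if period_start <= e[0] <= period_end]
    created = {u: d for d, eid, u in in_period if eid == 4720}
    deleted = {u: d for d, eid, u in in_period if eid == 4726}

    hires = {r["user"]: r["date"] for r in hr_records if r["action"] == "hire"}
    terms = {r["user"]: r["date"] for r in hr_records if r["action"] == "terminate"}

    return {
        # A hire with no account created: the onboarding procedure was skipped.
        "hire_without_account": sorted(set(hires) - set(created)),
        # An account created with no hire behind it: who authorised it?
        "account_without_hire": sorted(set(created) - set(hires)),
        # A leaver who still has an account: the highest-risk finding.
        "termination_without_removal": sorted(set(terms) - set(deleted)),
        # An account removed with no termination behind it.
        "removal_without_termination": sorted(set(deleted) - set(terms)),
        # Removed, but later than the policy allows.
        "late_removal": sorted(
            u for u in set(terms) & set(deleted)
            if deleted[u] - terms[u] > timedelta(days=OFFBOARD_SLA_DAYS)
        ),
    }


def audit_passed(findings):
    """The audit ticket may only be closed when every finding list is empty."""
    return not any(findings.values())


def run_sample_audit():
    """Run the reconciliation over the constructed March 2024 data."""
    return reconcile(HR_RECORDS, EVENT_LINES, date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    result = run_sample_audit()
    for category, users in result.items():
        print(f"{category}: {users or 'none'}")
    print("audit passed:", audit_passed(result))
```

On the constructed data the script flags three findings: svc-backup2 was created with no hire behind it, clee was terminated but never removed, and bwong was removed four days after termination, outside the assumed one-day SLA. Each finding is what the auditor attaches to the recurring audit ticket as evidence, and the ticket stays open until every item is explained or remediated.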

Process Assessment and Revision

The one constant in business is change. Policies and procedures become outdated or ineffective as technology or the business changes. New policies need to be developed to address new threats, concerns, or regulations. A great example occurred during the pandemic. Although many companies had remote access policies and procedures before the pandemic, they most likely applied only to a small subset of the workforce with periodic or intermittent needs for remote access. The pandemic rapidly changed that by forcing most, if not all, employees to work from home. The existing remote work tools, policies, and procedures were inadequate for the need. This created an unprecedented requirement for organizations to quickly implement new tools, define new policies, develop new procedures, and train employees on a dramatically accelerated timeline. A process that would normally take several months was compressed into just a few weeks.

While that may be a drastic example, it demonstrates that policies and procedures can change because of external forces. Your process should include some form of annual review that examines changes in the organization and identifies areas where the policies and procedures no longer align with them.

This can be done as a formal annual review of policies and procedures where stakeholders simply go over each policy and discuss whether any changes have occurred that require modification of the policy or the written procedures. It could also include an annual SOC 2 Type 2 audit, in which a third party produces a formal report expressing an official opinion on the effectiveness of the organization's controls against the policies in place. It can also include a formal certification process such as ISO 27001 or the upcoming CMMC program.

Summary

Achieving and maintaining compliance is an ongoing, never-ending process. It needs to be ingrained in the culture of the organization. From senior management down to front-line workers, compliance must be taken seriously. By following the process, policies and procedures can be developed, trained, maintained, and adjusted to keep the organization in compliance and out of trouble.

OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task, and it is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to build a security- and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable for meeting the requirements. Find out more about joining OTX Roundtable GRC here.
