Common Security Standards for MSPs and MSSPs
Managed Service Providers (MSPs) are facing challenges like never before. In recent years, MSPs have become not only the protectors of their clients' networks but targets of bad actors as well. Hackers have turned to MSPs, and to the vendors of the tools MSPs use, as a conduit by which to extort victims. Recent exploits within SolarWinds and Kaseya have brought to the forefront just how vulnerable MSPs can be. The managed service industry remains unregulated, and thus it is up to each MSP to determine which measures to take to safeguard its business and that of its clients. It is no longer enough to take an unstructured approach to assessing your own security. MSPs must adopt established standards to ensure they are not missing key elements in their security posture. At a minimum, the MSP should choose a standard, perform a self-assessment against it, and remediate any non-compliant practices. MSPs should also align the services they offer with the standard they follow.
Standards compliance will not only ensure that you are doing all you can to protect yourself and your clients, it will also help when there is a breach. The more controls you have in place, the better your chances are of thwarting an attack. However, there is no perfect defense, so when a breach does occur and you face potential legal challenges, showing compliance with a recognized standard will help with any legal and insurance claims.
The good news is that there are several standards to choose from. Depending on the typical client profile, the MSP may choose different standards. For instance, an MSP running its own cloud services might opt for SOC 2 certification, whereas one that works with a lot of defense contractors would likely select NIST 800-171. In the end, any of the broadly recognized standards will suffice.
The section below is intended to be a resource for MSPs to use to determine which standard is right for them and gain insight into the process of assessment, compliance, and certification.