Understanding compliance for MSPs
MSPs searching for ways to differentiate and grow can often do so by providing solutions for vertical markets like government, defense, healthcare, finance, education, and others. However, to successfully gain business in such verticals, MSPs need a good grasp of the standards, frameworks, and other compliance issues specific to those markets.
Standards and frameworks are not the same thing
While they are often used interchangeably, there’s a difference between a standard and a framework for compliance. Standards define the controls an organization must have in place to be considered compliant with a regulation or contractual requirement; they are what an auditor or assessor measures against. Frameworks are the structured best practices an organization follows to select, implement, and manage those controls.
In other words, frameworks serve as a guideline. For MSPs, the good news is that while these standards and frameworks may be pretty specific in their security requirements, service providers can tie these requirements to other security measures and technologies that would benefit clients beyond simply achieving compliance. Remember, compliance standards represent a minimum requirement, not a complete security program.
The security framework most familiar to many MSPs is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. However, different organizations may have to follow different standards and associated frameworks. For example, defense contractors that handle federal contract information or controlled unclassified information for the U.S. Department of Defense must meet the Cybersecurity Maturity Model Certification (CMMC), whose requirements are built on the controls in NIST SP 800-171. Other examples include:
- SOC 2 (System and Organization Controls 2), an AICPA attestation standard covering a service organization's controls for security, availability, processing integrity, confidentiality, and privacy; a Type 2 report tests whether those controls operated effectively over a review period, whereas a Type 1 report only describes their design at a point in time (SOC 1 is the separate report for controls relevant to clients' financial reporting)
- The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards, which apply to owners and operators of the bulk electric system
- The Health Insurance Portability and Accountability Act (HIPAA), whose Privacy and Security Rules govern covered entities and their business associates in the healthcare industry; an MSP that handles protected health information on a client's behalf is itself a business associate and must sign a business associate agreement
- The Federal Information Security Management Act (FISMA, updated by the Federal Information Security Modernization Act of 2014), the law governing federal agencies' information security programs, which agencies implement through NIST standards such as FIPS 199, FIPS 200, and SP 800-53
Compliance management best practices
Compliance management can be complex for many companies, particularly small and midsize businesses. As a result, there’s an opportunity for MSPs to take on the compliance management role as part of their security services, but doing so requires that the MSP be fully educated on those standards and frameworks, and ensure their systems are also compliant.
MSPs should adopt industry frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 internally and across their security and services portfolio. That should also include continuous monitoring and periodic reviews so that compliance is maintained as the solution portfolio evolves.
Staff should be educated on the specific standards and frameworks for the targeted vertical market, including ongoing training to stay current with industry best practices. That background will be critical for demonstrating to clients that the MSP can help with their compliance management needs.
To that end, MSPs will need to research those pain points and how their services and technology offerings could help. For example, compliance is generally not a core competency for smaller businesses. Still, they may have particular needs when it comes to compliance, such as records retention or meeting response and reporting requirements related to data loss or security breaches.
Centralized security management and monitoring technology will also be necessary for compliance, as most standards require logging, visibility, and evidence that controls are operating, which many SMBs cannot produce on their own. For security-centric MSPs, that kind of centralized tooling is also essential for meeting their own service level commitments.
MSPs should conduct regular internal audits to ensure their internal systems are adequately secured and that their service and technology offerings to clients are still fully compliant with industry standards.
Compliance management also comes with risk, so MSPs should evaluate insurance options that can protect them if they were subject to liability related to regulatory fines or penalties levied against a client after a security incident.
Providing compliance services to clients in new vertical markets presents a profitable opportunity for MSPs, offering a way to build on their security solutions portfolio. Moreover, vertical specialization can pay big dividends for those who can invest in the technology and education required to take on compliance management.
This article originally appeared in Channel Futures.