Easy MSP Compliance Tips for Beginners
Written by: Charles Weaver, CEO of MSPAlliance
Many MSPs are heading into the summer months with internal projects to prepare for an increase in workload once the quarantine lifts. Some MSPs will be addressing internal controls, policies, and procedures, as they strive to achieve higher levels of security and scalability.
One of the excuses I hear from MSPs for why they do not begin working on internal controls is that they do not know where to begin. There are many frameworks, standards, and laws that may influence the direction of your MSP practice. An obvious example would be following your regulated clients and adopting their control frameworks to be more appealing to them.
There are, however, some easy steps every MSP should be adopting, no matter what type of client they serve. These fundamental controls live within the Unified Certification Standard (the standard that is the foundation for the MSP Verify program). Here are a few examples of controls (and control families) all MSPs should be following.
These controls focus on internal users (your MSP employees and contractors) and the access they have to MSP and client data, systems, and networks. Specific attention should be placed on how the user is granted access and any safeguards around the process of giving users access.
Similarly, all MSPs should have an exit procedure dealing with how users are removed from systems and networks.
External Service Providers
Also known as vendor management, understanding which third-party entities access your MSP systems and networks, how they do so, and when, is important. All MSPs should have an exact knowledge of all external providers who have temporary or permanent access to the MSP, especially when it comes to data access.
Developing a simple vendor access list can help in securing your MSP practice. During the MSP Verify process, for example, we have an application listing form everyone must complete. This form tracks all the vendors used in the delivery of your managed services, including where they are located, whether they are cloud or on-premises, their methods of access, and the level of reliance the MSP has on that particular technology or vendor company.
Data Access – what you do and don’t manage
Frequently in MSP Verify projects, we spend as much time on data, systems, and networks the MSP does NOT monitor or manage as we do those objects they do manage. Many clients today are more concerned about knowing where the limits are with their MSP, especially as the data becomes more sensitive, valuable, and regulated.
MSPs should have a carefully articulated policy document describing how far their managed services offerings extend into the client environment. For example, many MSPs explicitly refuse to manage certain types of user data, such as credit card information. If that is your MSP practice, then stating so will help your clients and prospects make better and faster decisions about working with you than if they had to probe and ask questions because the MSP does not have these answers.
Finally, we spend a lot of time talking about the importance of documentation. MSPs need to document how they do things; these are often called policy or procedure documents.
I like the analogy of cooking. If the MSP is the chef, having a great recipe is only the beginning. If you want to scale the preparation of that meal, you must write it down so others can follow it, and so you can make sure others are following it properly!
Documentation may not sound like a fun job, but once it is done, maintaining it becomes much more manageable. And having a properly documented MSP practice will make a world of difference in your efficiency, scalability, and security.
Try these simple tips out and see how much your MSP practice can improve.