MSP Compliance Made Easy
Written by: Charles Weaver, co-founder of MSPAlliance
For many MSPs, process is everything. Developing internal and external service delivery practices is what makes an MSP efficient and scalable. Most MSPs are very comfortable with a repeatable process, particularly when it comes to process related to delivering customer managed services.
Compliance, on the other hand, is something most MSPs are either unfamiliar with or associate with a negative connotation. In my opinion, compliance is something most MSPs could be doing quite easily if they only made it part of their daily process and procedures. Here are a few examples of compliance made easy as part of your daily managed services operational tasks.
Most MSPs understand the value of backing up customer data. As ransomware attacks continue to grow, MSPs should also be backing up their internal data to remain operationally resilient. To accomplish this task (and be compliant with industry best practices), MSPs can create a daily recurring ticket to validate that internal backups have successfully been completed and checked. You may even want to add a ticket to remind yourself to perform a periodic data restore, to make sure the data you backed up is usable.
MSPs hire people. It is essential to have a process for when you hire a new employee to make sure they are brought into your MSP organization safely and efficiently. How do you do this? Simple.
Create a checklist for onboarding new hires. The list can include steps such as doing a background check, employee training, distributing company equipment, and provisioning user access rights that match the employee’s job title. Having the checklist helps ensure that each step is followed and the user doesn’t end up with the wrong access rights. As you might guess, it’s just as important to have an off-boarding checklist, so when employees leave the company, their access rights are promptly and thoroughly turned off.
One of the best ideas I ever saw within an MSP organization happened many years ago, involving an internal ticket review meeting. The MSP had created a standing NOC/help desk meeting each week where they went through closed tickets to evaluate whether the proper procedures (including documentation requirements) were performed.
While it may sound insignificant, the MSP found that it helped a lot with training existing personnel. It also kept bad behavior to a minimum since the NOC staff were always prepared to discuss tickets they handled. The weekly training even let management know how compliant the managed services delivery team was every week.
These are only three examples, but there are many more that apply to even the smallest of MSP practices. If you think compliance is something you can do in a day, you are wrong. The point is to start today and build your compliance until it evolves. Document your processes and create tickets to remind you of your compliance tasks (tickets are also a great way to provide evidence to the auditors if you are ever examined for an MSP Verify or SOC).
Once you have the process down, you can then shape your compliance tasks to virtually any standard that exists.