Beyond Services: Compliance Management and the Managed Security Practice

Organizations are often required to follow one or more compliance requirements, ranging from the protection and handling of personal information, such as financial information and healthcare, to financial reporting and electrical grid system security. Companies that do not adhere to compliance standards—whether inadvertently or on purpose—are subject to punishment, including steep fines and jail time.

Beyond Services: Compliance Management and the Managed Security Practice
Beyond Services: Compliance Management and the Managed Security Practice

Managed service providers (MSPs) can expand their business by helping organizations implement and maintain compliance management.

Read this article that highlights key steps you can take to expand your compliance management services.

Content Summary

Context
Key Takeaways

  • Compliance management creates new opportunities for MSPs but requires a shift in the business model.
  • MSPs need to shift business models to support compliance management services.
  • As malicious activities continue to rise, adhering to compliance standards protects the business.
  • Businesses of all sizes and industries typically must adhere to at least one compliance standard.
  • MSPs can leverage available technologies to help customers achieve compliance.

Context

The speakers discussed the major shift in thinking that MSPs need to make as they add compliance management services to their portfolios. They also shared major regulatory compliance initiatives that organizations are likely to encounter, and the service functionality that MSPs can offer to address this client challenge.

[Some] compliance standards are more focused on proving that you’ve gone through the process to make sure you’re compliant than on whether you are actually secure.

MSPs need to shift business models to support compliance management services.
The shift in thinking:

  • Defines goals and services > Defines services only: Goals are defined in regulatory compliance standards.
  • Results-focused > Process focused: Compliance mandates are often more focused on proof that a process is available and can be followed than on results.
  • Specific execution > Generalities: Compliance mandates vary in specificity; they can include broadly written goals.
  • Well-defined > Less defined: Especially with generally stated compliance standards, MSPs are likely to be dealing with skeleton requirements.

Key Takeaways

Compliance management creates new opportunities for MSPs but requires a shift in the business model. Adding compliance management to the service portfolio opens up new opportunities for MSPs, both in selling new services to existing clients and in gaining new customers. However, compliance management requirements are significantly different from the services that most MSPs currently provide, meaning the business needs to be ready to shift its thinking.

As malicious activities continue to rise, adhering to compliance standards protects the business. Security is an increasing concern in today’s business environment. The number of malicious attacks continues to rise exponentially and shows no signs of slowing down. Adhering to regulatory compliance standards, which contain requirements impacting system and data security, can protect a business from costly data breaches.

Security Landscape
Security Landscape

Regulatory compliance—adherence to laws, regulations, guidelines, and specifications relevant to the business—help the business run more efficiently and with more protection. Violations of regulations are more damaging than just increasing the likelihood of a data breach; they can result in severe financial penalties and even jail time.

Businesses of all sizes and industries typically must adhere to at least one compliance standard. Regulatory compliance standards can apply to businesses large and small, in any industry. Three compliance standards affecting many businesses are Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX).

  • PCI DSS: This compliance standard, created by financial institutions to protect people’s financial information, affects any business processing payments. Compliance requirements include securing data from a process standpoint, as well as from a system architecture standpoint. PCI compliance is a challenge to maintain for many businesses; according to a 2015 Verizon PCI Compliance Report, only 1 in 4 organizations was fully PCI compliant less than a year after a successful PCI validation.
  • HIPAA: This is a U.S. law focused on safeguarding medical information, with provisions related to data privacy and security. Not complying with this law, which can occur through data breaches, can be costly. For example, in February 2017, Memorial Healthcare Systems paid a $5.5 million fine to the Department of Health and Human Services for a potential HIPAA violation.
  • SOX: This is a U.S. law enacted after corporate financial and accounting scandals, including accounting issues at Arthur Andersen and Enron. SOX must be followed by all public companies along with many private ones. SOX protects investors by improving the accuracy and reliability of corporate disclosures.

No matter what swatch of industry your customers live in, you’ve got something [related to compliance] that will be applicable to them and something that can help them achieve compliance.

Organizations may also need to manage compliance with other U.S. or global regulations, as shown below.

  • PCI DSS: Protects consumers’ personal financial information in payment processing.
  • HIPAA: Safeguards patients’ medical information (U.S. law).
  • SOX: Requires the accuracy and reliability of corporate financial disclosures (U.S. law).
  • Gramm-Leach-Bliley Act (GLBA): Controls how financial institutions handle personal information (U.S. law).
  • Good Practice Guide 13 (GPG13): Improves company risk profiles through protective monitoring (UK law).
  • ISO27001: Proves a framework of policies and procedures for an information security management system (ISMS).
  • Financial Industry Regulatory Authority (FINRA): Governs business dealings conducted between dealers, brokers, and all public investors.
  • Federal Information Security Act (FISMA): Protects government information, operations, and assets against natural or manmade threats (U.S. law).
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): Secures cyber assets essential to the reliable operation of the electric grid.

The biggest challenge is making compliance part of your everyday process; making it business as usual.

MSPs can leverage available technologies to help customers achieve compliance. Implementing compliance management, and maintaining and integrating it so that it becomes part of the everyday business process, is challenging for MSPs and organizations alike. Common challenges include collecting relevant data on the state of compliance, determining which assets are in scope, documenting the state of compliance, and maintaining compliance processes.

MSPs can leverage technology solutions, like those offered by AT&T Cybersecurity, to provide the functionality necessary for successful compliance management.

Compliance management solution functionality:

  • Identify systems and applications that could provide attack vectors for malicious actors.
  • Document vulnerable assets, such as weak or default passwords, software not patched to the current version, and known vulnerabilities.
  • Find threats on the network, including threats as they occur in real-time.
  • Look for unusual behavior that can signify an attack.
  • Correlate the data and respond so that information can be used to identify threats.

While technology can help prevent and identify threats, once a threat is found, it requires IT staff to resolve the existing problem and develop a plan to prevent and handle similar threats in the future. This hands-on approach can be a differentiator for MSPs, especially if competitors do not offer similar white-glove service.

Source: AT&T Business

Thomas Apel Published by Thomas Apel

, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process and answering readers' comments included.