Webinar: Cybersecurity Framework Compliance 101
In this webinar, Mark Jennings provided us with a look at what makes up a cybersecurity framework and what it means to be compliant. Compliance is a process. The six major steps to achieve compliance and best practices to implement those steps were reviewed. Additionally, a practical approach for an MSP to select a framework and map out a plan to achieve and maintain compliance was discussed. Be sure to listen to this recording.
NSITSP Webinar – Cybersecurity Framework Compliance 101
Wednesday, December 11 | 1PM ET
Steve Kazan: Record, but welcome everybody to the first of a series of cybersecurity presentations presented by the National Society of IT Service Providers (NSITSP). We are honored, blessed, lucky to have Mark Jennings with us from OTX Partners to do the presentation for us today. Before we get there, let me go through a few little logistical comments. My name is Steve Kazan. I’m the moderator today. I’m also a Board Member and happen to be the Board President of the NSITSP, and I’m very humbled at that role, anyway. Moving along. Please stay on mute. We want no background noise so we have a really good recording, and we’ll talk about the reasons why. Chat – You guys are filling up the chat. Thank you for that, you know. Introduce yourselves. Tell us where you’re from. Tell us what questions you have about cybersecurity. I suspect we have some experts on this call today on compliance. So you know, if you have an opinion, or if you have a question, the chat is where it’s at. Recordings – This is being recorded and we will have an audio recording that we will share. We will also have a summary in text. So that makes it easy for people just to read very quickly. We’ll send out copies of the slides. So, you know, if you don’t want to take copious notes, just understand that we’re going to email out those and the recording will be on the NSITSP website. So that would be the place to go get it. And I think that’s it for the cover slide. Let’s go to slide number 2.
Steve Kazan: All right. Oh, whoop! What.
Mark Jennings: Backup backup. There we go.
Steve Kazan: All right. So we want to thank our sponsors. The NSITSP has a number of sponsors for this particular session. Marma Security is a leader and very well focused and targeted on the MSP space. We are very grateful for them. We have a little more detail about them later in the presentation. I also want to talk about Cameron Brister. So Cameron is a member. I met Cameron on the Marketing Committee of the NSITSP. We became friends, and Cameron has made other friends and colleagues in the NSITSP and having him as an individual sponsor for this particular webinar, is a great showing. I would say to others, for a princely sum of $50, you can also be a sponsor. So thank you to Cameron for starting us off as an individual, and let’s keep going. Okay, here’s the slide.
Mark Jennings: All right. So thank you for kicking this off, Steve. I appreciate all of your contributions here, and thank you, everybody for joining us today. I am so excited to be kicking off this cyber series that we’ve been building for a couple of months. This is going to run the entire year. We’ve got a great webinar every month over the next year, and we’re starting with one today. This is Cybersecurity Framework Compliance 101. You’ll see what goes into one of these things, and then we’re going to do a deeper dive into a lot of the topics that we’re bringing up in today’s webinar.
Mark Jennings: So next month we’re going to go do an Introduction to CIS Security Framework, which we’re going to have with Phyllis Lee, who’s the Senior Vice President of the Controls at the Center for Internet Security (CIS). In February, we’re going to have the CMMC: What Does It Mean for MSPs? We have Joy Beland of Summit 7 coming in. She’s a CMMC Assessor, and they’re going through their CMMC Assessment in the next month or so.
Mark Jennings: We’re going to explore the Shared Responsibility Model. We’re going to look at the NIST Cybersecurity Framework. We have Wes Spencer from Empath coming in to do that one. We’re going to be looking at PCI DSS v4.0. What’s new in that? What’s up with PCI in general? We’re going to look at HIPAA. We’re going to look at the FTC Safeguards Rule. And then we’re going to look at selling cybersecurity. We’re going to be talking about making investments in your business. But why do it? If you can’t sell it, you need to make sure that your sales force can sell this stuff. So we’re going to go into that. We’re going to do legal risks in the MSP industry. What are some of the things you need to be aware of? There, we’re going to look at SOC 2 Type II Audits. And then finally, we’re going to look at what it takes to build a security focused culture around cybersecurity. So please, you know, join us in the next few, and keep these on your calendar as we go through these.
Steve Kazan: So let me just jump in on those real quick. So a couple of things to talk about. One is, think of those as a collection. Think of those as a curriculum. Think of those as if you have a new employee who you want to start on the road to a knowledge of cybersecurity, that particular package all grouped together on the NSITSP website where members have access to it and only members have access to it. This is the start, the foundation of that particular curriculum. Think about those topics as experts, as Mark said. He’s going to be, you know, finding the best of the best for each of those topics, and the information is going to be relevant to MSPs specifically. So, you know, there are lots of things you could say about all those topics, but to focus them on MSPs and their business models is going to be very valuable. So with that, Mark, back to you. Let’s hear about your background.
Mark Jennings: Great, great, thanks, Steve. Yeah, this is going to be a great resource for your people. But yeah, let me introduce myself. You know, why would you even listen to me? Well, I was in the MSP industry for 32 years. I was a partner in an MSP in Northern New England, and I had roles: I was a field engineer. I was the Director of Service during the time we were building out our MSP services. I built out our vCIO practice and managed that. I was Vice President of Sales, and then I ended my career as the Managing Director for a major national MSP in the DC metro area. So I’ve been in this industry for a long time.
Mark Jennings: In 2021, I created OTX Partners to help MSPs manage their risk. And as part of that, I created a peer group that’s really focused on allowing MSPs to help each other meet a cybersecurity framework, and really manage their risk as well. So, in addition to that, as a personal note, I’m an avid runner and former marathoner. Well, you know, the emphasis on the former. My knees can’t take it anymore. But I do continue to run and love it. You can contact me at my website: www.otxpartners.com. Look me up on LinkedIn, or you can email me at mjennings@otxpartners.com. So let’s move on. And let’s get into this.
Mark Jennings: So let’s start with the basics. What is a cybersecurity framework? Basically, it’s a structured set of guidelines. It’s a framework that you can follow of standards and best practices that are recognized, and they help you manage and reduce your cybersecurity risk. If you follow the framework, you’re going to cover all the bases that you need to cover, to really reduce that risk. They include specific controls that address known vulnerable aspects of the computing environment. In other words, these are things that these recognized groups have gone and said this is a recognized vulnerability in most networks. This is the control that you need to put in place to manage that and mitigate that risk. So examples are access control – you know, basically, who can get into the network, what can they do when they’re in there. User training – What training do your users need, and make sure that they’re doing their training? What protections do you need for your system, your antivirus, maybe your SIEM system. Maybe it’s your SOC services. What is your incident response? What are you going to do if something does go wrong? Do you have a plan in place? We’ll be talking about all these a little further in the later discussion. But the thing to remember about cybersecurity frameworks is it’s all about people, process and technology. We tend to spend a lot of time looking at technology. We focus a lot on technology. But ironically, when it comes to cybersecurity frameworks and compliance, technology is one of the shortest legs. It’s really more about the people and the processes that you have in place to manage the framework.
Mark Jennings: So what are some of the common cybersecurity frameworks? And we’ll be going through these as the series goes on, as I mentioned. We’re going to be talking about the NIST, or National Institute of Standards and Technology, and testing their security framework. That’s a very broad framework. It can apply to any industry, any business. We’re also going to be looking at the Center for Internet Security. This is a non-governmental organization that does align with a lot of vendors to assist in helping you maintain that framework. So we’re going to be doing a deep dive in this. That’s our next seminar in January. There’s an ISO 27001 series. So this is a global standard for many organizations that certainly do business globally. Manufacturers are required to meet the ISO 27001 standard in order to do business with certain manufacturers and certain other businesses. And then there’s a SOC 2 Type 2 framework that can be used to basically make sure that you’ve got a framework in place that you’re managing to, and you can have a formal audit against that, a report against that, that can tell you whether or not you’re meeting those controls. Then we’ve got the business sector frameworks. Now these are frameworks that are associated with some sort of regulation or with some sort of a law. So we’re all familiar with HIPAA. We deal with it every day. That is a framework that can be used when you’re working with medical practices and health insurance companies. So you can look at that standard, and you can say, well, these are all the controls that need to be in place to be compliant, and great. It’s very well understood that it happens to be a law. Then there’s the financial industry that has the Gramm-Leach-Bliley Act, which has been around for years, and the FTC Safeguards Rule, which really came into effect last year, and has some detailed controls that you need to meet if you do any work in the financial industry or related to the financial industry.
The Defense Industrial Base, the DIB. Any manufacturers or any businesses that do business with the DIB are potentially being governed now by the CMMC rule, which really applies to the NIST SP 800-171 standard, which has been around for a while. But this brand new certification program, which we’ll be going over in February, is now a case where they need to certify under CMMC. And we’ll talk a little bit later about how you, as an MSP, have a defined role in that process. So we’ll get into that later. And then there’s the credit card industry that has the PCI standards. Now, those are governed by the credit card industry itself, and it’s basically anybody that processes credit card transactions needs to adhere to those standards and prove that they do. Failure to do so can result in the inability to actually process credit cards, which can be debilitating for many customers.
Mark Jennings: We talked about this a little bit. It’s a set of controls, that’s what a framework is. So what is a control? It’s really a safeguard or countermeasure that’s implemented to protect the confidentiality, the integrity, and the availability of information that you’re protecting. Now, CIA principles – confidentiality, integrity and availability. You’ll hear this in most security webinars that you go through, or seminars. So that means you’re protecting confidentiality. In other words, anybody that has access to this needs access to it. They only have access to it if they have a defined role within their job that gives them access to it, and they’re trained on how to keep that confidentiality. The integrity is when, you know, basically, the information is as it was when it was originally written to disk. So it hasn’t been illicitly modified. It’s still there. It’s the way it was originally written. And then the availability is just that it’s available to users when they need it. So that’s why we put in these fault tolerance systems. That’s why we have disaster recovery plans to make sure that in the event that the data becomes unavailable, we have a quick way of getting it back. Now these controls are designed to prevent, detect, mitigate, or respond to security risks or threats. So what does that mean? We’re going to have preventative controls. These are ones that are really geared to making sure that something bad doesn’t happen to begin with, and then we have to assume that something will happen that requires our detection.
Mark Jennings: Whoops. Button is crazy here. All right.
Mark Jennings: We need to make sure that we have controls in place to detect things when they go wrong. So we want to be able to say, yes, something went wrong. Somebody got into the system unauthorized. Then we have to have controls that correct that situation. What do we need to do to make sure that we plug that hole, or that we eradicate that threat? There are physical controls. These are things like, you know, making sure that your servers are behind a locked door, making sure that you know your files are in a protected area. And then there’s administrative ones around HIPAA that essentially everybody’s got their BAA agreements with their providers. When you go into your doctor’s office you have to sign your form, so those would be administrative controls that are in those frameworks.
Mark Jennings: All right. So we’ve looked at what a framework is. We’ve looked at what controls are. So what does it mean to be compliant with a framework and individual controls? Well, compliance is a process. So you need to make sure that you’re following this process. We’re going to go through the 6 steps, and you have to do every one in order to consider yourself compliant.
Mark Jennings: So we’re going to start. We’re going to use the process of access control. Every framework has access control as one of the controls that you need to meet, so we’re going to look at that one, and we’re going to say, well, access control. You have to define a policy. What is your policy around access control? Now, this is going to be a very broad statement that says, well, you know, we manage our users according to their role. We give them access to permissions based on their role – very, very generic comments. In some cases it may be really just parroting back what the framework is asking for in the control. Because you want to keep these general. You want to be able to make changes without rewriting the policy, and we’ll talk about that a little bit in a minute. Basically these have to be signed off on by executive management. So your CEO or somebody in the C-suite needs to sign off on these. You don’t want to have to go back to them and say, Oh, we made a minor change to the policy. Can you sign the new one? Keep these very general. We’ll move on.
Mark Jennings: Then you’ve got to put in controls to help manage that policy. So for access control, we’re going to put in things like an Active Directory. So when we create a new employee, we create their account in an Active Directory. We’re gonna put in MFA so that they need MFA to get remote access. We’re going to put in things like single sign-on to make it easier to manage all of those permissions and controls. And then we’re going to put in some audit tools to make sure that we can see what’s happening on the backside, so we get all the controls in place.
Mark Jennings: Now that we’ve got the tools in place, we need to document how those tools are used. So we’re going to basically document our process for onboarding a new employee. So when we bring on a new employee, this is how we add them to the Active Directory. This is how we assign their permissions. This is how we manage those permissions when we offboard the employee. This is how we terminate their access to the system. This is how we make sure that they’re locked out of the system. And then, if they change jobs, we make sure that all of those permissions that were there for their old job are removed, and anything for their new job is added. Nothing extra, nothing over and above.
Mark Jennings: So the policies – that’s what we do. The processes are how we do it. So you’re documenting what we do and how we do it. Now that we’ve done that, we need to educate our staff. We need to make sure that everybody that’s working for us is using those tools in the proper way. They’re actually following those processes. So we’re going to do that with orientation. We have all of our policies in our employee manual. So new employees see the policies that apply to the employee or to their role. We have the processes. We’re going to train them on their processes, and then, on an ongoing basis, we’re going to put that into our staff training. We’re going to keep that as an ongoing process, so, you know, we might do refresher courses for anything new that’s added. We make sure that there’s formal training associated with that.
Mark Jennings: Now, with access control, there may even be a client training portion of this, because you, as the MSP, may be in charge of adding employees or removing employees from your clients’ Active Directory. So what would client training look like? Well, the client needs to understand that, first of all, it’s their responsibility to let you know when one of their employees leaves the company, so make sure that they’re trained on when anybody leaves the company, whether you fire them or whether they leave of their own volition, they need to contact you to make sure that their account is locked out, that their access is terminated. You’re going to see a lot of MSPs, if they look at their clients’ Active Directory, they’re going to see a lot of accounts that don’t exist anymore, or the employee no longer works for the company. They’re still active accounts. That is not an uncommon scenario, so make sure you train your clients on that process.
Mark Jennings: Then you need to go in and audit your processes. You need to inspect what you expect. You can’t just assume that they’re going to go in and follow these processes and do everything as you’ve trained them to. So you need to have some sort of a process for auditing. And again, in access control, that might be a process where you sit down with HR once a month, and you go through all the new hires. Make sure that anybody that was hired in the last month, that their account was created properly, that MFA has been enabled on it, that, you know, their single sign-on is correct. Or who’s left the company in the last month – Are their accounts terminated? Has access been removed? You can look at a log review. Make sure that there aren’t a lot of, you know, failed login attempts going on, something like that. Then you define the frequency. How often are you going to do this audit process? Is it once a week? Is it once a month? Is it quarterly? Just define that within your processes. And then, finally, again, this is a living process. You need to make sure that this is an ongoing thing. So, at least annually, you want to go back and you want to assess and revise. Make sure that, you know, are there any policies that are irrelevant? We’ve stopped doing things like that? Or are there new policies that need to be made because we’ve changed some things within the organization or processes or procedures, so that might be an annual review that you go through, you know, either formally or informally. You go through all of your policies and processes and go through that process. It could be one of these SOC 2 Type 2 reports. We have somebody come in and actually create a report for this SOC 2 Type 2. Now, again, this is a report that could be good, could be bad. They can come in and say, look, you know, you’re failing miserably, because, you know, you’re not doing all these things. But you still had a SOC 2 Type 2 report.
Mark Jennings: Then there’s certification. This is where you can go through a formal certification process, and there are a few out there that, you know, people can come in, and they can do a formal certification for you. So these are all ways that you can make sure that your compliance process stays live, and stays fresh.
Steve Kazan: So one quick question popped in was the timing. So one is, do you have a recommendation, you know, for how often you do these things – monthly, quarterly? Because the MSPs you know have full calendars. They’re very busy, and their clients are.
Mark Jennings: And it’s a great question, because, you know, again, these frameworks have many, many controls, and some of them probably have more frequent requirements in terms of how often you want to audit those, right? You know, something like a new employee audit, maybe once a month is fine, but we’re going to talk about one in a minute, it’s like, well, you know, vulnerability management, or something like that. You need to make sure you get on this stuff quickly. So they’re all going to have different frequencies, and it may even vary by MSP or by client. How often do you want to go in and do this, because maybe someone’s in a more sensitive industry than others, or something like that. So there’s really no one answer to that. You have to go through the process of identifying: this is the audit process, and this is what makes sense for the frequency for that control.
Steve Kazan: Great, perfect. Thank you, Mark.
Mark Jennings: Yeah, good question, though.
Mark Jennings: So we’ve gone through the compliance process. We’ve done everything. We’ve gone through all the 6 steps. How do we prove that? How do we say, yeah, we did that? Well, that’s done through evidence and artifacts. So for each of those controls, you have to have all of these. You have to have your written policies. We talked about documenting your processes. Make sure you can produce those. This is the written policy here. These are the written procedures that we use when we add a new employee. What are the log files that we review? Whether that be, you know, a manual review of failed login attempts, or something out of your SIEM system, where, you know, these are all the events that we saw. This is an example of the log files that are held. These are the logs of all of our backups. Your audit reports – Again, you need to prove that you’ve been auditing this stuff. So you have to have proof that you’ve gone through these processes at whatever frequency you defined. And again, if your policy says you do it this often, or if your procedure says you do it this often, just make sure you’re doing it that often, and then provide the report that proves that.
Mark Jennings: Training records. So, you know, are your employees taking security awareness training? Are they actually taking the courses? Are they failing their phishing tests? What is the compliance at that level? Configuration files of servers, firewalls, all of that stuff that’s going to go into your IT Glue system, or whatever you’re using for your documentation.
Mark Jennings: What are your incident response plans? Do you have a written incident response plan? Have you defined your incident response team? Do they know the rules of engagement during incident response? And then risk assessments. Have you gone through a formal risk assessment to identify what your known risks are? Identified the likelihood of that happening? What is the impact on the organization? Have you addressed those risks? And maybe there are some risks that you saw that you were like, you know what? Yeah, it’s a risk. Yep, we get that. It’s, you know, the likelihood is relatively low or the impact is relatively low. Therefore we’ve decided to accept that risk. We know that it’s a risk. We’ve accepted it, and we’ve documented that. As long as you’ve documented it, and you have good rationale behind it, that’s okay. Now, obviously, you don’t want to be too cavalier about it. But make sure that you’ve gone through this assessment, identified what the risks are, and how you’re preventing those risks or mitigating them.
Mark Jennings: So what about an assessment? So probably the easiest thing to do is you can do a self-assessment against any one of these frameworks. You can basically look at your policies. You look at your procedures. Compare those against each control. Do we have a policy? Yes, written policies right here. Do we have procedures? Yep, they’re written right here. Does the tool that we’re using meet the requirement? Yes, the tool that we’re using does meet the requirement. Are we auditing that process? Are we training our people? You can just do that for every control. You can go through a self-assessment process and feel good at the end of the day that, yeah, you’re doing the right thing. Now, that may not be enough for you. So you can do things like using one of these SOC 2 Type 2 reports. Again, external people coming in doing the SOC 2 Type 2 report. You can do an external audit on pretty much any one of these frameworks. There are organizations that will come in and do an external audit, control by control, having you present your evidence. They will provide an opinion on whether or not you are meeting that control.
Mark Jennings: Then there’s certification. We talked about this a little bit earlier, where there are formal certification programs associated with some frameworks, not every one, but some of them, and the ISO 27001 series is an example of a formal certification that you can get that proves that, yes, in fact, you do it. Therefore, anybody demanding that, you can just basically send them your certificate or tell them, look, this is our certificate. We are, you know, compliant with ISO 27001. The same is true for CMMC Level 2 and 3. There’s a formal certification process. In fact, the first certification assessments for this are starting next week. So, you know, there have been some what are called joint surveillance ones done so far, but the formal ones that can be done by an outside organization are starting next week. This is going to be a requirement of companies doing business in the DIB where the contract specifies you need to be CMMC certified Level 2. And we’re going to talk in a minute about what impact that might have on you as an MSP.
Mark Jennings: On that, then CompTIA has got their Trustmark cybersecurity framework that they are rolling out. Now it’s largely based on the CIS control set, so you can have them come in and do that and put that badge on your website and say, Hey, you know, we are CompTIA certified.
Steve Kazan: So Mark, quick question on the timing. Any rough idea how long it takes? How many months or years to get CMMC or Trustmark?
Mark Jennings: Well, I mean, to prepare for CMMC, there are different ways to do it, but if you want to go through full certification, plan on 12 to 18 months, if not longer, and then the assessment itself, you know, it’s probably, you know, could go a week, something like that. But the preparation is the big deal. I mean, you have to go and make sure that you’ve got your ducks in a row, and, you know, all of these frameworks take time. I mean, you’re not going to just start, you know, first of the month and say, by the 30th you’ve got it done. It’s not going to happen that way, and, you know, fortunately, as we go through this series, you’ll get a really deeper dive into each one of these and you’ll get a sense for, well, this one is going to require this or whatever, therefore it should take about that long, and the different levels that you can comply with. So that’s a key function of this, that there are different levels, certainly within CMMC and CIS.
Steve Kazan: Great.
Mark Jennings: So, as I mentioned, within CMMC there is this concept that your services are directly related to your clients’ assessment. That’s where we start talking or looking into this shared responsibility model or shared responsibility matrix, where you have a certain amount of responsibility for the controls that your client’s responsible for. This is true of any regulated industry. So, you know, we’re going to use CMMC when we look at the example. But the first thing you want to do is you want to identify the control requirements for your clients in a regulated industry. You know, if they’re in HIPAA, what are the controls that are required that they follow? Make sure you understand those. Again, CMMC and the FTC Safeguards Rule, understand what controls are required, and then identify those controls in those regulations that are fulfilled by you, the MSP. So make sure you understand, okay, if we’re doing this service for them, then that maps to this control. Therefore, going back to that compliance process, if we want to consider our practices compliant with that particular regulation, we need to go through that whole process, the compliance wheel, and make sure that we’re doing all of those things for those services.
Mark Jennings: And then you want to define what the responsibility is for the client for this. There are certain controls that are shared responsibility. You’re doing this as the MSP, but the client has certain things that they’re responsible for in order to maintain that compliance. So, being clear about that with your client, it’s only fair to them. And making sure that you’re bringing them up to speed on what that is, you know.
Mark Jennings: So we’re going to take a look at one particular example. This would be in a CMMC environment. So where you may have, let’s say, like every MSP in the world, pretty much, is now patching under the CMMC or the NIST SP 800-171 requirements. That is the control called flaw remediation. So that means if anything that’s discovered within your RMM says that a patch is missing – we know it is patching – or your vulnerability scans uncover a vulnerability. So how do you handle that? Now, notice, in this case, if you look under the assessment objective column, not only is there a single control, but there are 6 assessment objectives. These are 6 things that you need to meet in order to be compliant with this particular control, and they’re very granular. So first of all, you have to declare how much time it is before we identify flaws. So how often do you do your scanning?
Mark Jennings: Do you do your scanning real time? Do you do your scanning once a week? Do you do it, you know, whatever that is, you need to declare that. And then you need to basically declare that, yes, that’s exactly what you’re doing, so all 6 of these kind of have these same things about it. What’s the time between when it’s detected and when it’s corrected? All these things.
Mark Jennings: Now, the MSP. Let’s say you have a case where you are doing their patch management, and you have a policy that says, well, yeah, patch. Tuesday comes along. But we don’t want to be in a crowd, strike type situation. So we usually do a 24 hour delay before we roll out all these patches to everybody, because again, we don’t want to shut them down because of a flawed patch. But you’re going to declare that in your policy, and then you’re going to prove that that’s in fact, what you’re doing. Same thing with vulnerability scanning if you scan every so often, whatever that frequency is. So this is, you know, we detect the flaw, and then we decide how long it is before we correct the flaw, because we may say, well, you know, criticals and highs we go within 24 hours, mediums we do within 72 h, then lows, we might even say we do it on a case by case basis. But these are all things that you need to declare.
Mark Jennings: You need to have a policy and a procedure around it and put that into this shared responsibility matrix. Now, in a CMMC world, this is a requirement. So your companies that are doing business in the DIB, they’re going to be coming to you if they haven’t already, and said, we need to fill this out together, so that we understand that for all of these controls that you have a responsibility for, MSP, you can produce all the evidence that we went through in that compliance wheel, so that when the assessor comes and they say, look, so the MSP does this for you, I want to see their evidence. The Assessor is going to ask for the MSP’s evidence in this case, not the client. The MSP’s evidence that the client either provides or you may be sitting at the table with the Assessor. If you’re not prepared at that point, you’re putting your client at risk of failing their assessment. So this is critical in a CMMC environment. But imagine doing this even as a HIPAA environment, sitting down with your client walking in, sitting down. Mr. Customer. This is the shared responsibility matrix. This is what we do for you to keep you compliant with HIPAA. This is what your responsibility is. Instantly you’ve gained credibility. You now can speak their language, what’s required of them and tell them, you know, look, this is what we’re doing. We’re very clear about what we’re doing. You have some responsibility here, too. You would have much more credibility than many of your competitors walking in the door, so shared responsibility makes it a really, really powerful tool.
Mark Jennings: All right. So we talked about a lot of stuff. You know, there’s a lot here. Sounds like a lot of work. Sounds like a lot of effort. Sounds like a lot of money. Well, it can be so. Why would you do this? Why follow a cybersecurity framework?
Mark Jennings: Well, first of all, the structured approach will avoid gaps. You’re probably doing all of this stuff already. It’s not, you know, this is not new, most of it. But there’s probably gaps. There are probably some things that you’re not doing that you really need to be doing, or you should be doing in today’s cybersecurity landscape. So a cybersecurity framework is going to show you where those gaps are and it’s going to give you guidance on how to plug those. These are recognized standards. We’re going to talk a little bit in a minute about why, that’s an important thing. But this will basically give you the roadmap to implement good cybersecurity.
Mark Jennings: It should give you a competitive advantage. You can speak to your client from a position of knowledge and experience. Mr. Customer, this is why we do this, you know. Yeah, we do patch management. We do all these things. Well, you know. What if you can map this back to a known standard? This is best practice as recognized by the Government or CIS, or whatever. You’ve got instant credibility when you start talking that way, and if so, you can say, Well, this is why our rates are higher. This is why, you know, we do things better than so and so down the street. Basically with higher rates, they’re going to go to the bottom line. You should be able to increase your margins. So this has a, as you know, you take the investments you’re going to make in this. They should pay back dividends.
Steve Kazan: So it all comes down to the money right? The more value you’re providing, the more you can charge, the greater your margins, the more valuable your business.
Mark Jennings: Always, always
Mark Jennings: Now, and the last thing here, or one of the last things, is this concept of safe harbor laws. So far 5 States have implemented these, and there’s a couple of Attorney General’s decrees that kind of follow this as well, that have passed these safe harbor laws. Well, what does that mean? Well, these are legal protections that if you do find yourself, let’s say you find yourself in court because one of your clients thinks you didn’t do things right. You made an error, and it cost them a lot of money, and they want retribution. Well, these safe harbor laws basically allow a judge to understand what you did in a way that makes sense to them. And there’s this thing called reasonableness. Now, that’s a legal term. What is it? What is reasonable? You’ll see it in crime dramas and everything. You know. What would a reasonable person do? You know, in this case that’s a legal term. It means – Did the person that’s being accused act in a reasonable manner? Well, in cybersecurity, and in really, technology, in general, reasonableness is a very, very difficult thing for judges to understand, as having been an expert witness on a stand before in a technical case. Trust me, they do not understand technology. They do not understand the underlying things. They do bring in expert witnesses, but they still have to understand what the expert witness is saying. What this does is, it puts reasonableness to a standard. So, in other words, the laws are written so that if you follow one of these cybersecurity standards, and they are specifically called out in these laws, CIS, NIST SP 800-171, CMMC – All of these are called out directly in the law. So if basically, you go in and you’re being accused of doing something and you say, well, Mr. Judge, I follow this standard, and I’ve had an audit that says I follow this standard. The judge just looks it up. They say, yep, that’s one of the standards that’s in the law. Automatically, you’re considered to have done something reasonable. You’ve taken reasonable actions to mitigate the risk that somehow bit your client. So there’s a lot of protection that’s based on this.
Steve Kazan: And Mark quick question on that – Which 5 States have the safe harbor law?
Mark Jennings: Oh, yeah, I’ll give you a couple that come off the top of my head. It’s Utah, Ohio, I think. Connecticut, and the last 2 escaped me. But if you Google this or something, you’ll find which ones they are. Yeah, I probably should have called those out. But I think you’re going to see more and more states going down this route. You know. It’s kind of a carrot instead of a stick, you know. Do this, and you’ll gain protection versus. If you don’t do this, you’re going to suffer all kinds of consequences. So all right.
Mark Jennings: And then, of course, you know, the last thing is, you know, there are regulatory requirements, and when we do get into the CMMC Webinar in February, Joy Beland is going to go deeply into that in terms of you as an MSP. What are your requirements? How do you address those?
Steve Kazan: Yeah, I mean, this is sort of the why should you care slide. Why should MSPs care? And I mean, yes, it’s about money, and it’s about requirements. But it’s also about doing the ethical thing which is protecting your clients’ rights, making sure that their businesses are ongoing and safe and secure, they don’t have outages and downtime, they don’t have ransomware, and that they are educated on cyber insurance. So there is a, you know, sort of a do gooder, do good work, add value to your clients reason why we all should care about cyber security.
Mark Jennings: And I personally look at it as, you know, you as an MSP, it’s part of your responsibility. I mean this. Yeah, just going in. We’ve all been guilty of it in the past. No doubt about it. In my past experience there were times when we’d be like, you know what we’re doing the basics. But there are some things, some areas that we could do better. And you know that’s always going to be the case. But you know this is really going to show you where you can do better and give you the roadmap on how to get there.
Mark Jennings: So yeah, so what are the key takeaways I want you to walk away with today following that? A structured approach improves your overall security. So again, you won’t have those gaps. You’re going to be fulfilling your responsibility to shore up those gaps, or figure out ways to shore up those gaps in some cases. Like, look, we can’t do that service, but we may, you know, have to partner with somebody else that can provide a full featured cybersecurity package. Partnering is great these days. I think there’s more need than ever.
Mark Jennings: Compliance is a formal process, simply doing the things that you’re doing today and say, yeah, let me prove it. Look over my shoulder. I’ll show you exactly how we do it. That’s not enough. It’s not going to cut the mustard with an assessor or anybody coming in to gauge your compliance. And then again, just what we were talking about as an MSP. You have an impact on your clients. Compliance, you know. You could be the make or break between them, being compliant or not suffering the potential impact of a breach that then turns into financial penalties. Things like that, you know. If it’s something that you’re doing for them.
Mark Jennings: The regulating body may not come to you directly as the MSP. But you’re responsible. You should really be making sure that your clients understand what their responsibilities are under these compliance requirements, and making sure that they’re taking care of them.
Steve Kazan: Right, and sometimes it’s revenue impacting. So if you do not have the certifications, sometimes you don’t qualify for an order or a bid or something. So you have to get the compliance framework and audit done.
Mark Jennings: Yeah. And again, we’ll dig into this deep on the CMMC. Joy Beland will go into that deeply. But you know, within the CMMC law, just briefly, you’re not required as the MSP to certify under Level 2. If that’s what your client requires. You just need to make sure that any of the services that you provide that fall under those controls are, you know, follow those compliance requirements. However, you’re going to start seeing a lot of manufacturers in the DIB, or anybody that does business in the DIB that does have those requirements, CMMC Level 2 or even 3, they’re going to say, look, you know, we’re not going to take the risk of you not showing up prepared for our assessment. Therefore we’re going to require you. If you want to be our MSP, you need to go through full CMMC certification and prove it to us. That has benefits both ways. Because you know what that becomes, you know your standard. Obviously, you’re going to get the business. But also, it’s going to be easier for you, because all you have to do is just say, Yeah, we’re certified. They tell their assessor that you’re certified. You don’t have to go through the process of proving all of those things again and again and again, for every client you have in the DIB. So there and again, Joy is going to go over all this in her webinar.
Mark Jennings: So what are the 3 things that you can do tomorrow, based on this? Well, first of all, mark your calendars because we got the next 2 webinars scheduled. January 22nd, at 1PM, we have Phyllis Lee, again, Senior Director of Control. She’s an expert in the field when it comes to CIS. And then the CMMC: What does it mean for MSPs?, February 25th at 12 noon. Joy Beland again Vice President of Cybersecurity, Compliance. And she’s an assessor herself, and they’re going through their assessment at this point. So she’s going to have hands-on experience with all this stuff. She’s probably going to be the one of the most qualified people to give that webinar in February.
Steve Kazan: Yeah. So on that particular topic, the link to register for those sessions is in the chat. So go to www.nsitsp.org/events to find the login for that.
Steve Kazan: Cameron says he’s already registered. And for all those future sessions – we do have some sessions later in the year that we’re looking for speakers, as well as sponsors. So if you happen to know a security vendor that would be interested in sponsoring one of those sessions. Please let us know. Go ahead, Mark.
Mark Jennings: Yeah, great. So what else can you do tomorrow? Well, the first thing you know, we went over a ton of stuff. These frameworks are very detailed. But one of the first things that you can do is just look at what you’re doing today. You don’t have to change anything. You don’t have to add anything. Just look at what you’re doing today and ask yourself – if we look at that compliance wheel, could we say that those practices that we’re doing today are compliant? If not, just start documenting those, get them documented. If you don’t have an audit process in place today, come up with one. Make sure that you’re auditing those things that you’re doing today. And then, you know, ask yourself, are they consistently applied? Theoretically, if you’re going through the process wheel, the compliance process wheel, you’re training your staff and you’re auditing them. You should be able to identify that they are consistently applied.
Mark Jennings: Another thing we haven’t really talked about is automation. That’s another big trend within the MSP industry. Use automation to start getting these things going. But again, with what you’re doing today, just make sure that you know what you’re doing today could be put up against an assessment and pass muster. Then you can start looking at the frameworks that we’re going to be going over and doing a gap analysis. Okay, this is what we do. This is what we don’t do. And here’s the gap. Let’s fill that in.
Mark Jennings: Then talk to your clients – especially anyone that’s doing business in the DIB. If they have not come to you already and said, look, we need to be on top of this CMMC thing, make sure you’re talking to them. Ask them, are you doing business with the DIB? Are you a subcontractor to either a prime, or one of the ones down in the supply chain? What are they telling you? What are your needs going to be in HIPAA? Do they even understand the compliance requirements in many cases, especially small medical practices? And maybe some small health insurance companies that deal with them may not even understand what their responsibilities are. If you can help educate them, it’s great. It builds credibility. It helps you expand that relationship. So just get talking to your clients about this stuff.
Mark Jennings: So yeah, so basically, that’s what I’ve got. And if you have, I don’t know if there are any questions in the chat… there are. There are some good questions in the chat. Excellent.
Steve Kazan: Let’s go through them. So one is in kind of overlapping frameworks like, is there a spreadsheet somewhere? Is there a document somewhere that shows which framework has which and where they overlap? And there’s one suggestion that CISA has a good one with NIST. But are there others?
Mark Jennings: Yes, absolutely. You can see. That’s what’s called crosswalking. When you’re crosswalking across these standards, they do mappings between them. Okay, this control in 800-171 maps to this control in CIS or NIST, or whatever. There’s dozens of them out there. CIS, I believe, has multiple spreadsheets that will show you how they map to other standards. Yeah, there’s a lot of them out there. So for that, probably your best tool is to Google it. But if you just do a crosswalk between 2 standards, you’ll get all kinds of hits.
Steve Kazan: Okay, so question from Dashika about automation tools and on the NSITSP website, there is a forum… right where people can log in, write questions down and get responses. So what I would suggest is, if you have a specific type of product that you’re looking for, one of the good places to go is to that forum to fill out the question and have the members be able to respond to that. The NSITSP does not recommend any specific products, but I think our members all have lots of opinions on which products work.
Mark Jennings: Before you jump in. What I would like to say is.
Steve Kazan: Mark, back to you. What automation tools are you aware of? And where should you go to find information on them?
Mark Jennings: Yeah. So you know, disclaimer, I’m not getting behind any particular tool, you know. And frankly, that’s not necessarily one of my areas of expertise. But I do know Roost gets a lot of press. That’s probably one of the ones that gets the most press. But there are other ones out there that provide different levels of automation. Again, I think I’ll go along with Steve and say, I don’t have any particular product that I would say, this is a must use, or whatever but yeah, if you go up on that forum, post it. And that’s going to be your best bet.
Steve Kazan: Yeah. Quick question from Dennis. Are there particular vertical markets that are requiring more compliance than others? And the recent past, which ones are growing in terms of requirements?
Mark Jennings: Well, the financial industry. I think we saw the FTC safeguards rule came out last year, which really, that applies. The poster child for that one is car dealerships like, you know, why would you think car dealerships have got compliance requirements? Well, it’s because they do consumer leasing. So they collect a lot of financial information about their customers. So now they are responsible for meeting FTC safeguards rules. So that’s a good example of one that’s really ratcheted up recently. And you know, if you’ve done business with car dealerships, you know, security is not their number one thought. They’re out there to sell cars, which that’s what their business is. So you can be a Good Samaritan to them, and bring their attention to the fact that, look, you know, you are compelled to meet this.
Mark Jennings: So that’s one. Obviously, I mean, HIPAA has been around for years. I still think that there’s a huge gap between what HIPAA requires and what most certainly, what the smaller practices are doing. You know, my understanding is, there’s an updated version of that that’s being worked on. So that’ll come up. That’s going to ratchet it up. But yeah. And the other thing. I didn’t mention this earlier. But almost every industry today is regulated at some level. And the reason for that is because almost every State now has data privacy laws. So your clients and you, even as an MSP, have responsibilities to protect any personally identifiable information that you hold about residents in certain States, and they’re very vague. They’re not frameworks, but they are requirements. And a lot of them come down to that thing that we talked about earlier. This reasonableness thing, you know, you have to take reasonable steps to protect. You know your PII that you’re in charge of. So almost every industry is falling under those, and the penalties for letting that, or suffering a breach and letting that information out can be significant.
Steve Kazan: Great. All right, let’s wrap up a couple more slides, and we’re all through. Thank you, everyone, for your patience. We really appreciate it. All right, just some information from the sponsor, Marma Security. They do lots of things, and they protect both small businesses and homes. And from an MSP’s perspective, they’re actually a good fit for small businesses. So again, we don’t plug any particular one product, but we are grateful to our sponsors, and we’re grateful to Marma. So if this fits what you’re looking for, then please take advantage and have a conversation. Next slide, please.
Steve Kazan: All right. We talked about the next 2 sessions. Some of you have already told me you’re already registered. So that’s great.
Mark Jennings: Great sign up for those, and let’s watch those.
Steve Kazan: Yep. If you’re not a member yet, shame on you. If you are not a member, there’s the link – Go over onto that link like I said, the recording and the materials. By the way, we had a request for a glossary, Mark.
Mark Jennings: Oh yes!
Steve Kazan: We need to create the acronym glossary and get that up there. So for you know, a meager, I think $125. It is a pittance for the value and the education that we’re providing here.
Steve Kazan: All right, I think we have one more slide.
Mark Jennings: It’s basically just the thank you for coming.
Steve Kazan: Thank you for spending an hour with us. We really appreciate it. We look forward to lots of conversations on lots of different cybersecurity topics. You know, the year’s coming to an end. We know you’re all busy with your holidays, but if you have a chance to stop by the website, take a tour around, we really would welcome you and appreciate that. And with that Mark, thanks so much.
Mark Jennings: Well, this was, thank you, Steve, and thank you, everybody, for joining. I think this has been a lot of fun.
Steve Kazan: All right. With that. We’re going to sign off.