Of course, that's a dramatic oversimplification of how an MSP works, especially because this description contains a rather substantial omission — security. As an MSP, you're handling the sensitive digital data from dozens of companies. Not only are you subject to well-known compliance regimes such as PCI-DSS and HIPAA, you might also be subject to newer regulations from the NY DFS or soon, the GDPR.
Some of these regimes are known quantities and others not so much, but if you fail to follow them, one thing is certain — your customers will quickly cut ties. How can managed service providers provide secure and compliant digital services?
MSPs Are Likely to Be Covered by Multiple Overlapping Compliance Regimes
Each managed services provider is likely to be covered by at least one of the following four compliance standards, based on who they do business with.
- If you touch PHI from a healthcare provider, you are subject to HIPAAand must execute a Business Associate Agreement (BAA) before you're allowed to start working with them.
- If you process credit card numbers, or store credit card numbers for another company, you are subject to PCI-DSS. Companies who process more credit cards are subject to stricter standards, so it pays to keep track of how many cards you're processing.
- If you work with a company that's under the jurisdiction of New York's Department of Financial Services, then you will be subject to compliance regulations recently laid down by the DFS. These regulations mandate a number of security controls, backed up by regular audits.
- If you work with a company that deals with the data of EU citizens, or do business with an EU company direction, then after May 25th, 2018, you will be subject to the GDPR.
These bullets are outlines, not guidelines. If you're unsure as to whether your organization is affected by one or more of these compliance regimes, it's best to talk to a lawyer. Also remember that it's extremely common to believe that you're unaffected by a particular compliance standard, only to receive a nasty surprise. For example, you might also be affected by the GLBA, FISMA, FERPA, or SOX, depending on your target market or business model.
Different Compliance Regimes will Affect Different Companies in Different Ways
Here's where it gets tricky. Many compliance regimes specify that companies secure their most valuable information in different ways, or follow different procedures in the event of a breach. HIPAA, for example, mandates that companies report data breaches within 60 days, but PCI-DSS and the GDPR both give companies just 72 hours to report breaches.
In 2010, the SANS institute recommended that companies affected by multiple compliance regimes adopt what they referred to as a Mother of All Control Lists (MOACL). The process of creating an MOACL is perhaps easier to describe than it is to carry out.
Step One: Understand all of the various compliance regimes that one is subject to.
Step Two: Understand the best practice recommendations of those regimes.
Step Three: Attempt to adhere to the strictest recommendation from every compliance regime. E.G., if HIPAA mandates a 60-day breach reporting schedule, but PCI-DSS mandates three days, then companies should plan on having three days to submit breach reports in every case.
The concept of an MOACL is a great starting point for MSPs (and any business subject to multiple compliance regimes) but the drawback is that it may take a great deal of time to implement. Fortunately, the MOACL can be replicated with tools that turn compliance into a turnkey service.