Regulatory Compliance Archives - Kaseya
https://www.kaseya.com/blog/category/regulatory-compliance/
IT & Security Management for IT Professionals
Thu, 02 Jan 2025 16:13:24 +0000

Everything You Know About HIPAA Is Changing: An Early Look at How to Prepare Your MSP
https://www.kaseya.com/blog/everything-you-know-about-hipaa-is-changing-an-early-look-at-how-to-prepare-your-msp/
Tue, 31 Dec 2024 22:26:37 +0000

The post Everything You Know About HIPAA Is Changing: An Early Look at How to Prepare Your MSP appeared first on Kaseya.

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The newly proposed HIPAA policy changes could have significant impacts on how MSPs and IT teams remain compliant with regulations.

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required.
  • Require written documentation of all Security Rule policies, procedures, plans and analyses.
  • Add specific compliance time periods for many existing requirements, including an audit of security controls at least once every 12 months.
  • Require the development and revision of a technology asset inventory and a network map at least once every 12 months.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written risk assessment.

Why upcoming HIPAA policy changes matter to MSPs:

If you support healthcare companies, you will need to help them meet the new list of security, compliance and audit controls in 2025. Healthcare companies that historically have not seen an ROI on security or compliance are going to be forced to comply with the new HIPAA policy changes in order to remain licensed, obtain insurance, or be paid by Medicare/Medicaid. Healthcare buyers are going to start asking about HIPAA, compliance services and security upgrades like penetration testing.

What should MSPs be doing to prepare:

This is the time to design and market a healthcare-specific offering to meet your clients’ needs, expand your business and manage risk. Evaluate your ability to properly assess network compliance and provide risk management solutions to your clients. Consider implementing solutions like Compliance Manager GRC to automate key components of compliance. Explore new security tools to help you design HIPAA-compliant solutions for your customers, staying ahead of the trend before your competitors sell into your book of business.

Kaseya works hard to stay ahead of these changing regulations to make sure you can deliver automated and integrated solutions to meet these standards. Discover how you can master infrastructure audits, compliance and risk management with Kaseya’s Audit & Compliance Solutions.

What is NIST Compliance? A Guide to NIST Standards, Framework & Controls
https://www.kaseya.com/blog/what-is-nist-compliance/
Fri, 12 Jul 2024 13:40:46 +0000

Data protection is a top concern for businesses both large and small, and that’s where NIST comes in. NIST, or the National Institute of Standards and Technology, provides a framework to help organizations manage and reduce cyber risk. In this article, we’ll explain what NIST is, why it’s so important in cybersecurity, the different standards and frameworks it includes and how to be compliant. Plus, we’ll show you how Kaseya 365 can make NIST easy and affordable.

What is NIST?

NIST is a federal agency within the United States Department of Commerce. Its mission is to boost innovation and industrial competitiveness by advancing measurement science, standards and technology. When it comes to cybersecurity, NIST is famous for its guidelines and frameworks that help organizations protect their information and systems. These standards are designed to manage and reduce cyber-risk so organizations can protect their data and the trust of their customers.

When was NIST founded?

NIST, originally known as the National Bureau of Standards (NBS), was founded in 1901 to address the need for standardized measurements and promote uniformity in the scientific and industrial sectors. Congress established the agency to eliminate a significant obstacle to U.S. industrial competitiveness — a subpar measurement infrastructure that fell behind the advanced capabilities of the United Kingdom, Germany and other economic rivals. Since then, NIST has grown and expanded its focus. Now, it includes not just measurements but also cybersecurity, advanced manufacturing and other critical areas. NBS was renamed NIST in 1988 to reflect its broader mission of enhancing competitiveness in American industry.

Why is NIST important?

NIST provides equitable methodologies and guidelines that all organizations can implement easily. In cybersecurity, NIST guidelines give organizations of all sizes a standardized way to manage risk and strengthen their security.

One of the tools it offers is the NIST Cybersecurity Framework (CSF), which includes best practices for identifying, protecting against, detecting, responding to and recovering from cyber incidents. Following the framework allows organizations to harden their systems and data against threats and demonstrate a commitment to security.

Moreover, NIST guidelines help organizations comply with industry-specific regulations like HIPAA for healthcare, FISMA for federal agencies and PCI-DSS for payment card industries. Meeting these standards isn’t just about avoiding legal trouble; it’s about being competitive by following globally accepted best practices and fostering a culture of security and resilience against growing threats.

How to use NIST

NIST has a whole suite of standards, frameworks and controls that ultimately produce guidelines for implementing and managing cybersecurity. NIST’s guidelines are designed to be flexible so organizations of all sizes and industries can tailor the recommendations to their needs.

Organizations can start by conducting a risk assessment using the NIST Risk Management Framework (RMF) to identify and prioritize risks. From there, they can use the NIST Special Publication (SP) 800 series to get more detail on specific topics like access control (SP 800-53), incident response (SP 800-61) and cloud security (SP 800-144).

Let’s take a look at some of the standards, frameworks and controls.

Standards

NIST publishes standards and special publications (SPs) that provide detailed guidelines on specific aspects of cybersecurity. One of the most popular series is the NIST SP 800 series, which provides in-depth guidance on information security and privacy controls.

  • SP 800-53: This publication provides a catalog of security and privacy controls for federal information systems and organizations to ensure the protection of the systems and the information processed, stored and transmitted by them.
  • SP 800-171: It provides guidelines for safeguarding controlled unclassified information (CUI) in non-federal systems and organizations, ensuring that it is not disclosed to unauthorized individuals.
  • SP 800-37: This publication is a roadmap for applying the RMF to federal information systems. It’s a structured process to integrate security and risk management activities throughout the system development lifecycle.
  • SP 800-30: This is a guideline for conducting risk assessments. It outlines a process for identifying and assessing risks to your organization’s operations, assets and people.
  • SP 800-115: This publication provides guidance on information security testing and assessment, such as methodologies for testing security controls and finding vulnerabilities.
  • SP 800-144: This document is designed to help organizations understand the security and privacy challenges associated with public cloud computing and to offer practical recommendations for addressing these challenges.
  • SP 800-61: This publication provides guidelines for handling and responding to computer security incidents. It outlines a process for preparing for, detecting, analyzing and responding to security incidents.
  • SP 800-137: This publication provides guidelines for continuous monitoring of information systems, a framework for maintaining ongoing awareness of security controls and risks.

Frameworks

NIST also has several frameworks that provide a structured approach to managing cybersecurity risk and protecting critical infrastructure.

  • NIST Cybersecurity Framework (CSF): The NIST CSF is the go-to resource for private sector organizations in the U.S. to improve their cybersecurity. The framework was developed in response to an executive order by President Obama in 2013 to improve critical infrastructure cybersecurity. It provides clear guidance on how to assess and improve the ability to prevent, detect and respond to cyberattacks. It has five core functions — Identify, Protect, Detect, Respond and Recover — each with categories and subcategories that help organizations build a robust cybersecurity strategy. NIST CSF is used by organizations of all sizes to improve their cybersecurity.
  • NIST Risk Management Framework (RMF): This framework provides a process for integrating security and risk management into the system development lifecycle. The RMF includes steps such as categorizing systems, selecting and implementing security controls, assessing their effectiveness, authorizing system operations and continuous monitoring of security postures. By following the RMF, organizations can ensure security is considered from the beginning of system development through deployment and maintenance.
  • NIST Privacy Framework: This framework is a tool to improve privacy through enterprise risk management. It was developed to help organizations protect individual privacy and guide them in identifying and managing privacy risks associated with their data processing activities. It aligns with the NIST CSF and is structured around three main components: Core, Profiles and Implementation Tiers.
    • Core: Provides a set of privacy protection activities and desired outcomes, organized into functions such as Identify, Govern, Control, Communicate and Protect.
    • Profiles: Allow organizations to align their privacy practices with business needs and regulatory requirements.
    • Implementation tiers: Offer a way to gauge the maturity of privacy risk management practices.

Controls

NIST controls are specific requirements or practices that organizations must implement to comply with NIST standards and frameworks. These controls provide a detailed blueprint for securing information systems and ensuring the confidentiality, integrity and availability of information.

  • Access control: This control ensures that only authorized individuals can access specific information systems and data.
  • Audit and accountability: This control ensures that security-relevant activities are recorded and can be reviewed for accountability.
  • Configuration management: This control ensures that information systems are configured securely and managed consistently.

What is NIST compliance?

NIST compliance means following the guidelines and standards set forth by NIST. To be NIST compliant means that an organization has implemented the necessary security controls and practices according to NIST to protect their information, systems and data. Compliance is verified through audits and assessments, ensuring that organizations meet the required standards.

Additionally, NIST certification can be pursued by organizations to prove their adherence to NIST standards. This certification process involves rigorous evaluation by third-party assessors who review the organization’s security measures and practices against the NIST criteria.

Additional Reading: IT Compliance: Understanding Its Purpose and Benefits

Is NIST compliance mandatory?

NIST compliance is not mandatory for all organizations, but it is required for federal agencies and contractors that handle federal information. Many private sector organizations voluntarily follow NIST guidelines to improve their cybersecurity and comply with industry regulations. Compliance with NIST is regulated through audits and assessments conducted by certified auditors.

What are the benefits of NIST compliance?

Following NIST standards gives you:

  • Fortified security posture: Following NIST guidelines helps organizations build a strong security foundation that protects their information, systems and data from cyberthreats. This reduces the risk of data breaches and cyberattacks.
  • Regulatory compliance alignment: NIST compliance helps organizations meet regulatory requirements and industry standards, ensuring that they adhere to best practices for cybersecurity and data protection. For instance, sectors such as healthcare, finance and government are subject to stringent regulations like HIPAA, GLBA and FISMA, which mandate robust security measures. By following NIST guidelines, organizations can align their cybersecurity practices with these regulations, reducing legal and financial risks.
  • Enhanced trust and reputation: Organizations that are NIST-compliant show they care about cybersecurity, which increases their reputation and trust with customers, partners and stakeholders.
  • Reduction of unwanted costs: Data breaches and cyberattacks can cost millions due to stolen data and disrupted business, reputation damage aside. Additionally, failure to comply with industry regulations can lead to hefty fines and legal penalties. Implementing NIST standards can help organizations minimize the likelihood of costly security incidents and avoid financial penalties, ultimately saving the organization money and protecting its bottom line.

How can Kaseya help with NIST compliance?

Kaseya offers a range of products and services to simplify IT management, and the star of the show is Kaseya 365. Launched this year, Kaseya 365 is designed to help IT teams and MSPs grow and overcome their IT challenges without breaking the bank. This all-in-one platform lets you manage, secure, back up and automate your endpoints for one affordable subscription.

What’s more, all the solutions that make up Kaseya 365 are integrated and designed to help you stay compliant with NIST standards. By leveraging this powerful platform, you can streamline your cybersecurity efforts, ensure regulatory compliance and protect systems and data effectively and affordably.

Endpoint monitoring and troubleshooting

Remote monitoring and management (RMM) solutions, part of Kaseya 365, offer robust endpoint monitoring and troubleshooting capabilities to detect and respond to security incidents in real time. By continuously monitoring endpoints, organizations can identify and address vulnerabilities before attackers exploit them, aligning with NIST’s recommendations for securing information systems and protecting sensitive data.

Security management

Kaseya 365 offers advanced security features, including patch management, endpoint detection and response (EDR) and antivirus protection. These tools help organizations implement the necessary security controls to protect their information systems and data, ensuring compliance with NIST guidelines.

Data loss protection

Kaseya 365 includes comprehensive backup and data loss protection solutions, safeguarding critical data against loss or corruption. By implementing robust backup strategies, organizations can ensure that their data is protected and recoverable in the event of a cyber incident.

Ready to see Kaseya 365 in action? Watch our on-demand webinar, Introducing Kaseya 365, to learn more!

Implement NIST standards and guidelines with Kaseya 365

You can cut your IT management costs by 70% while easily staying compliant with NIST frameworks. That’s what Kaseya 365 can do for you. This all-in-one platform streamlines the way you manage, secure, back up and automate your endpoints, making your job significantly easier.

No more jumping between different tools or subscriptions. With Kaseya 365, everything you need is integrated into one seamless experience within the IT Complete interface. It’s designed to help you effortlessly meet NIST compliance, ensuring your organization adheres to regulatory standards and builds trust with your stakeholders.

Curious about how much simpler your IT management can be? Request a demo of Kaseya 365 today and discover how our platform can protect you from cyberthreats, save you money and keep your data safe. Simple and secure with Kaseya 365 — your IT team will love you for it!

IT Compliance: Understanding Its Purpose and Benefits
https://www.kaseya.com/blog/it-compliance/
Thu, 19 May 2022 14:38:07 +0000

IT compliance refers to a set of statutory rules and regulations that businesses must follow to minimize the threat of a cyberattack and keep their systems and processes secure. Every organization must adhere to industry standards and regulations relevant to their business.

What is IT compliance?

Compliance guidelines outline the standards for IT infrastructure design, data sharing and storage, and digital communication to prevent unauthorized entities from accessing or manipulating confidential information. Regulatory authorities thoroughly explain each rule so that companies clearly know what they have to do to stay compliant.

State, federal and international regulatory bodies develop these guidelines to ensure businesses follow the necessary IT best practices to maintain data integrity and the security of their IT infrastructure. Following these rules is mandatory, and not complying is considered a violation of the guidelines, which attracts heavy fines and penalties.

In this blog, we’ll explore the purpose of IT compliance, discuss various compliance regulations and standards, and understand the role and responsibilities of an IT compliance manager.

What is the purpose of IT compliance?

The goal of IT compliance is to maintain the safety and security of an organization’s digital assets. In recent years, governments have taken a hard stance on IT compliance in response to rising cybercrime and concerns about data security and privacy. As a result, companies are being asked to adhere to more and more compliance regulations every day to keep threats at bay. According to Refinitiv’s global risk and compliance report 2021, 64% of respondents said that they’ll focus more on being regulatory compliant rather than proactively trying to prevent issues.

Note: The increasing demand for compliance services has presented a new business opportunity for MSPs. According to Kaseya’s 2022 MSP Benchmark Survey, nearly 75% of respondents currently offer or are planning to provide compliance services to clients.

Following these regulations does much more for a business than just protect it from heavy fines and violations. Companies are obligated to invest in a solid IT security infrastructure, which automatically minimizes the risk of cyberattacks and breaches. Today, many clients and customers will only do business with companies that adhere strictly to the compliance requirements for their industry. By staying compliant with regulations, you can earn the trust of your customers and win more business.

What is a compliance standard?

Keeping up with compliance regulations isn’t as simple as it seems. To stay within the guidelines, you must test your systems and processes on a regular basis. Compliance standards are a set of best practices against which companies can test whether their IT framework meets compliance requirements or not. Compliance standards outline best practices as well as suggestions to address common problems to make your business more compliant.

Compliance is an ongoing process, i.e., you must run a compliance check every time you upgrade your IT infrastructure. This will keep you on the good side of both the law and your customers, and safe from potentially devastating cyberattacks.

IT compliance standards and regulations

The compliance guidelines do not apply to your business as a whole. Instead, they apply to specific aspects of your business. Also, you won’t be subject to all the compliance regulations of a country or region.

There are a variety of compliance requirements, each geared towards different objectives. HIPAA and PCI DSS compliance regulations are specific to companies in the healthcare and financial sectors, and are intended to protect their customers’ personal information. Others, such as SOC 2, are applicable to cloud providers who host critical data of other organizations. Then there are region-specific regulations like GDPR, applicable to all companies doing business in or handling the data of European Union (EU) customers.

Let’s examine some of the common IT compliance standards and regulations.

GDPR (General Data Protection Regulation)

General Data Protection Regulation (GDPR) is a European Union (EU) compliance standard under which businesses are required to protect the personal data and privacy of EU citizens for all transactions that are performed within the EU member states. It is intended to reinforce and unify data protection for all individuals that reside within the EU and control the export of personal data outside the EU. There are two levels of penalties for GDPR noncompliance, with the upper level having fines of up to 20 million euros or 4% of the prior year’s annual revenue, whichever is higher.

HIPAA (Health Insurance Portability and Accountability Act)

Health Insurance Portability and Accountability Act (HIPAA) is a U.S. compliance standard designed to protect sensitive patient data. All organizations dealing with protected health information (PHI) are required to maintain and follow process, network and physical security measures in order to be HIPAA compliant. HIPAA penalties can be significant. The civil penalties for HIPAA violations start at $100 and go up to $25,000 for multiple violations. The minimum penalty for willful violations is $50,000 and the maximum criminal penalty for a HIPAA violation by an individual is $250,000. That’s not all. A violation of HIPAA can also result in jail terms of up to 1, 5 or 10 years. The maximum penalty is $1.5 million.

PCI DSS (Payment Card Industry Data Security Standard)

Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is a regulatory framework designed to protect the personal payment data of customers whenever it is processed, transmitted or stored by companies they transact with. All merchants who accept payment cards are required to comply with PCI DSS. Fines for violating this regulation can go up to $500,000 per incident for security breaches.

SOX (Sarbanes-Oxley Act)

The Sarbanes-Oxley Act of 2002 was developed in order to protect investors from fraudulent financial reporting by publicly traded corporations. The early 2000s were filled with scandals relating to such matters. Under the Act, U.S. public companies and public accounting firms are required to keep financial records in an ethical and correct manner. Several provisions of the Act also apply to privately owned companies.

FISMA (Federal Information Security Management Act)

FISMA is a United States federal law passed in 2002. It requires government agencies, including their contractors, to implement a security framework to safeguard sensitive government information. This regulation requires that all federal agencies and their affiliates comply with information security standards and guidelines as well as mandatory NIST standards.

CMMC (Cybersecurity Maturity Model Certification)

CMMC 2.0 is a comprehensive framework under development by the Department of Defense (DoD) to protect the defense industrial base from increasingly frequent and complex cyberattacks. As of November 2021, CMMC 2.0 replaced CMMC 1.0, keeping the goal of safeguarding national security information at its core. The framework involves a lot of moving parts which have not been finalized yet.

NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines and best practices issued by the U.S. Department of Commerce. It is a collaborative effort between the public and private sectors and academia. It was originally targeted at improving cybersecurity for critical infrastructure sectors in the United States. Those key sectors included finance, energy, healthcare and defense. It was also intended to be used by federal agencies as well as state and local governments.

SOC (System and Organization Controls) reports

Despite taking necessary precautions, many companies have fallen victim to cyberattacks due to poor cybersecurity at their vendor firms or any other company in the supply chain. To avoid being hacked or breached, clients prefer working with companies that comply with all the necessary security regulations and can provide proof of the same. A SOC report serves as proof of a company’s reliability. SOC examinations and reports are created by Independent Certified Public Accountants (service auditors) under the American Institute of Certified Public Accountants’ (AICPA) attestation standards. Because SOC reports are created by third-party auditors, they build credibility and trustworthiness in the organization. There are four types of SOC reports – SOC 1, SOC 2, SOC 3 and SOC for cybersecurity.

What is an IT compliance audit?

IT compliance rules are enforced to ensure that companies follow fair and ethical business practices that do not compromise the rights of employees, clients, customers and the continued existence of the company overall. However, just enforcing compliance is not sufficient. The regulatory authorities must periodically check whether the companies are complying with the rules and regulations. Without checks, companies could disregard the guidelines in order to maximize profits.

Let’s take the credit card industry as an example. Customers are at risk of losing their financial and personal information if credit card merchants do not follow mandatory cybersecurity regulations.

Compliance audits are used as a measure to determine whether compliance codes, guidelines and controls are being followed. Regulatory agencies require companies to conduct compliance audits regularly and report the findings. It is also necessary for companies to perform compliance audits when they make major changes to their IT infrastructure or policies. Regulatory agencies may also commission an audit to determine whether a company is compliant.

A regulatory authority may send compliance auditors to the company or request that the company hire third-party compliance auditors to conduct a compliance audit.

Note: Unlike internal audits, which a company conducts to ensure compliance with its internal rules and policies, IT compliance audits are conducted by external parties to verify compliance independently. Companies should conduct an internal IT compliance audit before the final audit to ensure all is in place.

Auditors begin by defining the scope of the audit. The audits can be completed telephonically by asking the people concerned a series of questions. More often than not, auditors work from the office premises of the business being audited, inspecting infrastructure and the work environment as part of the process.

Following the audit, the auditor prepares a report and submits it to the management and the regulatory body. The report indicates which checks passed, which failed and where the company needs to improve. The appropriate measures for becoming compliant are also outlined as part of the report. Following an audit, companies are generally given 120 days to implement corrective measures. A fine may be imposed if there are grave and intentional lapses in compliance, or if corrective measures aren’t implemented within the 120-day timeframe.

Who is responsible for IT compliance?

Most companies have a compliance manager who oversees compliance activities. Smaller businesses can function well with just one compliance manager while larger organizations can have one for each department with a number of compliance officers reporting to them. With the government cracking down even more on compliance implementation, many companies have also created the post of chief compliance officer to ensure watertight enforcement. According to the Thomson Reuters Fintech, Regtech and the Role of Compliance Report 2021, 15% of respondent firms have invested in specialist skills for the risk and compliance function while 24% have not yet done so but know it is needed.

The regulatory bodies are also pushing boards to take an active role in compliance and holding them accountable when mishaps occur. The purpose is to encourage leadership participation in compliance activities.

A compliance manager is not the only person responsible for overseeing conformity to compliance rules. With regard to IT compliance, it is also the responsibility of the entire IT team to make sure all policies and rules are followed in full. Any company employee who notices non-compliance, whether intentional or unintentional, should notify the correct committee or bring it to the attention of the people concerned.

What does an IT compliance manager do?

A compliance manager’s role is similar to that of a third-party compliance auditor. Their primary role is to carry out regular internal audits to ensure the business and the departments concerned are in compliance with the stipulated rules and regulations. Additionally, they maintain reports related to compliance so that they are available when needed.

Compliance managers also work with third-party compliance auditors and provide them with the documents and information they need to complete their work. Along with these operational tasks, IT compliance managers are also responsible for developing strategies that ensure IT compliance. In a nutshell, an IT compliance manager’s role is to identify and minimize the challenges that lead to non-compliance.

The following are the roles and responsibilities of a compliance manager:

  • Ensuring conformity to compliance guidelines
  • Compiling compliance documentation
  • Setting up a self-audit and reporting schedule
  • Managing audit and compliance requirements for various departments
  • Developing strategies to prevent non-compliance with the guidelines
  • Coordinating and strategizing with all employees that influence compliance rules directly
  • Resolving issues related to compliance
  • Providing leadership, management and the board of directors with timely and comprehensive reports
  • Filling out regulatory reports and other paperwork
  • Implementing new or updated policies and directives as necessary, and providing training

What is IT compliance software?

Compliance is not an easy process for businesses to manage. The ever-changing rules and the fear of penalties make it more difficult to manage than it seems. It’s a long-term project that requires coordination between multiple teams and employees. There will be failures and confusion if a streamlined process is not in place.

IT compliance software simplifies the process and ensures that all stakeholders have access to the relevant data and information whenever they need it. Many tools provide users with features and templates to create reports, and capabilities to share them with the authorities concerned. Furthermore, the tool helps identify challenging areas early on, so that stakeholders can make informed decisions and take remedial action.

These are some of the benefits of investing in IT compliance software:

Efficient compliance management: Documentation is an integral part of compliance work. IT compliance solutions prevent the creation of duplicate documents that clog up workflows, enabling operational efficiency and streamlining compliance processes.

Cost management: Managing compliance without a compliance management tool in your tech stack can be time-consuming and inefficient. You’ll need more hands to manage the task, and it isn’t the most efficient method. With a compliance management solution in your tech stack, you can manage everything more efficiently and without hiring additional staff.

Streamline the process: With IT compliance tools, you can automate a number of smaller day-to-day tasks that take a lot of time. Additionally, the tool acts as a central hub for organizing work and storing documents, which helps eliminate information silos that prevent compliance.

Ensure compliance: The biggest step you can take to ensure full compliance with all regulations is to invest in an IT compliance tool. Based on the policies and rules applicable to you, you can develop a compliance management roadmap. Additionally, the tool will send you notifications and alerts when a certain area needs to be corrected or improved.

IT compliance and Compliance-as-a-Service with Kaseya

The Compliance Manager solution by Kaseya offers a host of useful features and capabilities, such as automated assessments, risk-based remediation and detailed reports of compliance-based activities.

It combines a wizard-driven workflow engine, automatic detection of network and computer data, a web-based management portal, and built-in compliance document generation to help you maintain and prove compliance. If you are an MSP, you can leverage the tool to offer Compliance-as-a-Service to your clients and unlock a new revenue stream.

Designed to meet your growing compliance needs, Compliance Manager will help you stay compliant with even the most complex guidelines and regulations. To find out more, click here for a free Compliance Manager demo.

The post IT Compliance: Understanding Its Purpose and Benefits appeared first on Kaseya.

Walking the Data Security vs Data Privacy Tightrope
https://www.kaseya.com/blog/walking-the-data-security-vs-data-privacy-tightrope/ | Wed, 20 Oct 2021 01:38:36 +0000

Protecting personal, sensitive information from falling into the wrong hands is increasingly one of the top reasons SMBs turn to MSPs for guidance and assistance. What had once seemed like a distant, existential threat is now startlingly real for businesses of all sizes, as well as for the individuals who entrust their private information to them.

MSP customers – and their customers’ customers – have seen enough headlines about security breaches to realize the problem is widespread. Nearly everyone has received worried emails advocating immediate password changes and free credit monitoring services, breaking the illusion that this only happens to other people and that, instead, it’s more likely just a matter of time until a breach hits them even closer to home.

But data privacy and data security aren’t the same thing, however often these terms get used interchangeably. Temporarily removing “data” from the phrase, it’s clear that these labels have quite different meanings.

“Privacy” is about keeping others from seeing your stuff. We close our window shades and put in our earbuds when we don’t want the rest of the world to know what we’re up to, creating a few barriers for the Peeping Tom and the overeager eavesdropper. But privacy doesn’t necessarily promise true protection from more inspired snoopers actively seeking this data.

“Security,” on the other hand, is about true defensive protection. It is not just designed to dissuade the casual interloper, but rather to actively defend against bad actors intentionally accessing things they shouldn’t get their hands on. It’s the keypad to enter the elevator and the armored truck ferrying cash to the bank.

Read the complete blog post at Channel Futures.

NIST Cybersecurity Framework – Everything You Need to Know
https://www.kaseya.com/blog/nist-cybersecurity-framework-everything-you-need-to-know/ | Tue, 01 Sep 2020 15:42:14 +0000

All businesses with an online or digital presence, whether large or small, irrespective of industry, are exposed to cyber risk today. To help prepare and protect companies from these cyber risks, the U.S. Government has issued guidance in the form of a framework from the National Institute of Standards and Technology (NIST), called the NIST Cybersecurity Framework.

What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines and best practices issued by the U.S. Department of Commerce. It is a collaborative effort between the public and private sectors and academia. It was originally targeted at improving cybersecurity for critical infrastructure sectors in the United States. Those key sectors included finance, energy, healthcare and defense. It was also intended to be used by federal agencies as well as state and local governments. Version 1.0 of the NIST CSF was released in February 2014.

The framework has since been revised, with the goal of making it flexible enough to be used by small and large businesses across every industry sector. It also applies more broadly, not just to IT but also to the Internet of Things (IoT). The latest version of the NIST CSF is version 1.1, which was released in April 2018. The new version included updates on the following:

  • Authentication and identity management
  • Self-assessing cybersecurity risk
  • Managing cybersecurity within the supply chain (including buying guidance for commercial, off-the-shelf products and services)
  • Vulnerability disclosure
  • Clarifications on the relationship between Implementation Tiers and Profiles

At the time of its release, the Secretary of Commerce, Wilbur Ross, said “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs.” This still holds true today.

NIST Cybersecurity Framework Version 1.1 – Credit: N. Hanacek/NIST

The NIST Cybersecurity Framework consists of three components, which we’ll dive into next.

What Are the Three Components of the NIST Cybersecurity Framework?

The three main components of the framework are:

  1. Framework Core: A set of desired cybersecurity outcomes organized in a hierarchy; it includes the five functions of a cybersecurity program – Identify, Protect, Detect, Respond and Recover.
  2. Implementation Tiers: The Tiers, ranging from Partial (Tier 1) to Adaptive (Tier 4), provide a qualitative measure of the organization’s cybersecurity risk management practices.
  3. Profiles: Profiles are an organization’s alignment of its requirements and objectives, risk appetite and resources with the desired outcomes of the Framework Core. They identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile.

Let’s take a deeper dive into each of these components and see how they make the framework whole.

Framework Core

The Framework Core consists of three parts – Functions, Categories and Subcategories – and, as mentioned earlier, includes five high-level Functions: Identify, Protect, Detect, Respond and Recover. The Categories cover the cybersecurity objectives of an organization, and the Subcategories are outcome-driven statements that provide considerations for creating or improving a cybersecurity program. The three parts of the Core work together to help an organization manage its risks by organizing information, addressing threats and learning from previous incidents.

The image below depicts the categories in each function.

[Image: Framework Core]

Implementation Tiers

The Implementation Tiers are composed of four tiers – Partial, Risk-Informed, Repeatable and Adaptive. These tiers describe different degrees of sophistication in the measures taken by an organization. The cybersecurity risk processes that collectively indicate a tier are:

  • Risk Management Process: The functionality and repeatability of cybersecurity risk management
  • Integrated Risk Management Program: The extent to which cybersecurity is considered in broader risk management decisions
  • External Participation: The degree to which the organization benefits by sharing or receiving information from outside parties

While tiers do not represent maturity levels, an organization must determine its desired tier and ensure that it meets the goals of that tier by implementing the necessary actions and reducing cybersecurity risk.

[Image: Implementation Tiers]

Profiles

This component of the NIST Cybersecurity Framework enables organizations to establish a roadmap for reducing cybersecurity risk by setting out their organizational goals, aligning potential cyber risks to these goals, and following industry standards and best practices to avoid these risks.

An organization can map its cybersecurity requirements, mission objectives and operating methodologies, along with current practices against the subcategories of the Framework Core.

[Image: Framework Profiles]

In the above image, when comparing a “Current” Profile with a “Target” Profile, the analysis of the gap between the profiles allows organizations to create a prioritized implementation plan.

Using the NIST Cybersecurity Framework

Here are 7 steps you should follow to implement the NIST Cybersecurity Framework in your organization:

  1. Prioritize and Scope – Identify organizational objectives and priorities, and identify the IT systems and assets relevant to these objectives. These assets are to be prioritized and protected at all costs.
  2. Orient – Identify related systems and assets and regulatory requirements pertaining to these systems. Then identify vulnerabilities of these systems and assets and the threats these could face.
  3. Create a Current Profile – The Current Profile of your organization should integrate every control found in the NIST Cybersecurity Framework in order to determine which control outcomes are being achieved.
  4. Conduct a Risk Assessment – Determine the likelihood of cybersecurity events and the impact they could have on your organization.
  5. Create a Target Profile – Determine where you want your organization to be in terms of cybersecurity posture. Create a target maturity score that incorporates the framework’s Categories and Subcategories assessment and work towards the desired outcomes.
  6. Determine, Analyze and Prioritize Gaps – Compare the Current Profile with the Target Profile to identify the gaps between them. Create an action plan that covers the budget, the risks and the tasks to be implemented to address these gaps.
  7. Implement the Action Plan – Take the steps required to close the gaps as discussed above. Adjust your cybersecurity practices to achieve your Target Profile.

The NIST Cybersecurity Framework, although voluntary, is highly recommended as a way to formulate and manage your cybersecurity programs and processes. The framework:

  • Ensures you have robust security policies and standards in place
  • Helps your organization enhance its overall security posture against ever-evolving cyber threats
  • Provides a process for continuous improvement of your organization’s security practice

Kaseya Compliance Manager enables organizations to demonstrate NIST Cybersecurity Framework compliance with ease. It gives users a high-level overview of how well their organization complies with the framework, identifies gaps in an organization’s protection and compliance, and produces a list of issues users must remediate to ensure compliance.

Users also receive a risk scoring matrix that can be used to prioritize risks and appropriately allocate money and resources to ensure that identified issues are resolved. You can learn more about Kaseya Compliance Manager for NIST Cybersecurity Framework here.

*All images are from the NIST website.

What Is Compliance Reporting and What Are Its Benefits?
https://www.kaseya.com/blog/what-is-compliance-reporting-and-what-are-its-benefits/ | Fri, 14 Aug 2020 10:00:52 +0000

Every organization must adhere to the standards and regulations relevant to its industry. Violating these regulations could lead to heavy penalties or, in the worst-case scenario, to the business being shut down.

Most industry regulations deal with the electronic storage and transfer of customer data. As organizations grow, so does their volume of data, bringing with it the constant effort to comply with the regulations.

Companies, therefore, need to create compliance reports, either as a part of an audit requested by regulatory agencies or for their own reference, so as to not violate standards.

What Is Compliance Reporting?

Compliance reporting is the process of presenting information to auditors that shows your company is adhering to all the requirements set by the government and regulatory agencies under a particular standard. It is often the IT department’s responsibility to generate these reports.

Compliance reports typically include information on how customer/company data is dealt with – how it is controlled or protected, obtained and stored, and how it is secured and distributed internally and externally.

Compliance is a never-ending journey, and as standards evolve, so do the reporting requirements. Many companies use compliance reporting tools that generate the necessary reporting to meet the requirements of various compliance bodies that they deal with.

Why Is Compliance Reporting Important?

As mentioned earlier, compliance reporting is important for businesses that regularly deal with the collection and storage of people’s personal and sensitive data. With regulatory requirements constantly changing, industry experts advise that compliance be integrated into business strategy and processes. Furthermore, companies should review their business processes to evaluate compliance risks at least once a year and keep up with changing laws and regulations.

Failing to comply not only leads to hefty penalties in some cases, but might also damage the reputation of a business, leading to loss of customers.

Which Industries Require Compliance Reporting?

Some regulations and the industries to which they apply are as follows:

Standard or regulation – Industry – Brief description of the regulation:

  • Health Insurance Portability and Accountability Act (HIPAA) – Healthcare – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain healthcare transactions electronically. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
  • Payment Card Industry Data Security Standard (PCI DSS) – Retail, financial institutions, and any business or organization that processes, stores or transmits credit card information – The PCI Data Security Standards set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
  • General Data Protection Regulation (GDPR) – Any business that has customers in the European Union (EU) – Europe’s data privacy and security law imposes regulations on organizations regardless of where they are based, as long as they target or collect data related to people in the EU.
  • National Institute of Standards and Technology (NIST) – Communications technology and cybersecurity – The NIST Cybersecurity Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.
  • California Consumer Privacy Act (CCPA) – Any business with customers in the state of California – The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.

What Are the Benefits of Automated Compliance Reporting?

In small and midsize businesses with limited IT staff and an increasing number of employees working remotely, maintaining compliance using manual processes can be very difficult. Manual processes also increase the risk of a regulation breach due to human error or bad data.

Automating compliance reporting involves automated data collection and report generation that adheres to the requirements of a given standard. It standardizes the reporting practices for all the departments in the organization to follow, thereby increasing speed, accuracy and efficiency of the process. Moreover, it also provides valuable business insights with regularly generated analytics.

You can leverage tools like Kaseya Compliance Manager, a compliance automation platform that:

  • Streamlines data collection
  • Identifies and prioritizes risks
  • Provides remediation plans
  • Automatically generates the required documentation

Kaseya Compliance Manager helps you maintain and prove compliance for HIPAA, GDPR, NIST and Cyber Liability Insurance.

Learn more about Kaseya Compliance Manager by downloading the product brief here.

VSA by Kaseya Keeps Methodist Healthcare Ministries HIPAA Compliant
https://www.kaseya.com/blog/vsa-by-kaseya-keeps-methodist-healthcare-ministries-hipaa-compliant/ | Mon, 18 Jun 2018 15:02:22 +0000

Many industries have compliance rules, but few are as strict as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

There are many reasons why HIPAA compliance is so critical. First, a data breach exposes patients’ confidential records. This not only breaks patients’ trust; it is also a major privacy invasion. Moreover, if the breach is made public, the health care provider’s reputation is damaged.

There are also serious financial consequences. In fact, both the health care provider and their MSPs could be on the hook for fines and penalties.

Roy Herron, systems analyst for the Methodist Healthcare Ministries (MHM) in San Antonio, was well versed in HIPAA and the compliance benefits of VSA by Kaseya. Prior to working for the healthcare organization, Herron had worked for a managed services provider (MSP), where he became acquainted with the remote monitoring and management (RMM) solution. He knew the software would be able to bring IT efficiency and compliance to the fast-growing healthcare system.

Compliance and Security

As a healthcare concern, MHM has serious compliance regulations to meet. “VSA is a big help in keeping costs down and allowing us to stay in compliance with HIPAA and the HITECH Act,” Herron said. While complying with these regulations takes a lot of effort, it also creates a safer environment. “The HITECH Portability Act is a big component of our security checklist. It helps keep everything up to date, which is a big thing to protect from breaches,” he added.

VSA also comes in handy when dealing with breaches. “I use it to correlate data if we have a suspected breach. I correlate between our Active Directory, DNS, who logged on to the machine, and what is going on,” Herron said.

Value of Auditing

Auditing is important to understand where your IT infrastructure has been and to protect the network. It is also absolutely critical for compliance. “Auditing allows me to change local usernames and disable them to keep well-known usernames from being used against our system for breaches. Instead of having to change the administrator password, I send out a bulk one and it is done like that,” Herron said. “I have auditing trails on every one of our computers and see who is logged in currently or who logged in.”

Remote Control and Management

MHM employees are scattered throughout rural areas in South Texas. With “half of our people in San Antonio and 100 to 120 users in remote very rural areas,” according to Herron, sending technicians to these sites was becoming unwieldy.

VSA has been a total game changer. “VSA has made it way more efficient. I do not have to take four hours out of my day where I cannot take calls, do tickets, or help anybody out,” Herron said. “VSA keeps us from having to send a technician out to fix their computer. I remote-on to it to help them with whatever they need, such as email or our next-generation health system, and fix it in five to 10 minutes.”

The Power of Patching

With most breaches impacting unpatched computers, keeping machines up to date is an essential safeguard. “I use VSA for Windows patch management instead of having to have three or four different servers just to manage the patches. Everything is agent-driven right now. I have about a 92 percent patch rate within a week of when a new Microsoft patch is released. It is easy to set up. I did not have to tie in with everything else. You set up your policies and automation — and let it go,” Herron said.

Multiplatform is also essential. “It patches third-party software, not just the Microsoft Windows updates. I patch Firefox, Java, and some Flash. That is a big help. Otherwise, you probably have to send somebody out to physically patch each system, or spend tens of thousands of dollars on SCCM or SCE from Microsoft,” he said.

Meanwhile, the unified interface makes tasks easier to perform and manage. “The single pane of glass lets me see a group of our users and patching states. I can push everything out from my desk. Over the course of the day, it saves me probably two to three hours walking around,” he said.

Role of Reporting

Reporting is another key VSA attribute. “VSA lets me do reports to see which machines don’t have a service running or if something’s wrong. It tells me if they have not been patched, or how many patches are missing. That is big for compliance. One of the big factors in keeping your environment secure is patching,” he said.

Connecting with Live Connect

VSA’s Live Connect brings remote access to a completely new level, providing fast access to the computer even while an end user is working. “I am a heavy user of Live Connect, using it for command prompt scripts or VBS scripts that need to run, and to transfer files between computers. I also see in real time the processor usage and memory usage so I can tell that a machine may need more memory, or something on the computer is eating up the processes,” he said.

VSA and Live Connect are a big part of the IT efficiency story. “The time savings is plus or minus 20 to 30 minutes on a single call. It keeps call volume down, and our throughput has gone up significantly — probably by as much as 75 percent,” Herron estimated.

Two-Factor Authentication Adds an Extra Layer of Protection

MHM has just acquired AuthAnvil by Kaseya, which offers two-factor authentication (2FA). Herron is contemplating ways to put it to work. “We are looking at use cases like tying it into our electronic health record system and using it for sign-ins and sign-outs,” he said.

Herron also likes the idea of password cycling. If a password changes every five minutes, even if an intruder gets the password, it will change in a matter of minutes – blocking access.

Read the full case study here.

The Importance of Compliance and Risk Assessments
https://www.kaseya.com/blog/the-importance-of-compliance-and-risk-assessments/ | Fri, 09 Mar 2018 14:37:22 +0000

Compliance is critical for many industries. Finance, banking, healthcare — virtually all companies, at least in the United States, beyond a certain size or publicly owned face compliance rules. And with GDPR coming on May 25 and new regulation emerging worldwide, compliance is an issue the world over.

Penalties for violations can be huge, and non-compliance is practically a welcome mat for cybercrime, resulting in loss of reputation and financial disaster.

Whether you are an IT pro or service provider, you cannot create a compliance plan unless you understand the current state of your business. That requires an in-depth and disciplined assessment.

RapidFire Tools Inc., which supplies HIPAA-compliance assessment tools, surveyed MSPs about the value of assessments. It found that service providers use these assessments to start conversations with new prospects and ultimately gain new clients. One MSP respondent increased revenue by over $12,000 a month.

According to the Kaseya 2018 MSP Benchmark Survey, 52 percent of MSPs worldwide (and 55 percent in EMEA) offer compliance assessments. These assessments benefit the MSP and its customers, providing the MSP with opportunities for new revenue streams as well as awareness of changes that must be implemented to protect both businesses.

Accounting, consulting and technology firm Crowe Horwath has a step-by-step process that starts with defining the goals. “Assessments work to determine the scope of compliance activities throughout the organization, the effectiveness of the compliance program, and to what extent the organization’s culture is conducive to compliance activities. An assessment can give the organization an idea of its compliance program’s strengths, weaknesses, and areas in which it can improve,” the firm explains.

Assessors should not have to start from scratch but can rely on existing documents related to compliance. “Examples of relevant documents that typically are collected and reviewed during an assessment include:

  • Organizational charts of executive leadership and the compliance office
  • Policies and procedures related to the compliance office or high-risk areas
  • Examples of employee compliance training exercises and samples of communications made to employees about compliance code of conduct
  • Samples of compliance monitoring and compliance work plans
  • Previous compliance program assessments
  • Compliance risk assessments and compliance risk assessment policies”

Getting to Know the Players

Assessors need to not only understand the organization’s structure and roles, but also get to know the people themselves. This can be done through interviews. The document review helps prepare assessors for these conversations. The goal is to understand how well key players understand compliance and if they are able to define their risks and take action to mitigate them.

Individuals who might be interviewed include people directly responsible for managing compliance, employees whose jobs require following compliance guidelines, and business leadership.

Conducting Gap Analysis

A Gap Analysis will show where the organization is already in compliance and what steps need to be taken to ensure complete adherence. The analysis “should reveal existing compliance program trends within the organization, including program strengths and opportunities for improvement. In addition, the assessor should make recommendations to the organization based on best practices observed in leading organizations that are of a similar size and structure to the one being assessed,” the firm explains.

This should all be codified in a final report that defines what is good and recommends specific improvements.

Financial advisory firm Deloitte explains why compliance assessment isn’t enough in its whitepaper, “Compliance risk assessments: The third ingredient in a world-class ethics and compliance program.”

Many organizations may think they are all set with compliance because they have performed a risk assessment. However, compliance and risk, while related, require different processes. “How is a compliance risk assessment different from other risk assessments? Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives,” Deloitte explains.

“The compliance risk assessment will help the organization understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. An effectively designed compliance risk assessment also helps organizations prioritize risks, map these risks to the applicable risk owners, and effectively allocate resources to risk mitigation.”

Who Does What?

Once you identify who is who and who does what, you can define clear assignments. “Establish clear risk ownership of specific risks and drive toward better transparency: A comprehensive compliance risk assessment will help identify those individuals responsible for managing each type of risk, and make it easier for executives to get a handle on risk mitigation activities, remediation efforts, and emerging risk exposures,” Deloitte advises.

Part of this is an assessment that calls for clear steps. “Make the assessment actionable: The assessment both prioritizes risks and indicates how they should be mitigated or remediated. Remediation actions should be universally understood and viable across borders. Be sure the output of the risk assessment can be used in operational planning to allocate resources and that it can also serve as the starting point for testing and monitoring programs,” the firm concludes.

Compliance work is never done, Deloitte cautions. “Treat the assessment as a living, breathing document: Once you allocate resources to mitigate or remediate compliance risks, the potential severity of those risks will change. The same goes for events in the business environment. All of this should drive changes to the assessment itself,” Deloitte writes. “Periodically repeat the risk assessment: Effective compliance risk assessments strive to ensure a consistent approach that continues to be implemented over time, e.g., every one or two years. At the same time, risk intelligence requires ongoing analysis and environment scanning to identify emerging risks or early warning signs.”

Learn More

To discover more best practices for surviving a compliance audit, download the whitepaper, “Compliance: How a Layered Approach Helps you Breeze Through Audits,” and to see how MSPs can turn assessments into a revenue stream, attend the on-demand webinar, “Compliance Audits: The Opportunities and Risks for MSPs.”

The post The Importance of Compliance and Risk Assessments appeared first on Kaseya.

13 Things Every MSP Should Know About HIPAA https://www.kaseya.com/blog/13-things-every-msp-should-know-about-hipaa/ Thu, 01 Jun 2017 20:36:58 +0000 http://blog.kaseya.com/?p=4585

Knowing HIPAA isn’t just important for healthcare work – it is an absolute requirement.

You must be provably HIPAA-compliant. An MSP can’t do any HIPAA-related work without being HIPAA compliant. Note that there is no official HIPAA certification (HHS does not recognize one), so “provably” means a documented risk analysis, written policies and safeguards you can show an auditor. The good news is that once you can demonstrate compliance you can vie for HIPAA contracts, and because you are credentialed and knowledgeable, you can charge a premium for your services.

1. Penalties are serious.

Huge healthcare operations all know HIPAA. They have to. They are the ones most impacted by the rules, and most likely to be subject to frequent audits. Smaller operations aren’t always prepared for the risks. But penalties are more than serious.

Here are just a few of the fines dished out in the United States in recent years:

  • Affinity Health Plan paid $1.2 million because it didn’t erase the drives on its advanced photocopiers before returning them to the company that leased them.
  • WellPoint didn’t secure an online health database and paid $1.7 million.
  • The Massachusetts Eye and Ear Infirmary failed to encrypt physicians’ laptops and was hit with a $1.5 million fine.
  • Phoenix Cardiac Surgery posted patient appointments on a publicly accessible online calendar and paid $100,000.
  • A Walgreens in Indiana breached a single patient’s privacy and paid her $1.44 million.
  • An Idaho-based hospice lost a laptop due to theft. The fine was $50,000.
  • A medical practice in Phoenix sent patient data over insecure email, and was fined $100,000.
  • A pediatric practice in Massachusetts lost a flash drive and settled for a $150,000 fine
  • Another stolen laptop in Boston had the doctor paying $1 million.
  • A lost backup drive cost the Alaska State Health Department $1.7 million.

This only scratches the surface. HHS keeps an extensive public list of breaches and enforcement actions.

2. Encryption is your friend.

HIPAA calls for all ePHI that is transmitted electronically to be protected, which is best done by strong encryption. In fact, ePHI that is encrypted in line with HHS guidance (NIST-consistent algorithms, with the decryption key stored separately from the data) is not “unsecured PHI,” so if that data is breached, or an already-encrypted device is lost, there is no reportable breach and no breach penalty for the MSP or the client, provided the key was not compromised along with it.

3. MSPs are responsible when clients run afoul of HIPAA.

Clients are known as covered entities and by definition are responsible for being in compliance with all aspects of HIPAA. MSPs that create, receive, maintain or transmit ePHI for healthcare clients are Business Associates and, since the 2013 Omnibus Rule, are directly liable under the Security Rule themselves, not just through their contract with the client.

4. Your potential clients probably don’t care about HIPAA nearly as much as you do.

Very large hospitals and other big healthcare organizations care about HIPAA. And they can most afford to take HIPAA seriously, pay for the technology to support compliance, and train their workers. Unfortunately, the majority of small practices don’t much care about HIPAA – they haven’t been audited and don’t expect to.

Your job is to convince them otherwise. They need to know that a HIPAA fine could be financially devastating and ruin the trust between them and their patients – a real business crusher. Smaller healthcare organizations are most in need of MSP HIPAA services since they aren’t closely aligned with large insurance companies and hospitals.

5. The security assessment is the first major step in an MSP HIPAA engagement.

In some cases, an MSP may do a basic security assessment to convince a healthcare prospect that HIPAA compliance is actually important and they need outside help to achieve it. Once a client is hooked, a deep-dive security assessment will define what needs to be changed immediately, what new technologies should be put in place, and how MSP services such as RMM and authentication and access management can help achieve HIPAA compliance. With a rich-enough set of offerings, you’ll be able to sell Compliance-as-a-Service to healthcare – and hopefully beyond.

6. It pays to document.

HIPAA rules require that MSPs, as business associates, must document the protective measures in place for ePHI. These documents must be given to all staff and they should understand what they mean.

7. You need a HIPAA Business Associate Agreement (BAA).

The HIPAA Omnibus Final Rule required that Business Associates get BAAs with their clients, the covered entity. This basically says that the BA promises to stay in compliance with all HIPAA regulations and keep ePHI safe.

8. Encryption is a confusing aspect of the rules, but err on the side of caution anyway.

Encryption is one area where HIPAA isn’t completely explicit. Instead, the HHS talks about doing “what is reasonable and appropriate” to protect ePHI, and then says:

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:

  • Implement the addressable implementation specifications
  • Implement one or more alternative security measures to accomplish the same purpose
  • Not implement either an addressable implementation specification or an alternative

This basically says the healthcare player or BA must find an effective way to secure data. One of the biggest issues is data in transit. Here the only way to know the data is protected is to strongly encrypt it. So while HIPAA doesn’t specifically require encryption, encryption is the only reasonable and viable way to meet HIPAA demands that ePHI is always protected.

9. Why you want encryption anyway.

Chances are your risk assessment, even an early stage assessment, called for encryption. That makes it a need. Encryption can keep you out of trouble. Many HIPAA fines are due to lost or stolen devices containing ePHI. The good news is that a lost or stolen device does not trigger breach notification, or the fines that come with a breach, if the ePHI on it was encrypted in line with HHS guidance and the key was not lost with it. You still log it as a security incident and document why the safe harbor applies; you just do not have to notify HHS or the patients.

10. The risk assessment is your friend.

This is another great idea that HIPAA codifies. The Security Rule requires a risk analysis, and the Omnibus Rule made Business Associates directly liable for it, so the assessment is required for covered entities and Business Associates alike.

The assessment covers:

  • Security policies relative to HIPAA
  • An analysis of vulnerabilities, risks and system threats
  • A plan for protecting and securing ePHI no matter where it is

11. You must have a security incident response plan (SIRP).

Also a HIPAA need-to-have, a SIRP details and documents what will be done in the case of a security breach or other security event. Part of this is logging and tracking security incidents so you can show which ones did, and did not, result in ePHI being compromised. In the event of an attack or breach (even just an attempt) you should document what happened and the incident’s severity. Keep the distinction straight: a security incident is something the Security Rule requires you to identify, respond to and document; a breach of unsecured PHI is what triggers the Breach Notification Rule. Breaches affecting 500 or more individuals must be reported to HHS (and to the affected individuals) without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered.
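As an added worked example (mine, not from the original post or Kaseya), here is a small triage helper in Python that applies the encryption safe harbor from point 9 and the notification thresholds from point 11 to a lost-device incident. The Incident fields, the function names and the sample incidents are constructed for the illustration; the rules encoded are the Breach Notification Rule’s 60-day window, the 500-individual threshold for prompt HHS notice, the annual log for smaller breaches, and the media-notice threshold of more than 500 residents of one state.

```python
"""Breach-notification triage for a lost or stolen device holding ePHI.

Illustration only: the Incident dataclass and helper names are assumed,
not part of any Kaseya product or the original post.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# "Without unreasonable delay and in no case later than 60 calendar days."
NOTICE_WINDOW = timedelta(days=60)


@dataclass
class Incident:
    discovered: date                   # day the breach was (or should have been) known
    individuals: int                   # people whose PHI was on the device
    encrypted: bool                    # encrypted consistent with HHS guidance (NIST)?
    key_compromised: bool = False      # key or passphrase lost/exposed with the device?
    max_residents_one_state: int = 0   # largest affected count in any single state
    low_probability_of_compromise: bool = False  # documented four-factor risk assessment outcome
    discovered_by_ba: bool = False     # found by the business associate, not the covered entity


def is_unsecured_phi(inc: Incident) -> bool:
    """Safe harbor: PHI encrypted per HHS guidance, with the key intact, is 'secured'.
    Losing the key alongside the data voids the safe harbor."""
    return not (inc.encrypted and not inc.key_compromised)


def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and by when; None means no notice is owed."""
    plan = {
        "reportable_breach": False,
        "individual_notice_by": None,
        "hhs_notice_by": None,
        "media_notice_by": None,
        "ba_to_covered_entity_by": None,
    }
    if not is_unsecured_phi(inc):
        return plan                       # secured PHI: log internally, no notification
    # An impermissible disclosure of unsecured PHI is presumed a breach unless a
    # documented risk assessment shows a low probability of compromise.
    if inc.low_probability_of_compromise:
        return plan
    plan["reportable_breach"] = True
    deadline = inc.discovered + NOTICE_WINDOW
    plan["individual_notice_by"] = deadline
    if inc.discovered_by_ba:
        plan["ba_to_covered_entity_by"] = deadline   # BA notifies the covered entity
    if inc.individuals >= 500:
        plan["hhs_notice_by"] = deadline             # reported alongside individual notice
    else:
        year_end = date(inc.discovered.year, 12, 31)
        plan["hhs_notice_by"] = year_end + NOTICE_WINDOW   # annual log submission
    if inc.max_residents_one_state > 500:
        plan["media_notice_by"] = deadline           # prominent media outlet in that state
    return plan


# Constructed sample incidents, all "discovered" on 15 March 2017.
LOST_ENCRYPTED_LAPTOP = Incident(date(2017, 3, 15), 1200, encrypted=True)
LOST_PLAINTEXT_LAPTOP = Incident(date(2017, 3, 15), 1200, encrypted=False,
                                 max_residents_one_state=800, discovered_by_ba=True)
LOST_PLAINTEXT_USB = Incident(date(2017, 3, 15), 40, encrypted=False)


if __name__ == "__main__":
    for name, inc in [("encrypted laptop", LOST_ENCRYPTED_LAPTOP),
                      ("plaintext laptop", LOST_PLAINTEXT_LAPTOP),
                      ("plaintext USB", LOST_PLAINTEXT_USB)]:
        print(name, notification_plan(inc))
```

The point the helper makes is the one the post does: the encrypted laptop falls out of the process entirely, while the same device unencrypted owes notices to individuals, HHS and the media within 60 days, and even the 40-record USB stick still has to be reported to HHS by the following March.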

12. An MSP is the best defense in the case of an audit.

An audit is when a healthcare organization is vetted to make sure it is in compliance. The aim is to define the state of the organization and see what steps are needed to improve. OCR audits are not on a fixed yearly cycle, but the Security Rule does require a periodic technical and nontechnical evaluation of your safeguards, so treat that evaluation as an annual exercise and you will be ready when an audit does come. Most healthcare organizations, even large ones, are not generally equipped to handle an audit, with all its complexity.

An MSP is best equipped for an audit because the MSP has put in place all the needed security measures. The MSP has all the event logs and reports on who accessed what and when through Remote Monitoring and Management (RMM).

13. Access safeguards and controls require a new approach to authentication and access management.

One of the biggest issues, in fact, the crux of the HIPAA matter, is making sure only those with the proper authority can access ePHI and the systems that contain it. Information access management policies and procedures are key to locking down unauthorized access to ePHI and other health data.

Download the ebook “The IT Pro’s Guide to Minimizing Healthcare Compliance Risk” to discover the functionalities essential to an IT management system that will help ensure your compliance needs are met.

The post 13 Things Every MSP Should Know About HIPAA appeared first on Kaseya.

How to Craft Contracts, SLAs and Master Services Agreements for MSPs https://www.kaseya.com/blog/how-to-craft-contracts-slas-and-master-services-agreements-for-msps/ Wed, 07 Sep 2016 15:14:25 +0000 http://blog.kaseya.com/?p=4319

You might think the root of MSP revenue is services, and that is true. But it is contracts that define these revenues and, properly written, ensure the money you earn keeps rolling in on a regular basis.

In fact, contracts are a cornerstone to any thriving MSP, serving many essential functions, including serving as a bond between client and provider. As such they should be treated and crafted with care.

Mastering Master Service Agreements

Many MSPs prefer a Master Services Agreement (MSA), which is a more detailed style of contract. Because MSAs tend to be highly technical, about half of these contracts are prepared without help from an attorney, according to the MSP Alliance. The main issue is the cost of legal counsel. However, MSPs sometimes believe these MSAs are good to go because the MSP professionals who wrote them understand their business and technology.

But a good MSA also covers many legal issues not normally dealt with in simpler contracts, which is another reason legal oversight is critical. These legal issues are far beyond the purview of MSP staffers. Consequently, whether it’s a simple contract or a richer Master Services Agreement, a lawyer and an experienced accountant should take a deep look at the documents before any signatures are placed.

In addition, MSAs and Service Level Agreements (SLAs) don’t just help the relationship run more smoothly ─ they can be a key part of the sales process. That’s because they should detail for the clients the precise value they will obtain from your services as well as your commitment to deliver them.

Contracts such as MSAs are also a key way to build and sustain revenue, and increase the value of your business. “The contracts an MSP has with its customers represent the primary component of the business’ value. The reason the contracts are so vital is the value of the business is determined by some multiple of the monthly recurring revenues,” wrote attorney Robert J. Scott in A Legal Guide to Managed Services. “Strong monthly recurring revenues generated under sound contracts are the key ingredient of business valuation.”

Scott & Scott detailed key items that should be in the MSA’s Statement of Services, including:

  • Term of Agreement
  • Holiday Availability
  • Proprietary Rights
  • Intellectual Property Rights
  • Independent Contractor
  • Client Covenants
  • Insurance
  • Taxes
  • Non-Solicitation
  • Warranties
  • Limitations of Liability
  • Termination of the Agreement
  • Integration Clauses

Here is one example of a provision that could or should be in your MSA, according to the law firm:

MSP will provide the following services:

  • Perform necessary remediation steps associated with the daily alerts and tickets
  • Prepare and implement a maintenance checklist.
  • Make recommendations based on weekly reports
  • Review and maintain all network related documentation
  • Review monitoring scripts/tools required for daily review and make recommendations for improvements

The Importance of a Rigorous SLA

SLAs are the other key contract an MSP may have with a client. Because the MSP is committing to a particular level of service, and penalties are attached, these contracts should, obviously, be well thought out.

Partner advocacy organization CompTIA agrees. “One of the most contentious issues in managed services is availability. No matter what you think the verbal agreement was, don’t be surprised if the customer later develops a different understanding about your availability. Maybe they’ll want 24/7 support, or have unrealistic expectations about response and resolution times,” CompTIA explained. The only answer is a contract that clearly establishes SLAs and protects both parties.

Meanwhile, here is a quick legal SLA checklist from Robert J. Scott:

“There are a number of ways to calculate a service level for purposes of an SLA. Successful availability provisions will include:

  • The definition of availability, including any exclusions
  • The time period that will be used to measure availability (e.g., monthly, quarterly, etc.)
  • The method in which the availability will be calculated, and what, if any computers will be excluded from the calculation of availability
  • The percentage of availability the MSP is promising
  • Consequences for availability failures
  • If monetary credits are available for availability failures, the method by which the credit will be calculated and the maximum credit available for the applicable time period”
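To make that checklist concrete, here is an added Python example (mine, not Kaseya’s or Scott & Scott’s) that computes one month’s availability from an outage list, removes the windows the SLA excludes from measurement, and applies a tiered credit schedule with a cap. The credit tiers, the cap, the monthly fee and the sample outages are all assumed for the illustration; exclusion windows are assumed not to overlap one another.

```python
"""Monthly SLA availability and service-credit calculation.

Illustration only; the tiers, cap, fee and sample outages are made up.
"""
from datetime import datetime


def overlap_seconds(a_start, a_end, b_start, b_end):
    """Seconds shared by intervals [a_start, a_end) and [b_start, b_end); 0 if none."""
    start = max(a_start, b_start)
    end = min(a_end, b_end)
    return max(0.0, (end - start).total_seconds())


def availability_pct(period_start, period_end, outages, exclusions):
    """Availability over the measurement period, in percent.

    outages    -- list of (start, end) datetimes when the service was down
    exclusions -- non-overlapping (start, end) windows the SLA removes from the
                  measurement (scheduled maintenance, customer-caused outages)
    """
    total = (period_end - period_start).total_seconds()
    excluded = sum(overlap_seconds(period_start, period_end, xs, xe) for xs, xe in exclusions)
    measured = total - excluded
    if measured <= 0:
        raise ValueError("exclusions cover the whole period; nothing to measure")
    downtime = 0.0
    for s, e in outages:
        s, e = max(s, period_start), min(e, period_end)   # clip to the period
        if s >= e:
            continue
        # Downtime inside an exclusion window does not count against the MSP.
        in_exclusion = sum(overlap_seconds(s, e, xs, xe) for xs, xe in exclusions)
        downtime += (e - s).total_seconds() - in_exclusion
    return 100.0 * (measured - downtime) / measured


# Credit schedule: (minimum availability %, credit as % of the monthly fee),
# checked from best tier to worst. Assumed figures, not from any real SLA.
CREDIT_TIERS = [(99.9, 0.0), (99.0, 10.0), (95.0, 25.0)]
BELOW_ALL_TIERS_CREDIT = 50.0
MAX_CREDIT_PCT = 25.0   # the maximum credit the SLA allows per period


def service_credit(availability, monthly_fee):
    """Return (credit percent, credit amount) for the measured availability."""
    for floor, pct in CREDIT_TIERS:
        if availability >= floor:
            credit_pct = pct
            break
    else:
        credit_pct = BELOW_ALL_TIERS_CREDIT
    credit_pct = min(credit_pct, MAX_CREDIT_PCT)   # apply the contractual cap
    return credit_pct, round(monthly_fee * credit_pct / 100.0, 2)


def monthly_report(period_start, period_end, outages, exclusions, monthly_fee):
    avail = availability_pct(period_start, period_end, outages, exclusions)
    credit_pct, credit = service_credit(avail, monthly_fee)
    return {"availability_pct": avail, "credit_pct": credit_pct, "credit": credit}


# Constructed sample month: March 2017, one maintenance window, three outages.
PERIOD = (datetime(2017, 3, 1), datetime(2017, 4, 1))
MAINTENANCE = [(datetime(2017, 3, 4, 2, 0), datetime(2017, 3, 4, 4, 0))]
OUTAGES = [
    (datetime(2017, 3, 4, 1, 30), datetime(2017, 3, 4, 2, 30)),    # half falls inside maintenance
    (datetime(2017, 3, 10, 10, 0), datetime(2017, 3, 10, 12, 0)),
    (datetime(2017, 3, 20, 8, 0), datetime(2017, 3, 20, 8, 30)),
]


def sample_report():
    return monthly_report(PERIOD[0], PERIOD[1], OUTAGES, MAINTENANCE, monthly_fee=5000.0)


if __name__ == "__main__":
    print(sample_report())
```

Every item on the checklist maps to a line of code: the definition of availability and its exclusions is the `exclusions` handling, the measurement period is `PERIOD`, the calculation method is `availability_pct`, the promised percentage and the consequences are `CREDIT_TIERS`, and the maximum credit is `MAX_CREDIT_PCT`. If any of those are left to interpretation in the contract, this is the arithmetic the two sides will later argue about.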

May the “Force Majeure” Be With You

Projects are not always 100% predictable. You could make a good faith effort to complete a project, and have the effort delayed by events outside anyone’s control, such as a natural disaster or a regional outage. In legal terms this is “force majeure,” and a force majeure clause excuses the delay so that the missed date is not a breach of contract on your part; your contract should also state that you are still paid for the work delivered despite the unforeseen delay. Of course, the best approach is to keep the client in the loop; they probably want the work done at least as much as you.

Protecting Your Intellectual Property

You may not realize just how much of your intellectual property ends up in clients’ hands. It may be as simple as scripts to drive automation, or larger pieces of software your team has developed. Some of these items could, or may already, be patented.

To protect this, the contract should specify that the intellectual property belongs to you, and you alone.

Protecting Confidentiality and Trade Secrets

The same protection is critical for trade secrets such as pricing, discounts, SLA terms, warranties, and special technologies. Your contract should include a non-disclosure clause to protect these secrets. And since fair is fair, you should consider a similar clause protecting client confidentiality if asked.

CompTIA Lends a Hand

CompTIA has significant resources to help service providers with contracts, with some free and others, such as contract templates, available to registered or premium members.

The partner organization also has a useful free overview of why you should use contracts (many MSPs don’t and usually come to rue that decision) and the basics of how to go about it in How Written Contracts can Help your Business.

CompTIA argues that contracts are essential protection for MSPs, and should be dispensed with only in limited circumstances – such as ultra-simple engagements. Partly, this is because of the implied contract in doing work for another party. “Most people believe there is no contract if they didn’t sign something. But there is. It is called an oral agreement and they are just as enforceable as written ones. The problem is you won’t necessarily be the person deciding what the terms of an oral contract are if there is a dispute. A judge or jury will do that for you. The question is:  do you really want to accept that risk?” the group asked.

Another issue is that if you don’t craft a contract, your customer may do so anyway in the form of a PO. “You may have been in the position of agreeing to provide services to a customer, and shortly thereafter the customer sends you a purchase order. You turn it over and notice a full page of legal terms on the back,” CompTIA mused. “You now have a written contract whether you wanted one or not. It’s highly unlikely the terms on the PO are to your advantage. They were drafted from the customer’s perspective. But if you had a written agreement it wouldn’t be an issue.”

Such a contract, crafted by you and representing your interests, can negate and void the items listed in legalese on the client PO.

A contract should not be one-sided. Instead, it should treat clients with respect, spelling out what you are responsible for, where those responsibilities end and do so in a multifaceted way.

Here are some areas CompTIA suggests your contracts cover.

  • “If you install software how long is it expected to function?
  • If you do break/fix work, how long will the equipment remain up and running?
  • What level of service are you guaranteeing? Are you promising absolute perfection, or merely that the work will be in accord with generally accepted IT standards?
  • What happens if the customer starts doing things that you feel should void the warranty? For example, what about customers who decide to tinker with software or hardware you installed, and wind up making a problem worse?”

How to Say Goodbye

Breakups can come from either side, and either way you want to be protected. Sometimes you are the one to call it quits, and you want to make sure there are no negative repercussions. Your contract should specify under what circumstances you can break it. Maybe the client is slow in writing checks or refuses to pay, implements their own conflicting technology, or has employee behavior that works against your efforts. Or perhaps they demand work that isn’t called for in the contract.

On the other hand, you also need to be protected if the client breaks the contract. They may back out before the duration of the contract is complete, leaving you holding costs related to the entire duration. Or maybe you started a major project, made investments, and the contract was broken before the services were rendered and paid for.

Here CompTIA weighs in. “You’ve just booked new business. Say you have to make some up-front investments before you can begin the work. Maybe you need to buy equipment or perhaps license new software. Maybe you need to hire additional help, or get some additional training. What if you make these investments, and then receive a call from the customer stating he’s decided to go with another provider. You can’t demand payment for the work because you didn’t do it yet,” the organization argued. “What are your options? Without a written contract there are not many. A written contract will specify what expenses you are entitled to be compensated for. More importantly, a written contract gives the road rules for how, why, and when a party is allowed to back out of a deal.”

Don’t Make These Mistakes

Gary Pica, an MSP veteran and leading pundit, has been through countless client engagements, and highlights mistakes you must avoid. The first is setting the wrong price. “If you incorrectly price and package your services, there are going to be negative ramifications for your employees and the client you’ve just signed. You may over-promise on what your employees can actually deliver, or you could end up in a situation where the client isn’t getting the level of service they were expecting,” Pica, president of TruMethods, an MSP consultancy, wrote.

Pica also believes that less is more. “Transparency is key to avoiding future lawsuits that may arise from broken MSP business agreements. The longer and more complicated your agreement is, the less your client is going to trust you. Don’t create a 10-page agreement that deals with a variety of items that will never happen or that you can’t control,” Pica argued.

While Pica advises a bit of brevity, don’t take this too far. “Sometimes an agreement covers a lot but misses a few critical items for protecting your MSP. The most important role of a business agreement is to safeguard your MSP from liability in the event that things go wrong, so including a liability clause is essential. Protecting your employees is also important, so it’s a good idea to formulate a non-compete clause. Start with the most important items to protect you and your business,” Pica wrote.

Which Brings Us Back to the Beginning

I started this blog by highlighting how essential contracts are to the ongoing health of your MSP.  Crafted well, contracts are the building blocks for successful, ongoing business engagements with your growing list of clients.  Clear, well-documented expectations on both sides mitigate confusion on service levels, and point to solutions when problems, inevitably, arise.

Contracts are not the place to scrimp – make sure your contracts, MSAs and SLAs are carefully thought out, and fully vetted by legal and financial counsel.

If you’re interested in other building blocks for a successful MSP, check out Kaseya’s whitepaper, “Your Roadmap in an MSP 2.0 World.”


The post How to Craft Contracts, SLAs and Master Services Agreements for MSPs appeared first on Kaseya.
