20 Ways MSPs Can Be Security Heroes

The role of an MSP is an important one. MSPs want to help their clients create and maintain a strong security posture – that’s why, as an MSP, your clients come to you with information security problems that need to be fixed, ranging from disaster recovery to risk assessment services. Who finds those problems? Auditors and pen testers. Who determines if those problems are risky gaps in the client’s security posture? Auditors and penetration testers. When your clients go through information security audits for the first time, they should also go through a gap analysis – a process that identifies any operational, reporting, and compliance gaps. Once an organization knows their gaps, they can begin the remediation process. That’s where you come in.

As an MSP, when you can interpret gap analysis results, you can typically find more opportunities to grow your business with that client. How? By fixing the issues found during the gap analysis. Your clients walk away from audits and pen tests with information security problems that need to be fixed. Additionally, by encouraging your clients to undergo security testing and having a recommended vendor, you are seen as their trusted information security advisor. If you can speak from experience and have gone through an information security audit before, that’s even more valuable for your clients. They can trust your experience and be assured that you won’t bring more risk into their environment.

Clients trust you to cover their IT and information security needs – if you cannot read a gap analysis report or remediation plan, are you really serving them well? KirkpatrickPrice is here to educate and empower you to serve your clients better. Let’s take a look at 20 gaps that the average MSP could mitigate.


Have more questions after reading? Contact us today, and we’ll connect you with an expert on MSP services and partnerships.

Preparing for a CCPA Audit

The California Consumer Protection Act gives consumers more rights related to their personal data and requires businesses to be more transparent about the way personal data is used and shared. The law applies to certain businesses that collect, use, receive or transmit the personal data of California consumers. Specifically, this law applies to for-profit businesses that do business in California and meet at least one of these thresholds: annual gross revenues of over $25,000,000; buying, selling, or sharing the personal information of 50,000 or more consumers per year; or deriving 50% or more of their annual revenues from selling consumers’ personal information. The penalties for non-compliance vary depending on the entity issuing the penalty. If consumers pursue a private, class-action lawsuit, statutory damages could be between $1,000 and $3,000 or actual damages, whichever is greater. If the Attorney General issues fines for non-compliance, companies may be liable for paying fines up to $7,500 per violation. Additionally, in the event of a data breach, consumers can recover damages between $100 and $750 per consumer per incident.

These penalties for non-compliance mean more and more businesses must find a way to demonstrate their compliance with this privacy law. Compliance with CCPA revolves around four components: consumer rights, privacy disclosure, vendor contract management, and reasonable security measures.

Checklist for CCPA Audits

An audit is one way to prove your business’ compliance with CCPA and commitment to data privacy. During this audit, a third-party auditor that specializes in privacy practices will verify that your business appropriately safeguards personal information. How can you prepare for a CCPA audit? Start with this checklist:

  • Responding to Consumer Rights
  • Required Disclosures
  • Restrictions on Selling Personal Information
  • Data Retention
  • Reidentification of Personal Information
  • Permitted Financial Incentives for Collecting, Selling, and Deleting Personal Information
  • Employee Training Related to Consumer Rights
  • Third Party Oversight
  • Duty to Implement and Maintain Reasonable Security Measures
  • Breach Response


Interested in taking your privacy practices to the next level through a CCPA audit? KirkpatrickPrice’s team of privacy experts assesses businesses’ protection of personal information and compliance with regulations like CCPA. Let’s plan your CCPA audit today!

How to Prepare for a FISMA Audit

FISMA is U.S. legislation enacted as part of the Electronic Government Act of 2002, intended to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction.

To comply with FISMA, organizations must demonstrate that they meet the standards set forth by NIST SP 800 series. Unique to a FISMA audit, organizations can tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements, and environments of operation. This type of compliance helps organizations obtain an ATO, attract more government contracts, provide interested parties with evidence of their FISMA compliance, confirm that their organization appropriately protects government information and assets, and demonstrate a commitment to confidentiality, integrity, and availability.

Checklist to Prepare for a FISMA Audit

A FISMA audit, like all other information security audits, is an initiative that requires organization, commitment, and investment from your team. In order to be successful and reap the benefits of compliance, preparation is crucial. So, how can you prepare for this type of audit?

Start with this checklist of controls before entering into a gap analysis or audit.

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity

Download the full checklist to learn more about these controls!

Interested in pursuing a FISMA audit? KirkpatrickPrice is committed to helping your organization protect government information and assets and tackle this compliance goal.

We offer gap analyses and remediation plans, along with audits based on the NIST SP 800 series. We can help you determine which you need to use, NIST SP 800-53 vs. NIST SP 800-171. When you partner with KirkpatrickPrice, you work with information security auditors who are senior-level experts, holding certifications like CISSP, CISA, CISM, and CRISC. Let’s plan your FISMA audit today.


Considering an Audit Readiness Tool? 4 Questions to Ask

Using KirkpatrickPrice for Audit Readiness

We’ve seen more and more automated solutions and tools enter the market that promise easy and cheap compliance, no commitment, and expert guidance. Don’t be fooled, though! These audit prep solutions and tools are actually only promising one thing: readiness.

Firms with automated solutions and tools focus solely on audit readiness; they cannot provide what you actually need, which is a reputable auditor to perform testing and deliver an audit report. KirkpatrickPrice, by contrast, provides a comprehensive audit experience and can take you from start to finish.

First, we’ll begin with readiness and remediation, then move into the audit, and finally, culminate with a high-quality audit report – all with expert auditor guidance along the way. Want to learn more about how KirkpatrickPrice’s readiness services can streamline your audit process? We’re ready to support your team in this compliance journey!

In order to debunk what readiness tools offer versus readiness options through your auditor, we recommend doing your due diligence and asking questions about the tools. Use this guide during your decision-making process!

Cheat Sheet for Office 365 Forwarding Rules

Protecting Your Office 365 Accounts

A key part of your organization’s information security strategy is correct configurations for Office 365, because compromising your Office 365 accounts is a gateway to much more sophisticated attacks. Many industry breach reports speculate that hacking Office 365 email accounts is the first thing an attacker wants to do, because it has the potential to give them access to so much more information. Phishing is an obvious attack method when it comes to email. In fact, in 2017, the Microsoft Office 365 security research team detected between 180-200 million phishing emails each month. These types of bulk attacks can pay off for attackers. According to Symantec, hacked email accounts in groups of 2,500 or more can be worth anywhere from $1 to $15.

Although more and more organizations are incorporating strong security measures into their strategies, it’s still crucial to actively protect Office 365 accounts. Following Office 365 best practices, receiving CISA alerts, and keeping up with new patches are three ways that you can stay up-to-date in your security measures. Microsoft has named 10 best practices for Office 365 business plans:

  1. Set up MFA
  2. Train your users
  3. Use dedicated admin accounts
  4. Raise the level of malware protection
  5. Protect against ransomware
  6. Stop auto-forwarding for email
  7. Use encryption
  8. Protect emails from phishing attacks
  9. Protect against malicious attachments and files
  10. Protect against phishing attacks using ATP Safe Links

Let’s highlight auto-forwarding – does your organization know how to check whether your Office 365 mail accounts have forwarding rules turned on and configured? This check will tell your team if any emails are auto-forwarded outside of your domain – which could be a sign of a compromised account. Office 365 ships a default alert for this – but do you know how to verify it? Download this guide to learn how to correctly configure your forwarding rules.
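As an added illustration of the check described above (this is example code written for this page, not the guide’s own script), the following Exchange Online PowerShell lists every mailbox whose mailbox-level forwarding or inbox rules send mail to a domain the tenant does not own. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read mailbox and rule settings; `Test-External` is a helper name introduced here.

```powershell
# Added example, not from the original guide: report Office 365 mailboxes that
# auto-forward or redirect mail outside the tenant's accepted domains.
# Assumes: ExchangeOnlineManagement module installed, read access to mailboxes.
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any other domain is treated as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-External([string]$target) {
    # Targets look like "smtp:user@example.com" or "Name [SMTP:user@example.com]".
    if ($target -match '([\w.+-]+)@([\w.-]+)') {
        return ($internal -notcontains $Matches[2].ToLower())
    }
    return $false   # a tenant recipient object reference, not an SMTP address
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin, or by someone who stole admin rights).
    #    ForwardingAddress points at a tenant recipient object and may be a mail
    #    contact for an outside address, so review those separately.
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'
            Target  = $mbx.ForwardingSmtpAddress; Rule = ''
        }
    }
    # 2. User-created inbox rules that forward, forward-as-attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ } | ForEach-Object { "$_" }
        foreach ($t in $targets) {
            if (Test-External $t) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                    Target  = $t; Rule = "$($rule.Name) (Enabled=$($rule.Enabled))"
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Calling Get-InboxRule once per mailbox is slow on large tenants, so schedule this as a periodic job and compare each run against the previous one to spot newly added external forwarding.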