The Four Pillars of Risk Management for MSPs - Policies and Procedures
Policies and Procedures
In our last article, we discussed the importance of reviewing your current contracts to make sure that you are protecting yourself against new threats, not just from nefarious parties but from your vendors and your clients.
In part two of our series we'll look at policies and procedures you should be implementing in your MSP practice. As with your contracts, you may have created policies and procedures over the years that are simply not adequate in today's threat landscape.
According to Rob Scott of Scott and Scott LLP, a basic set of policies would include:
Written information security policy
Breach incident response plan
Acceptable use policy
Other policies required by regulation
Information Security Policy
Your information security policy outlines the procedures by which you keep data in your organization confidential, ensure its integrity, and always make it available to those that need it. As an MSP, your ISP should include policies and procedures by which you protect data for your clients as well.
Confidentiality
Your ISP must address how you are securing access to your data to ensure only those with a need to access it have the rights to do so. This includes people inside your organization as well as those from the outside. This aspect of your security policy would include standard permissions for access to data based on individual credentials, role, and/or location. Strict procedures for the on-boarding and off-boarding of employees would be outlined in the ISP, ensuring that the process is followed and repeated for all employees. Your organization may include a zero-trust policy whereby the basic profile of a user is provided access to nothing. Only those permissions necessary for the function of the employee are given, on an as-needed basis. The location of sensitive and protected data is identified and permissions are applied accordingly.
Details such as password strength, multi-factor authentication, and remote access would be discussed.
Any Data Loss Prevention (DLP) measures, such as outbound email filtering, and Mobile Device Management (MDM) would be articulated in the ISP.
Security monitoring systems such as a Security Information and Event Management (SIEM) system, Managed Detection and Response (MDR), or Endpoint Detection and Response (EDR) would be described in the ISP.
Integrity
The ISP needs to ensure that the data within your organization can be trusted. Processes must be put in place to detect and identify any attempt to modify data in an unauthorized manner, either through error or malicious behavior. The ISP should identify processes that ensure that systems in place to protect access to the data are configured properly and remain so. As an example, change control procedures should ensure that proposed changes to systems are reviewed in advance and the changes are documented properly. Auditing should be enabled on all systems to make sure that those responsible for making changes are identified.
Your security policy will include procedures for workflow as well. As an example, Rob Scott recommends a policy of requiring verbal confirmation of wire transfers of monies. In recent years, CEO fraud has resulted in companies fraudulently wiring millions of dollars based on a forged email sent from within the corporate email system.
Availability
As part of your ISP you must ensure that corporate data is available when it is needed. This includes a comprehensive disaster recovery plan. Disasters come in all shapes and sizes, from something as simple as a user erroneously deleting an entire data set, to major equipment failures, to a ransomware attack, to catastrophic earthquakes.
Your disaster recovery plan must identify your backup and restoration procedures. Those procedures must address the Recovery Time Objective (how long can a system be down) and Recovery Point Objective (how much data can you lose). Systems and procedures must be able to make the data available to the users within the RTO, based on the severity of the incident and the criticality of the system.
The DR plan must be tested periodically to ensure the RTO can be reasonably met in the event of a true disaster.
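The RTO/RPO check described above can be made concrete when a DR test is run. The following is an added example (not code from the original article or from any vendor it mentions): it parses a constructed backup-job log, finds the last successful backup before a simulated incident time, compares the resulting data-loss window against a per-tier RPO, and compares the restore time measured during the test against the tier's RTO. The tier names, objectives, system names and log lines are all hypothetical values chosen for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical recovery objectives per criticality tier (constructed values,
# not taken from the article or any framework).
TIER_OBJECTIVES = {
    "critical": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "important": {"rto": timedelta(hours=24), "rpo": timedelta(hours=8)},
    "standard": {"rto": timedelta(days=3), "rpo": timedelta(hours=24)},
}

# Constructed sample backup-job log: one "<ISO timestamp> <system> <status>" line per job.
SAMPLE_BACKUP_LOG = """\
2024-03-01T00:05:00 erp-db success
2024-03-01T01:05:00 erp-db success
2024-03-01T02:05:00 erp-db failed
2024-03-01T03:05:00 erp-db failed
2024-02-29T22:00:00 fileserver success
2024-03-01T06:00:00 fileserver success
2024-03-01T00:00:00 wiki success
2024-03-01T02:00:00 crm-db failed
"""


def parse_backup_log(text):
    """Group successful backup completion times by system name."""
    successes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, system, status = line.split()
        successes.setdefault(system, [])
        if status == "success":
            successes[system].append(datetime.fromisoformat(stamp))
    return successes


def last_good_backup(times, incident_time):
    """Most recent successful backup at or before the incident, or None."""
    candidates = [t for t in times if t <= incident_time]
    return max(candidates) if candidates else None


def evaluate_system(system, tier, successes, incident_time, measured_restore):
    """Compare one system's achievable recovery against its tier's RPO and RTO.

    measured_restore is the restore duration observed during the DR test.
    """
    objectives = TIER_OBJECTIVES[tier]
    last_good = last_good_backup(successes.get(system, []), incident_time)
    data_loss = incident_time - last_good if last_good else None
    return {
        "system": system,
        "tier": tier,
        "last_good_backup": last_good,
        "data_loss": data_loss,
        # No restorable backup before the incident means the RPO cannot be met.
        "rpo_met": data_loss is not None and data_loss <= objectives["rpo"],
        "rto_met": measured_restore <= objectives["rto"],
    }


def dr_test_report(backup_log, incident_time, systems):
    """systems: list of (name, tier, measured_restore). Returns one evaluation per system."""
    successes = parse_backup_log(backup_log)
    return [evaluate_system(name, tier, successes, incident_time, restore)
            for name, tier, restore in systems]


def gaps(results):
    """Names of systems whose DR test missed either objective."""
    return [r["system"] for r in results if not (r["rpo_met"] and r["rto_met"])]


def run_sample():
    """Run the constructed scenario: a simulated incident at 03:30 on 2024-03-01."""
    incident = datetime.fromisoformat("2024-03-01T03:30:00")
    return dr_test_report(SAMPLE_BACKUP_LOG, incident, [
        ("erp-db", "critical", timedelta(hours=3)),      # hourly backups, last two failed
        ("fileserver", "important", timedelta(hours=30)),  # restore took longer than RTO
        ("wiki", "standard", timedelta(hours=1)),
        ("crm-db", "critical", timedelta(hours=2)),      # no successful backup at all
    ])


if __name__ == "__main__":
    results = run_sample()
    for r in results:
        print(f"{r['system']:<11} tier={r['tier']:<9} loss={r['data_loss']} "
              f"rpo_met={r['rpo_met']} rto_met={r['rto_met']}")
    print("needs remediation:", gaps(results))
```

The point of separating "last successful backup" from "last scheduled backup" is that failed jobs silently widen the data-loss window; in the sample, the hourly-backed-up system misses its RPO because its two most recent jobs failed, which is exactly the kind of gap a periodic DR test is meant to surface.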
As an MSP, the information security policy for your organization can serve as the framework for the ISP for your clients' networks.
Acceptable Use Policy
The Acceptable Use Policy for your organization should provide users with a clear understanding of what they can and cannot do. The existence of the AUP would be identified in the Information Security Policy, likely as a document presented to new employees when they are on-boarded. The details of acceptable and unacceptable behavior are articulated in the AUP itself. Users are made aware of their responsibilities to help keep corporate data secure and available.
Core to the AUP is the explanation that the corporate network is company property and the rules set forth by the AUP must be abided by in order to retain access to the network. The AUP usually includes obvious restrictions on illegal activities, obscene or offensive behavior, and accessing known rogue web-sites. Companies may include other restrictions such as limiting access to social media sites, shopping sites, gambling sites, etc.
Many organizations also state in their AUP that the email system is a corporate asset and therefore all mail flowing through the system is the property of the organization. Employees should be aware that the company reserves the right to open and read all email in the event it is required.
Breach Incident Response Plan
In the event a security breach is detected, a set of procedures must be identified that users and management can follow in response.
An IRP identifies the various organizational members and teams that will be involved in any response and the responsibilities those individuals and teams will have in responding. These will likely include the CISO, members of the executive team, the privacy/compliance officer, and certain department heads. The IRP may classify the protected information and assign severity levels based on the sensitivity of specific information.
The IRP will identify the workflow of an incident response, including what information is provided to whom, whether law enforcement needs to be involved, who is authorized to speak on behalf of the organization, and what information should be disseminated.
As security breaches can take many forms and the severity of the incident can vary, the IRP needs to be flexible but clear. Typically, when a security breach is detected, time is of the essence. The plan needs to be relatively simple. Employees at all levels of the organization need to be informed of its existence and trained on it. If the plan is too complicated it will likely lead to confusion and potentially make a bad situation worse.
As an MSP servicing your clients, you may identify that a breach has occurred in your client's network. It is critical that your staff be trained not only on how to react to the breach, but also on what they should and should not do. It is also important that your staff knows what should be communicated. According to Joe Brunsman in his YouTube podcast "MSP Liability Considerations After Client's 'Cyber Event'", MSPs should follow three major steps: Identify, Contain, and Refrain. Brunsman explains that MSPs should be able to identify a breach and take immediate measures to contain it. However, if the MSP does not have a credentialed forensics practice, they should stop there and have the client engage a forensics team to identify the extent of the damage. The MSP should also refrain from providing any legal advice whatsoever. This includes not recommending that the client pay any ransom or other concessions. It is important that your staff does not make inadvertent comments that can be misconstrued as legal advice or as indications that the issue is resolved when no forensics have been performed.
Again, the existence of the IRP is described in the Information Security Policy with the details being articulated in the IRP itself.
Training and Testing
Policies that are written and distributed once and forgotten are useless. It is important that organizations train their end user community on the policies continually. Most of us have by now implemented end user security training in our organization in order to make sure our employees can detect phishing attempts and other email fraud. It is a natural extension to include continual training on Acceptable Use Policies and Incident Response Plans.
IT teams should be testing these policies and procedures regularly to identify gaps in the plan and ensure they can be followed easily in the event of an incident. Simple tabletop exercises can simulate a situation and provide great insight into how well the policy is performing and how well it is understood.
Relationship to Common Security Framework
A few weeks back I wrote an article about the importance of adopting a common security framework such as NIST or CIS. Whichever framework you choose, it will provide the underlying foundation of your Information Security Policy. Each control typically maps to a process or procedure that should be included in your Information Security Policy. Depending on which level of the framework you decide to implement, those controls would be included in your ISP.
By certifying on that framework you would ensure that your policies and procedures are reviewed on a periodic basis and therefore would not become out of date.
In part three of this series we'll look at cyber insurance and how implementing the things we have discussed so far will help you obtain quality insurance to protect your business and reduce your premiums.