This template is superseded by the MSP Cybersecurity Jumpstart.
This article details the Improving Cybersecurity of Managed Service Providers template discussed at Schnizzfest 2020.
With the increasing number of cybersecurity attacks on small to medium-sized businesses, malicious threat actors have diverted their attention to a more vulnerable target: the Managed Service Provider (MSP). A lack of cybersecurity controls and privacy policies makes the MSP a prime target, primarily due to their direct access to their clients’ sensitive data. As more industries begin tightening their security standards, threats migrate to the weakest link.
The National Cybersecurity Center of Excellence (NCCoE), in collaboration with the National Institute of Standards and Technology (NIST), recently developed a draft document titled Improving Cybersecurity of Managed Service Providers, providing guidance to MSPs on improving their own cybersecurity and, in turn, their customers'.
According to the NCCoE document, the project intends to provide the following guidance:
- Improved cybersecurity awareness
- Improved hardware and software asset management
- Improved system and data access control
- Improved cybersecurity of an MSP’s IT infrastructure
- Improved design, acquisition, and integration of secure technologies
The design and implementation of a cybersecurity plan is based on each MSP's individual needs.
Scope of Template
The NCCoE documentation provides guidance based on the NIST Cybersecurity Framework version 1.1. More accurately, their project focuses on the first three Functions: Identify, Protect, and Detect. The remaining two, Respond and Recover, are not included in their documentation. This is where the NCCoE and TruMethods versions differ: the inclusion of all five Functions of the CSF. We developed our standards around securing an MSP for the following reasons:
- The NCCoE documentation does not include all CSF Functions.
- Every MSP is different and providing a well-rounded set of standards helps develop their cybersecurity program.
- Developing, managing, and updating a template within myITprocess benefits anyone using the product for standards, alignment, compliance, strategy, and budgeting.
TruMethods used NCCoE guidance as a catalyst to improve on cybersecurity policies and privacy for MSPs. We felt the inclusion of all five Functions was necessary for a complete cybersecurity evaluation. The TruMethods version, "Improving Cybersecurity of Managed Service Providers," is a template used within the myITprocess software. It is not provided in other formats and is exclusive to myITprocess.
The MSP cybersecurity template borrows from the original five Functions of the CSF. While Identify, Protect, and Detect are important, the Respond and Recover steps round out an effective security program.
Another benefit of the template is readability. Original NIST documentation is vague and open-ended, which is by design but tends to confuse those tasked with reading and understanding the objectives. The CSF does not provide ample guidance, except referencing other sources like COBIT, ISA, and CIS. There is no objective answer on how to implement each subcategory.
Our simplified version of the CSF helps MSPs get a jumpstart on their cybersecurity program. Once in place, ongoing implementation of the CSF maintains that program. The five Functional categories outlined in the TruMethods template are:
- IDENTIFY: Manage Cybersecurity Risk to Systems, People, Assets, and Data
- PROTECT: Implement Safeguards to Ensure Delivery of Critical Services
- DETECT: Determine the Occurrence of Cybersecurity Events
- RESPOND: Take Action on Detected Cybersecurity Incidents
- RECOVER: Restore Services Impaired due to Cybersecurity Incidents
Assumptions
Use of the "Improving Cybersecurity of Managed Service Providers" myITprocess template assumes that:
- You are an active member of TruMethods with appropriate licenses to use myITprocess.
- You own an MSP that has little to no cybersecurity program in place.
- You will complete a self-assessment and submit feedback within a reasonable amount of time.
- Maintaining a cybersecurity program is important to your success and to the success of your customers.
Background
As various industries grow, they become more prone to attack. For instance, the financial industry was a large target for hackers seeking to access and steal financial data. The reason: little to no security measures. This led to legislation enacting laws and regulations that mandate cybersecurity protections in the banking and finance field. Once the walls were up, threat actors moved on to other, less-secure industries like healthcare.
The freshest trend in IT services is outsourcing to a third-party provider. Many SMBs cannot sustain an in-house IT department due to the costs of maintaining employees. Outsourcing a vendor for support, budgeting, and strategy has become the norm while paying less than a full-time employee.
Now that most industries have mandatory compliance requirements, attacking them directly has become more difficult. The workaround is to circumvent business defenses by tunneling through IT services providers. Even though an MSP makes recommendations and implements security measures for customers, it does not make a considerable effort to secure its own facilities.
Many forms of cybersecurity compliance exist, with notable mentions from NIST, CIS, COBIT, and even most governments through legislation. The truth is most organizations will not perform a self-assessment using the NIST CSF because it is tedious and not straightforward. The myITprocess template narrows the objectives down to an acceptable level. Simplified wording, along with details on why each standard is relevant, adds clarification.
Security Control Map
The table below details the Functions, Categories, and Subcategories used to create the myITprocess "Improving Cybersecurity of Managed Service Providers" template. The last column shows the questions derived from the subcategories that are included in the template. Notable differences from the NCCoE documentation:
- Inclusion of the Respond and Recover Functions.
- Extra Categories and Subcategories to produce a more complete cybersecurity program.
- Simplification of objectives and justification for the implementation of each component.
- Integrates into myITprocess reviews and generates a report for those particular questions.
- Initiates the steps of implementing a proper cybersecurity program using the NIST Cybersecurity Framework.
Table 1: Security Control Map (NIST CSF > myITprocess)
Question Distribution
The questions among the five Functions are not equally distributed; that is, the total number of questions (56) does not imply an average of 11 per Function. When choosing questions from the many subcategories, more weight was placed on the first three Functions, especially the Protect category, than on the others. The graph below displays the distribution of questions.
Graph 1: Distribution of Questions
Respond and Recover make up a small percentage of the total. It is vital to include these areas for a complete cybersecurity program.
Relevant Standards & Guidance
The myITprocess template is straightforward and requires less effort than the CSF. As with other myITprocess standards, justifying a recommendation is important. It is advisable to leverage best practices, regulations, and guides when defining standards. The list below can help further your research for standards in the IT industry.
- NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF), Version 1.1
- NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST Federal Information Processing Standards (FIPS) 197, Advanced Encryption Standard (AES)
- NIST Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems
- Center for Internet Security (CIS) Controls 7.1