MSP: Is Your New Digital Service Compliant?
Blog Article Published: 12/15/2017
By Eitan Bremler, VP Marketing and Product Management, Safe-T Data

Offering managed services seems like an easy proposition. You offer IT services for companies that don't have the infrastructure to support their own, bundle in services like cloud storage or remote desktop access, then sit back and watch the money roll in. Of course, that's a dramatic oversimplification of how an MSP works, especially because this description contains a rather substantial omission: security. As an MSP, you're handling sensitive digital data from dozens of companies. Not only are you subject to well-known compliance regimes such as PCI DSS and HIPAA, you might also be subject to newer regulations from the NY DFS or, soon, the GDPR. Some of these regimes are known quantities and others not so much, but if you fail to follow them, one thing is certain: your customers will quickly cut ties. How can managed service providers provide secure and compliant digital services?

MSPs Are Likely to Be Covered by Multiple Overlapping Compliance Regimes

Each managed services provider is likely to be covered by at least one of the following four compliance regimes, depending on who it does business with.
- If you touch PHI from a healthcare provider, you are subject to HIPAA and must execute a Business Associate Agreement (BAA) before you're allowed to start working with them.
- If you process credit card numbers, or store credit card numbers for another company, you are subject to PCI DSS, in the latter case as a service provider rather than a merchant. The standard's requirements are the same for everyone, but how you must validate compliance scales with transaction volume: lower levels self-assess with a questionnaire (SAQ), while the highest level requires an annual on-site assessment by a Qualified Security Assessor (QSA). It therefore pays to keep track of how many transactions you're handling.
- If you work with a company that's under the jurisdiction of New York's Department of Financial Services, then you will be affected by the cybersecurity regulation the DFS put into effect in March 2017 (23 NYCRR Part 500). It mandates a number of security controls for covered entities, among them a documented risk assessment, access controls, encryption of nonpublic information, periodic penetration testing and vulnerability assessments, and an annual certification of compliance filed with the DFS. It also requires covered entities to impose security policies on their third-party service providers, which is how the obligations reach an MSP.
- If you work with a company that processes the personal data of individuals in the EU, or do business with an EU company directly, then from May 25th, 2018, you will be subject to the GDPR, whether as a controller or, more typically for an MSP, as a processor acting on a customer's documented instructions.