Checklists do not equal compliance
One of the biggest gaps I see when talking to MSPs about security and compliance is a lack of understanding of the "why" behind the security checklist being rolled out in client environments. Many of us follow some checklist, especially for Microsoft 365, that we try to implement in each customer environment at onboarding. From there, we may use the Secure Score recommendations to fill in the gaps and relay the results to the customer to show the value of improving their security posture.
The gap appears when we start talking about the policy definitions you have in place and the "north star" framework you follow, the thing that gives your cybersecurity posture an organized structure. Time and resources are usually the largest constraint on improving posture, so we need to know which actions will have the most impact on our MSP and, in turn, on our downstream customers. Here are some questions you can ask yourself to gauge your operational maturity in this area:
- Do we follow some type of framework or standard that provides us a consistent approach to our cybersecurity strategy?
- Do we have policy definitions written and implemented across our customers, such as an incident response plan, vulnerability management, backup and disaster recovery, and so on?
- Do we have baseline policy definitions that can be adapted to the particulars of each customer environment?
- Do we have a formal review process for the policies and controls we have in place?
- Do we set current and target profiles for our organization as it relates to improvements in cybersecurity?
In many cases, MSPs have no formal policy definitions in place, and the cybersecurity lifecycle is ad hoc or purely reactive. If you want to level up in this area, check out the template I built that uses the CIS Controls as a north star: it helps you get organized today and puts a WHY behind the policies and controls you are implementing.
About the CIS Controls
The CIS Controls are a prioritized set of actionable security best practices developed by the Center for Internet Security (CIS) to help organizations defend against common cyber threats. They cover the essential areas of information security and provide a structured framework for securing IT systems and data. What makes the CIS Controls particularly useful are the Implementation Groups (IG1, IG2 and IG3), which let organizations of different sizes and maturity levels prioritize their security work: IG1 is the baseline of essential cyber hygiene that every organization should reach, and IG2 and IG3 add safeguards for organizations with more sensitive data, more resources, and more exposure. By working through the implementation groups in order, an organization starts by securing its most critical assets and processes and then builds out a more robust security program tailored to its needs. This tiered approach makes the CIS Controls a practical, scalable standard for businesses that want to strengthen their defenses methodically.
Compliance Optimization Assessment
I built a basic self-scoring assessment for the framework that you can use to find the gaps in your current cybersecurity posture. The goal of this self-assessment is to rate yourself across the CIS Controls on a current profile and a target profile.
The assessment has tabs for the self-assessment itself, including a current score and target scores.
I have also mapped recommended Microsoft security controls across Entra ID, Intune, Exchange, Teams, SharePoint, OneDrive, Defender, and Purview to the CIS Controls they support. This matrix includes the base license requirement for each control, along with checklist columns so you can track your progress implementing the controls across customers.
Power BI Template and Ebook
If you want to go beyond the self-scoring assessment, I have also created an enablement ebook and a multi-tenant Power BI template you can use to track these assessments over time, across all of your customers. The ebook also contains:
- Set-up instructions for each Microsoft control
- PowerShell Scripts
- Video Tutorials
- 40+ End-User notification templates for controls that impact end-users
Automate your M365 Assessment against the CIS Controls
I have also been working on a new cloud assessment tool that runs automated pass/fail checks of a Microsoft 365 tenant's security configuration against the CIS Controls. Here are some screenshots from the report it generates:
You can run a free assessment on a tenant by signing up below:
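To make the pass/fail idea concrete, here is an added example of a minimal assessment harness of the kind the tool above automates. This is illustration code, not the post's template or the assessment tool itself. The tenant snapshot is constructed sample data so the script runs offline; in a real run you would populate it from Microsoft Graph PowerShell (for example `Connect-MgGraph -Scopes 'Policy.Read.All'` followed by `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy` and `Get-MgIdentityConditionalAccessPolicy`). The check names, the mapping of each check to a CIS Control, the Global Administrator threshold, and the 100% target profile are all assumptions for the example; use your own matrix when you build this for real.

```powershell
# Added example (not the post's tool): pass/fail checks over a tenant snapshot,
# mapped to CIS Controls, with a current-vs-target profile summary.

# CONSTRUCTED sample data standing in for what you would pull from Microsoft Graph.
$Snapshot = [pscustomobject]@{
    SecurityDefaultsEnabled   = $false
    UnifiedAuditLogEnabled    = $true
    GlobalAdminCount          = 6
    ConditionalAccessPolicies = @(
        [pscustomobject]@{
            DisplayName    = 'Require MFA for admin roles'
            State          = 'enabled'
            GrantControls  = @('mfa')
            IncludeRoles   = @('Global Administrator', 'Exchange Administrator')
            ClientAppTypes = @('all')
        },
        [pscustomobject]@{
            DisplayName    = 'Block legacy authentication'
            State          = 'enabledForReportingButNotEnforced'   # report-only: observes, does not enforce
            GrantControls  = @('block')
            IncludeRoles   = @()
            ClientAppTypes = @('exchangeActiveSync', 'other')
        }
    )
}

# Each check carries an assumed CIS Control mapping, an implementation group,
# and a scriptblock that returns $true (pass) or $false (fail) for a snapshot.
$Checks = @(
    @{ Id = 'IDP-01'; CisControl = 'CIS 6 Access Control Management'; IG = 1
       Title = 'MFA enforced for administrative roles'
       Test  = { param($s)
           [bool]($s.ConditionalAccessPolicies | Where-Object {
               $_.State -eq 'enabled' -and $_.GrantControls -contains 'mfa' -and $_.IncludeRoles.Count -gt 0 }) } },
    @{ Id = 'IDP-02'; CisControl = 'CIS 4 Secure Configuration'; IG = 1
       Title = 'Legacy authentication blocked'
       Test  = { param($s)
           # A report-only policy must count as a FAIL: it is not enforcing anything yet.
           [bool]($s.ConditionalAccessPolicies | Where-Object {
               $_.State -eq 'enabled' -and $_.GrantControls -contains 'block' -and $_.ClientAppTypes -contains 'other' }) } },
    @{ Id = 'LOG-01'; CisControl = 'CIS 8 Audit Log Management'; IG = 1
       Title = 'Unified audit log enabled'
       Test  = { param($s) [bool]$s.UnifiedAuditLogEnabled } },
    @{ Id = 'ACC-01'; CisControl = 'CIS 5 Account Management'; IG = 1
       Title = 'Five or fewer Global Administrators'   # assumed threshold
       Test  = { param($s) $s.GlobalAdminCount -le 5 } }
)

function Invoke-TenantAssessment {
    param([Parameter(Mandatory)] $Snapshot, [Parameter(Mandatory)] $Checks)
    foreach ($c in $Checks) {
        $passed = $false
        try   { $passed = [bool](& $c.Test $Snapshot) }
        catch { $passed = $false }   # a check that throws is a FAIL, never a silent PASS
        $result = if ($passed) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Id = $c.Id; CisControl = $c.CisControl; IG = $c.IG; Title = $c.Title; Result = $result
        }
    }
}

$Results = Invoke-TenantAssessment -Snapshot $Snapshot -Checks $Checks
$Results | Format-Table -AutoSize

# Current profile = share of checks passing; target profile = the level agreed with the customer.
$PassCount = @($Results | Where-Object Result -eq 'PASS').Count
$Current   = [math]::Round(100 * $PassCount / @($Results).Count)
$Target    = 100   # assumed target: every IG1 check passing
"Current profile: $Current%   Target profile: $Target%   Gap: $($Target - $Current) points"
$Results | Where-Object Result -eq 'FAIL' |
    ForEach-Object { "  Gap -> $($_.Id) [$($_.CisControl)]: $($_.Title)" }
```

With the constructed snapshot, IDP-01 and LOG-01 pass while IDP-02 and ACC-01 fail, so the current profile is 50% against a 100% target, and the two failing checks become the prioritized gap list. The report-only Conditional Access policy is the case worth noticing: it shows up in the tenant and looks like coverage, but it enforces nothing, which is exactly the kind of detail a checklist tick hides and a pass/fail check tied to a control should catch.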