Journey of a CASP+

Part 3: Creating a Risk Assessment Program

Cyber Nullius
6 min read · Mar 31, 2024

Building a Risk Assessment Program

So at this point let us assume you now have stakeholder interest in the possibility of expanding into Governance, Risk, and Compliance (GRC). Where do you begin? How can an MSP/MSSP start the process of providing GRC services in a concise and business-conscious (i.e. profitable) manner? I began with risk — specifically risk assessments. My reasoning for this was simple: managed service (and security) providers should all be familiar with the process of validating prospective clients via network assessments.

Performing those assessments is critical to determining the needs of a potential new client, how to address those needs, and if both parties are a good fit for one another. With this simple concept in mind, I began creating a program that closely mirrored the sales → assessment → partnership process. Utilizing this “off-the-shelf” approach will hopefully keep training and retooling cycles to a minimum, reducing costs and increasing margins. So let’s take a look at what an example program would look like.

Garnering Interest

Before we look at the program itself I would like to touch upon the pre-sales stage with some benefits, objectives, and the importance of questions.

Objectives

Though far from exhaustive, I’ve focused in on a short list of three objectives that can help direct the course of a RA program.

  1. Establish a consistent, disciplined, and integrated approach to risk management
  2. Formalize the governance structure of the business
  3. Ensure continuous baseline compliance through “X” as a Service and other product stacks to minimize decision-making

Benefits

Achieving the above three objectives via a developed and supported RA program can provide a number of benefits to an organization, such as:

  1. Improved organizational support for IT
  2. Effective regulatory compliance
  3. Cost savings by avoiding downtime through compromise (average cost of one minute of IT downtime is about $5600)
  4. Minimize attack surface from third-party vendors (who represent 62% of network intrusion sources)
  5. Benefit from the increase in Safe Harbor laws

Questions

Lastly, I found an excellent series of thought-provoking questions from the client-side that MSP/MSSPs could benefit from reviewing and attempting to answer honestly. Proactively anticipating these questions and having exceptional answers could be leveraged as a marketing tool. Questions such as:

  1. Are you familiar with NIST 800-171, DFARS 7012, and CMMC?
  2. To which security framework do you align?
  3. Do you have a Customer Responsibility Matrix?
  4. How does your team access my environment?
  5. Do you have a SOC or SIEM?
  6. What internal governing policies does the MSP have in place?
  7. What risk assessment are you performing on tools that you add to your environment?
  8. Do you perform Incident Response support for our systems?
  9. What is the MSP's Incident Response Plan?

Using the above objectives, benefits, and questions as a “north star” of sorts, I began to think of what tools and services can be used for this program.

If You Only Have A Hammer, Everything Is A Nail

A risk assessment must ultimately map to one or more frameworks such as:

  1. CIS Critical Security Controls
  2. NIST RMF and CSF
  3. SOC2 Type 1 & Type 2
  4. ISO 27001 & 27701

During my research I found the IT Risk Assessment kit from ISACA to be incredibly helpful as it comes packaged with a set of documents that can be used for a “starter” risk assessment program. These documents (RAID Logs, Risk Matrix, Risk Register, RASCI Table) can be repurposed by each organization in accordance with whatever framework is most relevant.

There are also numerous assessment and environment management tools available (free and paid) that can assist with cataloging the current environment and mapping exceptions against a chosen framework. Simple tools such as security questionnaires and business process reviews can be developed in-house from open source references. Other tools and platforms such as Liongard, Nessus, Qualys, RapidFire, and ConnectWise can also be leveraged to track, alert on, and in some cases even remediate exceptions.

Of course, there is a cost-benefit analysis to be had for every tool and service. Naturally, open source tools are free, but may not have the features or support needed to make for a good part of an assessment program. Conversely, paid tools can be feature-rich and (ideally) have expert support teams available but cut into the margins of the RA program and run the risk of vendor lock-in/lock-out. Each MSP/MSSP will need to carefully examine their toolbox to ensure a balance is struck for a lean and capable program.

It’s All About “The Process”

Bearing in mind the natural aversion to cost that businesses have combined with the common view of IT being a “cost center”, I created a RA process organized into three modular sections. The sections are as follows:

  1. Module One — Crawl to Walk
  2. Module Two — Walk to Run
  3. Module Three — Run to Fly

These modules could be sold together or standalone depending on the maturity of the organization in question. Some may require a total overhaul (Crawl to Fly), others may just need to understand where they stand with compliance but can implement solutions in-house (Walk to Run), and others may just need a little push to get off the tarmac (Run to Fly). The goal is a program that is flexible enough to properly serve as many clients as possible.

Module One (Crawl to Walk) — Timeline 0–1 Months

The first module is comprised of the following steps:

  1. ID Client Industry
  2. ID Relevant Frameworks
  3. Map Framework Requirements to current Business Processes

This module would effectively amount to an advisory role with the intention of establishing context by identifying the goals and objectives of the business, whether they be cultural, legal, and/or operational. Selling this module as standalone would focus on creating and formalizing governance scope, roles, and responsibilities. Both versions would set a baseline from which staff can plan and prepare for continuous compliance operations. Documentation reviews should be viewed as mandatory throughout all three modules, as many frameworks require explicit documentation of the entire compliance pursuit. Finally, a readiness assessment should be performed near the conclusion of the module to confirm the organization's readiness to move on to Module Two.

Module Two (Walk to Run) — Timeline 1–2 Months

The second module includes the following:

  1. Perform Network Assessment
  2. Perform GAP Analysis
  3. Map Exceptions to Risk Matrix
  4. Determine Risk Management Strategy (Accept/Transfer/Mitigate/Avoid)

Module Two begins with the Risk/Network Assessment. I treat these two assessments as two sides of the same coin. Only after accurately inventorying an organization's assets, policies, and personnel can you accurately gauge all of the risks that apply. During the assessment you want to document existing controls and map them to a given standard, identifying exceptions to different risks via gap analysis. Once these exceptions have been evaluated, you must communicate the findings to stakeholders, documenting everything each step of the way, and determine which management strategy is to be used in accordance with the chosen standard.
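A small worked example of the gap analysis → risk matrix → strategy steps of Module Two, added here and not part of the original article: the control IDs, the 1-5 likelihood/impact scale, the matrix band thresholds and the default strategy per band are all assumptions chosen for illustration and would be replaced by the organization's chosen standard.

```python
# Constructed sample framework requirements (illustrative IDs, not real CIS/NIST numbering)
REQUIREMENTS = {
    "CTRL-01": "Maintain an inventory of enterprise assets",
    "CTRL-02": "Enforce MFA for remote and administrative access",
    "CTRL-03": "Retain centralized logs for at least 90 days",
    "CTRL-04": "Maintain a documented incident response plan",
}
# Constructed assessment findings: controls found in place, plus the assessor's
# likelihood/impact rating (1-5 each) for every requirement that is not met.
IMPLEMENTED = {"CTRL-01", "CTRL-04"}
EXPOSURE = {"CTRL-02": (4, 5), "CTRL-03": (3, 3)}

# Assumed 5x5 matrix bands on likelihood x impact; tune to the chosen standard.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]
# Assumed default treatment per band. Transfer (e.g. cyber insurance) is a stakeholder
# decision that cannot be derived from the score, so it is supplied via `overrides`.
DEFAULT_STRATEGY = {"Low": "Accept", "Medium": "Mitigate", "High": "Mitigate", "Critical": "Avoid"}

def gap_analysis(requirements, implemented):
    """Return the requirement IDs with no implemented control (the exceptions)."""
    return sorted(rid for rid in requirements if rid not in implemented)

def rate(likelihood, impact):
    """Place one exception on the risk matrix and return (score, band)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    band = next(name for limit, name in BANDS if score <= limit)
    return score, band

def build_register(requirements, implemented, exposure, overrides=None):
    """Map every exception onto the matrix and return register rows, highest risk first."""
    overrides = overrides or {}
    rows = []
    for rid in gap_analysis(requirements, implemented):
        if rid not in exposure:  # an unrated exception must not silently drop out of the register
            raise ValueError(f"exception {rid} has no likelihood/impact rating")
        likelihood, impact = exposure[rid]
        score, band = rate(likelihood, impact)
        rows.append({"id": rid, "requirement": requirements[rid], "likelihood": likelihood,
                     "impact": impact, "score": score, "band": band,
                     "strategy": overrides.get(rid, DEFAULT_STRATEGY[band])})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in build_register(REQUIREMENTS, IMPLEMENTED, EXPOSURE, overrides={"CTRL-03": "Transfer"}):
        print(f"{row['id']} {row['band']:<8} L{row['likelihood']} x I{row['impact']} = {row['score']:>2} -> {row['strategy']}")
```

The register rows are the raw material for the ISACA-style Risk Register mentioned earlier; the stakeholder meeting then confirms or overrides each suggested strategy.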

Module Three (Run to Fly) — Timeline 2–6 Months

The third module consists of the final few steps:

  1. Architect Solutions
  2. Implement Solutions
  3. Review, Reassess, Improve

Module Three focuses on building and implementing solutions that treat and manage risk in accordance with the chosen management strategy. Whether mitigating or monitoring a given risk, once a measure has been implemented, it must be documented and continuously reassessed. Adhering to a GRC framework is not a one-off project; it is a recurring task that will inevitably require rebuilding.

Outcomes and Goals

So what are some outcomes and goals that an MSP/MSSP should look for internally? As the average timeline for a compliance audit ranges from several months to over a year, we can look at some short and long term examples.

Short Term

The two most immediate outcomes of offering a risk assessment/compliance program are projects and contracts. Projects would include initial consulting, risk/net assessments, and solutions architecture/implementation. The ideal outcome from these projects is contracts, whether they be management, co-management, or “X” as a Service; all of which provide monthly recurring revenue (MRR).

Long Term

In addition to projects and contracts, once a client has become certified compliant, they will very likely wish to remain compliant. This means recurring certification and recertification as well as annual mini-audits (such as for ISO 27001) provide opportunities to generate further projects and contracts in a manner that naturally accounts for changes in standards and solutions.

Costs and Quoting

How much does this all cost a client? Factors such as scope, industry, and variance from an acceptable baseline will influence the final cost, but the average range is between $15,000-$40,000. Managed clients, especially SMBs, should require fewer labor hours and projects to reach an attestation-ready state. Rough examples would be around 24 labor hours for Module One, 6–12 hours for Module Two, and Module Three can vary wildly depending on the number and complexity of projects required to achieve compliance. These estimates also exclude any recurring services, contracts, etc.

Summary

Offering GRC services through a Risk Assessment program allows an MSP/MSSP to answer the important questions proactively, provide the benefits of risk and compliance programs through well-defined procedures, policies, and tools, and encourage B2B relationships to cultivate business value.

The next set of articles in this series will be a more granular look at the various tools and processes mentioned throughout this article.

Cyber Nullius

B.S. in Cybersecurity | CASP+ | CCNA | CTCE | Humble Beginner | Hopeful Space Traveler