Compliance as a Service Best Practices: Assess, Address, and Maintain

Compliance can be the basis for a comprehensive managed services package that addresses all of your client’s IT needs while meeting regulatory or industry requirements.

compliance audit

Before Steve Rutkovitz was CEO of Choice Cybersecurity, he was a managed services provider (MSP) in the Maryland-DC area for 21 years. Although he worked clients in highly regulated industries like finance and healthcare, he says he realized “everyone was winging it when it came to security and compliance.”

With his market impacted by stricter regulations and standards and a riskier security landscape, Rutkovitz set off in a new direction. Choice Cybersecurity is a pure play security and Compliance as a Service provider that works with MSPs and directly with companies to get them into compliance and increase security. He has found that the best approach is a repeatable process with three objectives: assess, address and maintain.


Using a compliance and security framework, Rutkovitz conducts a risk assessment and gap analysis. The framework is based on the regulations or best practices the business must follow. For example, a healthcare organization needs to focus on HIPAA compliance, while a government agency may need to follow NIST SP-800 171. If your client collects data from European citizens, they may need to comply with EU’s General Data Protection Regulation (GDPR). Rutkovitz says it’s possible for a business to be subject to multiple regulatory standards or best practices, but its best to focus on one at a time rather than trying to address them in the same assessment.

The assessment includes a series of scans that reveal the types of data the client is storing. “What you hear from the client may be different than what you find,” Rutkovitz points out. “They may say they don’t need to comply with GDPR, but then you find 5,000 European addresses.”

It’s also vital to scan for any vulnerabilities that may be present in their system. “After doing hundreds of assessments, we can see the risk and vulnerabilities pretty quickly,” Rutkovitz says. Scans also allow you to check for newly discovered vulnerabilities that cybercriminals are exploiting. “The big SharePoint vulnerability that was announced — we would know if they have it, zero in, and button it up quickly,” he comments. “If we can stay one step ahead, we can protect them,” he says.

Rutkovitz says it’s also crucial to understand the types of solutions the client is running, SaaS, on-premises, or hybrid, which need to be assessed against specific standards. He adds that IoT system risks are up 600 percent. “When we scan for vulnerabilities, we look at more than servers and workstations,” he says. “You need to take more of an overall approach when looking at risks. Looking at whatever the onramp could be.”


Once you determine the client’s needs for compliance, you need to provide those solutions and services. Also, you need to ensure third-party vendors with remote access to your client’s system also have the proper compliance and security posture in place.

Your client may have to implement new policies for compliance, such as enforcing hardened passwords and two-factor authentication. Training and education on the importance of new policies can also be an essential step toward employee adoption.

MSPs may also need to advise their clients on how to manage data to stay in compliance. They may be required to encrypt sensitive data when it’s transmitted or stored or archive or delete data after a specified time.

Following your client’s compliance framework, you also need to develop a strategic plan that they will follow if a security breach occurs. Taking a proactive approach can minimize data loss, liability — and confusion. “You need to think it out up front, so everyone knows what to do and how to go into action,” he says.


When all necessary solutions are in place, the final phase is executing ongoing Compliance as a Service to monitor the client’s system to ensure security and compliance in a continually changing landscape. As new risks appear or new regulations are introduced, you can address them immediately.

You also need to report activity to your clients and show trends, demonstrating that their business is in compliance, has a reduced security risk — and that you are providing them with continuing value.

Know Your Limits

Adding security and compliance services to your offering can be a great way to expand your business into a fast-growing market, but Rutkovitz advises to do so in a measured way.

“Best practices are one thing, but putting them into practice is another,” said Rutkovitz. “Do you have the right resources? Can you afford to spend the time necessary to fully understand compliance and security … or might it be cost prohibitive for you learn everything you need to know? We ultimately evolved to become a compliance as a service provider because we felt compliance and security required full, singular focus and dedication. Maybe you’d rather focus on your core strengths and outsource the work to an expert. That’s the decision you’ll have to make.”