| Authenticate and permit access only to authorized users; limit each user to the customer information their role needs; review access periodically. | Identity platform with RBAC and conditional access; least-privilege admin; documented joiner/mover/leaver workflow. | RBAC matrix · access-review sign-offs · offboarding tickets |
| Know where customer information sits: the data, the systems holding it, and how it flows — the map everything else depends on. | Asset inventory from the RMM plus a data map: where NPI lives (DMS, tax software, shares, email, paper) and how it flows in and out. | Asset list · data-flow diagram · annual refresh record |
| Encrypt customer information at rest and in transit over external networks; if truly infeasible, QI-approved compensating controls — documented. | Full-disk encryption on endpoints, encrypted servers/SaaS at rest, TLS enforcement, secure email/portal for sending customer documents. | Encryption status reports · TLS policy · secure-portal configuration |
| Secure practices for in-house applications touching customer information — and procedures to evaluate the security of third-party apps (DMS, tax software, CRMs). | For SMB clients this is mostly vendor diligence: security review of the DMS/CRM/tax platforms, patch posture, and SSO/MFA support before adoption. | App security questionnaires · vendor SOC 2/attestations on file |
| MFA for any individual accessing any information system holding customer information — staff, remote, vendor, and cloud logins alike — unless the QI approves an equivalent in writing. | MFA on email, VPN/remote access, DMS/LOB apps, cloud consoles, and the MSP's own tooling; phishing-resistant methods where available. | MFA enrollment reports · conditional-access policies · QI memos for any equivalents |
| Dispose of customer information no later than two years after last use unless retention is required or serves a legitimate purpose — with periodic review of retention practices. | Retention schedule (2-year default for NPI past last use), automated purge jobs where possible, shredding and certified media destruction. | Retention policy · purge logs · destruction certificates |
| Procedures to evaluate the security impact of changes to systems, networks, and applications before they land. | Ticketed changes with security-impact notes; maintenance windows; rollback plans — your existing RMM change process, formalized. | Change tickets with approvals · post-change review notes |
| Monitor and log authorized-user activity, and detect unauthorized access to — or use of — customer information. | EDR on all endpoints, log collection/SIEM for systems holding NPI, alerting on anomalous access, defined triage runbook. | SIEM retention settings · alert triage records · monthly monitoring summaries |
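The disposal row above asks for an automated purge job with a purge log as evidence. The following is an added example (not code from the original page or from any product it names) of the decision logic such a job needs: records past the two-year default are scheduled for destruction unless a documented hold exists, held records are logged for re-review rather than silently kept, and every decision produces a log line. The `Record` type, the 730-day cutoff, and the sample records are all constructed for illustration.

```python
"""Retention sweep for customer information (NPI): two-year default past
last use, with documented holds exempting a record from purge.
Added example; the record format and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RETENTION_DAYS = 2 * 365  # two-year default past last use (assumption: calendar days)


@dataclass(frozen=True)
class Record:
    path: str            # where the customer information lives (DMS path, share, etc.)
    last_used: date      # last access/use date from the system of record
    hold: Optional[str] = None  # documented reason to retain (legal hold, statute, open engagement)


def classify(records: List[Record], today: date,
             retention_days: int = RETENTION_DAYS) -> Tuple[List[Record], List[Record], List[Record]]:
    """Split records into (purge, keep, deferred).

    purge    : past retention and no documented hold -> schedule destruction
    keep     : still within the retention window
    deferred : past retention but a hold is documented -> retain, but surface for review
    """
    cutoff = today - timedelta(days=retention_days)
    purge, keep, deferred = [], [], []
    for r in records:
        if r.last_used > cutoff:
            keep.append(r)
        elif r.hold:
            deferred.append(r)
        else:
            purge.append(r)
    return purge, keep, deferred


def purge_log_lines(purge: List[Record], deferred: List[Record], today: date) -> List[str]:
    """Evidence lines for the purge log: one line per decision, including holds."""
    stamp = today.isoformat()
    lines = [f"{stamp} PURGE  {r.path} last_used={r.last_used.isoformat()}" for r in purge]
    lines += [f"{stamp} RETAIN {r.path} last_used={r.last_used.isoformat()} hold={r.hold!r}"
              for r in deferred]
    return lines


# Constructed sample inventory (not real client data).
SAMPLE_RECORDS = [
    Record("dms/clients/acme/2022/1040.pdf", date(2023, 1, 15)),                 # past two years -> purge
    Record("dms/clients/acme/2024/1040.pdf", date(2024, 11, 3)),                 # recent -> keep
    Record("dms/clients/bravo/2021/audit.zip", date(2022, 8, 20), hold="IRS examination open"),  # held
    Record("shares/tax/2023/w2-batch.csv", date(2023, 5, 30)),                   # past two years -> purge
]
SWEEP_DATE = date(2025, 6, 1)  # fixed date so the run is reproducible


def run_sweep() -> Tuple[List[str], List[str], List[str]]:
    """Run the sweep on the sample data; returns (purge paths, keep paths, deferred paths)."""
    purge, keep, deferred = classify(SAMPLE_RECORDS, SWEEP_DATE)
    return ([r.path for r in purge], [r.path for r in keep], [r.path for r in deferred])


if __name__ == "__main__":
    purge, keep, deferred = classify(SAMPLE_RECORDS, SWEEP_DATE)
    for line in purge_log_lines(purge, deferred, SWEEP_DATE):
        print(line)
```

The deferred bucket is the part worth keeping: a hold that quietly exempts a record forever defeats the "periodic review of retention practices" clause, so each held record is written to the same log the purges go to and lands on the next review.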
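The access-control row and the monitoring row together describe an RBAC matrix plus alerting on anomalous access to customer information. As an added example (not code from the original page or from any DMS or SIEM product), the script below runs two detections over a constructed document-management access log: access to a client folder outside the user's RBAC scope, and a bulk download of several documents inside a short window. The log line format, the `RBAC` matrix, the thresholds, and the sample lines are all assumptions made for the example.

```python
"""Detection pass over a constructed DMS access log: flags out-of-scope
access (against an RBAC matrix) and bulk downloads. Added example; the
log format, matrix and thresholds are assumptions, not a real product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed log format: "<ISO8601 UTC> user=<id> action=<view|download> doc=<path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$")

# Constructed RBAC matrix: the client folders each identity may touch.
RBAC = {
    "asmith": {"clients/acme", "clients/bravo"},
    "jdoe": {"clients/acme"},
    "helpdesk1": set(),   # support role: no customer-information access at all
}
BULK_THRESHOLD = 5                  # downloads ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse(line: str) -> Optional[dict]:
    """Parse one log line; None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def client_of(doc: str) -> str:
    """Map a document path to its client folder, e.g. clients/acme/2024/x.pdf -> clients/acme."""
    return "/".join(doc.split("/")[:2])


def detect(lines: List[str]) -> List[Tuple]:
    alerts: List[Tuple] = []
    downloads = defaultdict(list)  # user -> timestamps of recent downloads
    for line in lines:
        ev = parse(line)
        if ev is None:
            # A line the parser cannot read is itself worth a ticket: a format change
            # or tampering would otherwise silently blind the detection.
            alerts.append(("UNPARSED", line.strip()))
            continue
        scope = RBAC.get(ev["user"])
        if scope is None or client_of(ev["doc"]) not in scope:
            alerts.append(("OUT_OF_SCOPE", ev["user"], ev["doc"]))
        if ev["action"] == "download":
            recent = downloads[ev["user"]]
            recent.append(ev["ts"])
            recent[:] = [t for t in recent if ev["ts"] - t <= BULK_WINDOW]
            if len(recent) == BULK_THRESHOLD:  # fire once, when the threshold is first reached
                alerts.append(("BULK_DOWNLOAD", ev["user"], len(recent)))
    return alerts


# Constructed sample log (not real data). Mixed scope violations and a bulk pull.
SAMPLE_LOG = [
    "2025-06-02T14:01:10Z user=asmith action=view doc=clients/acme/2024/1040.pdf",
    "2025-06-02T14:02:30Z user=jdoe action=download doc=clients/bravo/2024/w2.pdf",
    "2025-06-02T14:03:00Z user=helpdesk1 action=view doc=clients/acme/2024/1040.pdf",
    "this line is not in the expected format",
    "2025-06-02T14:05:00Z user=asmith action=download doc=clients/acme/2024/1040.pdf",
    "2025-06-02T14:06:00Z user=asmith action=download doc=clients/acme/2024/sched-c.pdf",
    "2025-06-02T14:07:00Z user=asmith action=download doc=clients/bravo/2024/1040.pdf",
    "2025-06-02T14:08:00Z user=asmith action=download doc=clients/bravo/2024/w2.pdf",
    "2025-06-02T14:09:00Z user=asmith action=download doc=clients/bravo/2023/1040.pdf",
]


def run_detection() -> List[Tuple]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Every alert carries the user and document, which is what the triage runbook needs to decide between a role-scoping mistake (fix the RBAC matrix, record it at the next access review) and misuse (open the incident process). The monthly monitoring summary in the evidence column is then a count of these alerts by type and outcome.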