Compliance as a Service Best Practices: Assess, Address, and Maintain

Compliance can be the basis for a comprehensive managed services package that addresses all of your client’s IT needs while meeting regulatory or industry requirements.

compliance audit

Before Steve Rutkovitz was CEO of Choice Cyber Solutions, he was a managed services provider (MSP) in the Maryland-DC area for 21 years. Although he worked with clients in highly regulated industries like finance and healthcare, he says he realized “everyone was winging it when it came to security and compliance.”

With his market impacted by stricter regulations and standards and a riskier security landscape, Rutkovitz set off in a new direction. Choice Cyber Solutions is a pure-play security and Compliance as a Service provider that works with MSPs and directly with companies to get them into compliance and increase security. He has found that the best approach is a repeatable process with three objectives: assess, address and maintain.


Rutkovitz conducts a risk assessment and gap analysis using a compliance and security framework. The framework is based on the regulations or best practices the business must follow. For example, a healthcare organization needs to focus on HIPAA compliance. And if your client collects data from European citizens, they may need to comply with the EU’s General Data Protection Regulation (GDPR). Rutkovitz says a business can be subject to multiple regulatory standards or best practices, but it’s best to focus on one at a time rather than trying to address them in the same assessment.

The assessment includes a series of scans that reveal the types of data the client is storing. “What you hear from the client may be different than what you find,” Rutkovitz points out. “They may say they don’t need to comply with GDPR, but then you find 5,000 European addresses.”

It’s also vital to scan for any vulnerabilities that may be present in their system. “After doing hundreds of assessments, we can see the risk and vulnerabilities pretty quickly,” Rutkovitz says. Scans also allow you to check for newly discovered vulnerabilities that cybercriminals are exploiting. “The big SharePoint vulnerability that was announced – we would know if they have it, zero in, and button it up quickly,” he comments. “If we can stay one step ahead, we can protect them,” he says.

Rutkovitz says it’s also crucial to understand the types of solutions the client is running, SaaS, on-premises, or hybrid, which need to be assessed against specific standards. He adds that IoT system risks are increasing. “When we scan for vulnerabilities, we look at more than servers and workstations,” he says. “You need to take more of an overall approach when looking at risks. Looking at whatever the onramp could be.”


Once you determine the client’s compliance needs, you must provide those solutions and services. You must also ensure that third-party vendors with remote access to your client’s system have the proper compliance and security posture.

Your client may have to implement new compliance policies, such as enforcing hardened passwords and two-factor authentication. Training and education on the importance of new policies can also be an essential step toward employee adoption.

MSPs may also need to advise their clients on how to manage data to stay in compliance. For example, they may be required to encrypt sensitive data when transmitted, stored or archived or delete data after a specified time.

Following your client’s compliance framework, you must develop a strategic plan they will follow if a security breach occurs. Again, taking a proactive approach can minimize data loss, liability – and confusion. “You need to think it out upfront so everyone knows what to do and how to go into action,” he says.


When all necessary solutions are in place, the final phase is executing ongoing Compliance as a Service to monitor the client’s system to ensure security and compliance in a continually changing landscape. As new risks appear or new regulations are introduced, you can address them immediately.

You also need to report activity to your clients to show trends, demonstrating that their business complies, has a reduced security risk and that you’re providing them with continuing value.

Know Your Limits

Adding security and compliance services to your offering can be a great way to expand your business into a fast-growing market. Still, Rutkovitz advises doing so in a measured way.

“Best practices are one thing, but putting them into practice is another,” said Rutkovitz. “Do you have the right resources? Can you afford to spend the time necessary to understand compliance and security fully, or might it be cost-prohibitive to learn everything you need to know? We ultimately evolved into a Compliance as a Service provider because compliance and security required full, singular focus and dedication. However, perhaps you’d rather focus on your core strengths and outsource the work to an expert. That’s the decision you’ll have to make.”