1.0 - Introduction
It's almost impossible to deliver Managed IT Support services to clients without also addressing cybersecurity at the same time. Because security has kind of 'crept up' on many MSPs over a long period of time, many of the core security services we perform for clients are actually included in our IT Support services themselves.
If you're building your security packages in HighGround and wondering 'why do they look so bad?' - there's a good chance you haven't included many of the core security services you provide through your existing IT Support Service.
Note: if you bundle IT Support and Security together into a single service offering to your clients, you can either follow the instructions in this article, or you can also build all of the same security components into a master service.
2.0 - Common cybersecurity features in your IT Support Service
Here is a list of the most common cybersecurity features that most MSPs are already including in their IT support service, and the associated service question you should select when performing the NIST Alignment when building a service.
Tip: you can add these by going to:
Sell > Services > Add/Edit Service
Click on any of the NIST pillars on the left (as shown below).
To learn more about security services in HighGround, read our Building your Security Services article.
What security you already do via IT support | Security Component | NIST Pillar | NIST Service Question |
Discussing and/or presenting your clients' cybersecurity risk and recommendations | Annual Cyber Board Review | Identify | Does this service involve discussing cybersecurity with the board and/or senior management teams (on at least an annual basis) to ensure members are adequately briefed on security risks, likelihoods and impacts and risk appetite understood? |
Discussing your clients' security obligations and making security recommendations to meet them | Security Frameworks | Identify | Does this service involve working with your client to understand and meet their legal, regulatory and contractual obligations for cybersecurity? |
Discussing your clients' data privacy obligations with them and giving them advice or recommendations, including recommending partners. | Data Privacy Frameworks | Identify | Does this service involve working with your client to understand and meet their legal, regulatory and contractual obligations for data privacy? |
Do you perform IT asset management for your clients? | Asset Management, Supply Chain Security Management | Identify | Does this service provide asset management of all organizational technology assets including hardware, software, networks, services, data repositories and suppliers? |
Do you perform technology strategy for your client (i.e. vCIO)? | Technology Strategy | | Is this a virtual CIO (vCIO) service to aid in the development, execution, continuous review and reporting of a security strategy that is aligned to organizational needs, expectations, risk appetite and obligations (legal, contractual)? |
Do you provide regular patch management for operating systems and 3rd party applications? | Patch Management | Protect | Does this service provide patch management for operating systems, applications and firmware on a continual basis, and within a maximum of 30 days from patch release? |
Do you mandate clients have a network firewall at all network edges? | Firewall & Intrusion Detection | Protect | Does this service include a Firewall at the perimeter of all ingress/egress points in the client's network and web infrastructure? |
Do you enable and enforce a firewall on all workstations, laptops and servers? | Firewall & Intrusion Detection | Protect | Does this service include enabling and centrally controlling a managed host-based Firewall on all devices? |
Do you mandate clients have Active Directory, EntraID or Google Workspace and enforce MFA for all user accounts? | Identity Access Management | Protect | Does this service provide a central identity service such as Microsoft EntraID, Google Workspace or an Identity Access Management (IAM) system and enforce multifactor authentication (MFA) for all authentication? |
Do you configure and manage disk encryption on devices, TLS encryption on email, and any other data encryption services? | Data Encryption | Protect | Does this service provide encryption of data and communications on devices, cloud services, whether at rest or in-transit? |
Do you configure and manage access control permissions to files, folders, cloud services and within applications? | Data Access Control | Protect | Does this service establish and maintain access control to organizational data and resources such as files, folders, applications, cloud services and devices? |
Do you securely destroy clients' devices when they are retired or recycled? | Data Destruction | Protect | Does this service provide a function for the secure destruction of data on devices when they are retired? |
Do you configure, manage and monitor SPF, DKIM, DMARC, DNSSEC and Email Encryption for clients? | Domain & Email Security | Protect | Does this service provide enhanced email authenticity and integrity using domain and email security mechanisms such as SPF, DKIM, DMARC, DNSSEC and Email Encryption? |
Do you configure and maintain a secure configuration on devices using Group Policy, Intune, RMM, MDM or similar? | Secure Configuration > Device Management | Protect | Does this service maintain an approved register of devices and maintain a secure configuration on them, which is aligned with least privilege methodology and controlled through central policy? |
Do you configure and maintain a secure configuration on network devices using a network monitoring & management tool? | Secure Configuration > Network Management | Protect | Does this service maintain an approved register of network devices and network connections, and maintain a secure configuration on them that is approved and aligned with least privilege methodology? |
Do you configure and maintain a secure configuration on clients' cloud environments using a cloud monitoring & management tool? | Secure Configuration > Cloud Management | Protect | Does this service maintain an approved register of cloud services, and maintain a secure configuration on them that is aligned with least privilege methodology, and where possible is controlled through central policy? |
Do you maintain a register of approved applications and enforce this through application management tools or application whitelisting / blacklisting? | Secure Configuration > Application Management | Protect | Does this service maintain an approved register of applications and maintain a secure configuration to ensure only authorised applications are used? |
Do you manage and regularly review user accounts on clients' systems, ensuring they are still required and MFA is enabled wherever possible? | Secure Configuration > Identity Management | Protect | Does this service maintain an approved register of user accounts in use across all systems, ensuring accounts are protected with multifactor authentication wherever possible and are aligned with least privilege methodology? |
Do you configure and manage MDM for your client, for example through their existing Intune setup or through the Apple MDM solution you use for IT support? | Mobile Device Management | Detect | Does this service provide Mobile Device Management (MDM) capabilities to manage the configuration and security of mobile devices which have access to corporate data and resources? |
Do you monitor clients' systems for unrecognised user accounts, devices, network connections and applications, and investigate / remediate any unexpected findings? | TBC | Detect | Does this service continually monitor for and review user accounts, devices, software (locally installed or SaaS) and connections (transient or persistent) to ensure they are recognised and approved? |
If you provide a cyber incident response function to clients, do you ensure it is fit for purpose (or advise them to check this themselves)? | Incident Response (Vision & Mission) | Respond | Does this service establish organizational context and required outcomes of the incident response function to ensure it delivers on the requirements? |
Do you provide a cyber incident response reporting and triage function to your clients? | Incident Response (Procedure) | Respond | Does this service provide an incident response reporting and triage function to all employees, suppliers and partners for the reporting, investigation and prioritization of any suspicious/anomalous activity? |
Do you provide an incident response function for the critical phases of incident handling including containment, evidence gathering, eradication, recovery and reporting? | Incident Response (Plan) | Respond | Does this service provide an incident response function for the containment, evidence gathering, eradication, post incident analysis and reporting of security incidents? |
Do you provide offsite backup (including cloud backup) of locally hosted data? | Backup (local to offsite/cloud) | Recover | Does this service include backup of all business systems and data? |
Do you provide cloud to cloud backup? | Backup (cloud to cloud) | Recover | Does this service include cloud backup of all protectable cloud hosted data? |
Do you provide a DR Appliance (physical or virtual) and/or a cloud-native Disaster Recovery Service? | Disaster Recovery Appliance | Recover | Does this service include Disaster Recovery services to restore affected systems from backups on alternate hardware, infrastructure or locations, to ensure business operations can continue whilst affected systems are investigated and recovered? |
Do you perform regular Disaster Recovery tests for clients' systems? | BCDR Test Recovery | Recover | Does this service include performing real and test restorations of backups and disaster recovery services and their associated DR Plans and standard operating procedures on a regular basis? |
3.0 - Create a service for your Baseline IT Support
We recommend that you start by building a Service for your IT Services and do this in a way that fits your IT Support model.
Here is a worked example:
You have 2 different IT Support Services:
- Basic: includes unlimited report support, support hours 8x5 and a 4hr SLA
- Premium: includes basic, but with 24x7 support coverage, a 2hr SLA and incident response function.
In the above example, you could build 2 Services in HighGround: 'Basic IT Support' and 'Premium IT Support'.
For each of these services, you would attest the relevant security features you are providing as part of the service.
4.0 - Adding your IT Support Service to your Packages
Once you have created Services for your IT Support Services, you can then use them in your packages, together with additional security services that you build.
Tip: If you provide a comprehensive service offering which includes both IT Support + Security, it is still recommended that you build them separately in HighGround.
This makes it easier to manage your services in HighGround - otherwise you could end up creating a single service that includes all security capabilities and build a Package that includes a single service.