Fireside Chat Control 15

We find ourselves getting closer to the end of CIS Top 18. In this episode, Matt Lee of Pax8 and I discuss Service Provider Management. Matt does an excellent job of laying out a success path for any MSP to implement. You should note that this is a non-technical control.

[00:00:04] Welcome to MSP 1337. I'm your host, Chris Johnson. A show dedicated to cybersecurity challenges and solutions, a journey together, not alone. Recording. Pressing the record button now. Welcome everybody to another episode of MSP 1337. It's that time of the month where

[00:00:30] we have a, we have a fireside chat. It is Matt Lee of Pax8 joining me to talk about service provider management. Matt, welcome to the show. Man, I thought just in honor of this episode, I lit a nice dumpster fire for us to sit beside

[00:00:46] at least in my heart for this particular control. The way you say it makes me feel like we're homeless. We are in this case, it feels like because what we're talking about today is service

[00:00:58] provider management control 15 and I think one of the things that I'd like to start with as a quick story, Chris, is that I get on stage all the time and talk to managed service providers that serve all different types of customers.

[00:01:13] And they always do the same thing that is human nature. They say, I wish my client would do more of the things I asked them to do to protect myself. I wish they'd do an MFA. I wish they'd say yes to this, whatever it may be.

[00:01:25] And then they'll also say, I wish my service provider would do more, would give me more things, would be more apt, would follow these things themselves, would be more front and forthcoming with their own.

[00:01:34] And they're right about both statements, but it is rare they go inward and say, man, I'm not good at this either. We must all suck at this. We must all need to get better. And I think this is a control where this shows up the most, right?

[00:01:48] Is this understanding of what is it you're asking from them? And as you're doing that, think about would that if you inverse it be something you could answer yourself, right? Anyways, go ahead, Chris. This is your world. No, it's fine.

[00:02:02] I think that the thing that comes to mind for me is along the same lines of also thinking about when we talk about service provider management or we talk about just the conversations with vendors whose products and services we

[00:02:15] might subscribe to or insurance or fill in the blank, how do we interact with them? And had a conversation. Actually, this was on the Trustmark call. We had a conversation. MSP brought a scenario. They're working through their incident response planning.

[00:02:32] And doing some exercises to just test out how things work in the event that they would need to engage insurance, what that would look like. And it took them four days to get a hold of the person that they needed to talk to.

[00:02:46] And well, it's a good thing they tested it, right? Because they wouldn't have found out until maybe it was too late. And their SLA of a four hour response time, four days is it doesn't matter if the SLA is intact or not.

[00:03:01] You don't have more than four hours when it happens. So anyways, the reason why I bring it up is not to point a finger at a vendor, but more of like we all have a responsibility. The vendor didn't know that their auto attendant was broken.

[00:03:14] I mean, how often are we calling in to insurance to say, oh, I got to call them. This is what happened. It doesn't happen every day for every insurance carrier. And so I thought it was important to point out like, hey,

[00:03:24] they worked through it. They figured out the problem. It's something that now won't happen again because they've put some measures in place to prevent that from being the end all be all, if you can't get through on the auto attendant.

[00:03:34] But like, so I just want to put that out there like this, when we grade our vendors, we've got to remember that we have a joint or a mutual responsibility and the relationship it's not just a one-sided thing.

[00:03:45] Well, let's not actually miss that point because what you're talking about is SRM, which is a shared responsibility matrix. What is a shared responsibility matrix? Let's unpack some of that as we go through these safeguards, right? Absolutely. So let's talk about control 15 service provider management.

[00:04:03] All right. Let's talk about it. Develop a process to evaluate service providers who hold sensitive data, comma space, or are responsible for an enterprise's critical IT platforms or processes, comma space, to ensure these providers are protecting those platforms and data appropriately. What are we talking about, Chris?

[00:04:27] We're talking about this shared responsibility. I've handed you something that I am the steward of. You are now responsible for part of it because I'm using your platform. I'm using your service. You have access to my system, Mr. or Ms. MSP, whatever it may be.

[00:04:41] I am now giving access to that. And I actually did a talk not too long ago that's getting turned into a white paper about talking to Fortune 100 and Fortune 500 CISOs. There were 120 of them in the room. And it was called a practical approach to selecting your SMB partners.

[00:04:59] But I lovingly called it, Nobody Gives a Blank About Fazio. And blank was not blanked out. But the talk starts like this, Chris. I asked them to look at the screen and I had a Target logo up.

[00:05:12] And I said, hey, this Target logo, does everybody know what happened? And they said, yeah, there was a breach in November of 2013, give or take till 2014 of this major retailer. OK, we know. I asked the audience, how many of you know how it happened?

[00:05:25] And they all said their HVAC vendor, at least the ones that knew. I then said, don't Google, don't search, don't ask your neighbor. How many of you know the name of the HVAC vendor? And it came up with nobody. And the answer was Fazio Mechanical Services.

[00:05:40] And I said, it's been 13 years and people are still talking about Target and they don't remember Fazio. And I said it a different way. But the point being, when we start thinking about this, your service providers can often be your weakest link.

[00:05:52] They can often have access to too much or have access to the appropriate amount of sensitive data, not taking that appropriately. And so that's what this set of safeguards is hoping to go down. But when you look at IG1, it's really only one.

[00:06:05] There's literally only one control, one safeguard that's an IG1 or an implementation component. Who are your vendors? Yeah. And that's to your point of like that knowing your vendor doesn't just go to knowing it goes to how do you contact them too.

[00:06:17] And so when we get into this, establish and maintain an inventory of service providers. Here we are with a list yet again. You mean to tell me, Matt Lee, that cybersecurity often comes down to Excel sheets and lists? It sure does.

[00:06:29] I would argue that the majority of the safeguards in the CIS top 18, the first two one or two safeguards in each control domain likely involves an Excel spreadsheet. Yeah. At least or something fancier that does the same function.

[00:06:44] But I know PEP plus plus a data set that you can compare. Right. And so, yeah, exactly. So in this one, we're not any different. It's a list and inventory of service providers. And it says the list all known service providers, right? Like, who are they?

[00:06:57] It also goes on to say including classifications, which is interesting because this is yet again where CIS has asked us to do something before they teach us what to put in that classification that will say later safeguards.

[00:07:09] And I think it's fair, though, I think we should pause for a minute. I think it's important that this happens, whether it's classified properly or not. And the reason why are, you know, how to because I think at the end

[00:07:20] of the day, so many times solution providers don't know who all of their vendors are. And I think that's where this becomes problematic. I had the conversation the other day, like, do you have if you if I asked you,

[00:07:32] you know, hey, do you have the contact details for fill in the blank? Acme Corporation. They're like, oh, yeah, it's, you know, just Google it. Awesome. Yeah. Great phone number. I found no longer in service or never has been their phone number.

[00:07:46] Like these are not especially when you need the phone number. Right. Yes. So this point, it says have your service providers have the classification and to your point, designated enterprise contact for each service provider. Like, who am I going to call?

[00:08:00] It's not Ghostbusters. We're going to call, you know, whoever. Unless they're one of your vendors. That's fair. Well, even then, you're not just calling the company. Hopefully you've got a real contact there for when things go bad.

[00:08:09] I mean, if it's the Ghostbusters, you're probably sending out a page. That's fair. That is that is fair. But the point is designated contact. And then it says, you know, your governance words yet again, review and update the inventory annually or when significant

[00:08:23] enterprise changes occur. Well, guess what? What enterprise change could occur, Chris, in this thing that would make me have to have a new thing on the list? I don't really want to say because I feel like it's like

[00:08:33] when they do something that doesn't, you know, protect my data or. We hire a new one. Yeah, if I change. I need to maintain a list and it needs to be up to date whenever I hire a new service provider,

[00:08:47] I need to put them on the list. Right. Well, not only that, but you need to constantly check on your service providers because their information changes, too. And this is one of those things you talked about with your incident response tabletop where they were trying

[00:08:59] to reach out to a service provider and they learned there was a better contact method. They had a new way to talk. And so that's why I brought this up was as you test this, make sure you're tabletopping these things out.

[00:09:09] Make it something where you're like, listen, I know this number. I'm going to call you and let you know. I just want to test the system. It's not really an event, but I just want to do that. Can we do that annually?

[00:09:16] You might set that contact point up ahead of time to say we're going to do that. Right. Yep. So the point is they're asking you to have a list, classify those lists. What they're really asking about classification when you get down

[00:09:26] to it is like, is the data sensitive? They have a lot of access. Are they my MSP that has admin creds? Those could be very important questions, right? Like that's where it matters. Yeah, and I see a couple of a couple of challenges here

[00:09:38] and I run into it quite a bit. And I don't know that it's worth splitting hairs over, but, you know, I think it's important to maintain the piece, which is do they store sensitive data as a category? And are they able to access sensitive data in your environment

[00:09:53] as a separate delineation? Well, those are good points, right? Like as delineating points, knowing is their data there in processing? Is there access, potential access to data? Or do they store another copy that's now made a duality? Well, remember, we talked about this already, right?

[00:10:11] So in control three, in data protection, we talk about where does my data flow? And if we have a clear understanding of where data flows, unless it's just staying in a little circular box that is my, it's in the Large Hadron Collider, you know, right around spinning around.

[00:10:29] Then then maybe you don't have a very long list of vendors, but everybody that I've talked to, even the ones that are adamantly like we've consolidated down and we're continuing to minimize like, oh, where? I was in the 60 application range with 170 employees like that.

[00:10:43] And I haven't seen anybody yet below 30 that I've talked to, big or small 30. And by that I mean service providers. Yeah, yeah, absolutely. Yeah. So all right. Dead horse 15.2 establish and maintain a service provider management policy. Good grief. Are we noticing a trend here in 15

[00:11:05] that maybe all of 15 could be policy oriented, that there are no technical controls in 15. And a lot of people ask me like, what is my how should I manage my service providers? What's my way of managing providers?

[00:11:19] What's a lot of it gets clarified here of what needs to be in it. Right. Like any classification as a process, like a way to actually classify those service providers and inventory, right. Something to maintain the inventory process to make sure that 15.1 stays up to date.

[00:11:32] Right. Well, yeah, it's a pattern. The provider, I need to process and procedures. Yeah. I mean, obviously, you're not going to do a very good job of managing your service providers if you don't check in with them. Yeah, exactly. Assessment.

[00:11:44] And now this one we'll get back to in a sec monitoring and then decommissioning the service providers. Right. When I get rid of one, do I how do I get rid of it? How do I make sure I've gotten rid of it?

[00:11:52] What is the effective amount of getting rid of it? And this really does give guidance to how I modify 4.1 for how I configure systems if I've removed a service provider, how I write as you start thinking about some of these options.

[00:12:03] So anyways, well, 15.1, 15.2 and 15.3. So all the way through classification, one can argue that this is a relatively. I don't want to say it's trivial, but I think that this is doable for most MSPs if they put their mind to it.

[00:12:17] I take them a little bit. This is reasonable. And I think as you shift into the latter safeguards of this control, there's a reason why they are IG3s, the last three are IG3. I want to say why I think IG1

[00:12:29] people get hung up on, or IG2 at least, sure, you know, up on assessment. And that's why I pause to talk about assessment last in the service provider management policy. And the reason is when you think about how to assess somebody,

[00:12:42] everybody gets hung up in the details of perfect. Like what is perfect? I don't have any guidance. What must I have from every what must I have? You get to define that if you notice for the most part, unless you're in a regulated industry,

[00:12:54] unless you're in something that has some level of like defined standards that must be met, that you must ask for or write or some contractual obligation that's driving it for clarification. That is a level three. Well, 15.2, the assessment function being defined

[00:13:08] in service provider management policies, what I'm speaking. I understand. So, OK, I guess I'll find later. Yeah. So but to your point, all of this stuff, it can start in a lower level of where perfect is and get the muscles built of doing it right.

[00:13:25] If I'm only asking for a SOC 2 report from somebody and I'm not doing anything more and that's it, getting that muscle firing of collecting that, asking for it, denoting when they don't have it, writing an exception for what that is. What are those compensating factors?

[00:13:38] I'm going to look for if that's the case, whatever it may be. Right. Yeah. And I mean, go back to so we did bounce a little bit. So we understand classifying service providers. I think for the most part, we're all pretty.

[00:13:49] I don't say we're good at it, but we have a general understanding like there's a difference between my XDR and my backup solution. Right. There's a definite delineation between the two functions of those products, although I'm starting to see vendors that do both things

[00:14:03] at the same time with the same agent. So I digress. But when we get into like contracts to include security requirements and then in 15.5, you know, assessing of the service providers, I truly think this gets really complicated, really fast,

[00:14:20] because I don't think that for the most part, MSPs in general have been truly educated on how to do the assess process without just really making a vendor mad. Yeah. Give me this information. They're like, sign an NDA.

[00:14:35] And it's like, well, what is it that you really want to know about the vendor in the context of assessing them from from a security standpoint to ensure that they're going to be able to meet the requirements that you've called out, say, under your security requirements? Yeah.

[00:14:51] Well, and when you think about it, like if I get what you're saying about this, like you're asking for a SOC 2. The vendor says, sure, you got to sign an NDA. You get the SOC 2. You check the box, you file it and you're good. Right.

[00:15:03] Did you read it? I would love to like put a Willy Wonka's golden ticket or like give my house away in paragraph four of the third page or something to the first reader that responds because nobody reads them.

[00:15:16] They're filing them away and just saying check the box. Right. But I could have scoped that SOC 2 to whatever controls I created. However efficacious they are, however they're going to really serve that. And someone's just assessing, am I doing them and are they like meaningful to some extent?

[00:15:29] But really, when you start looking at that, those SOC 2s are often scoped poorly, the controls are inadequate. And it's funny because there's a meme that goes around that says, you know, every breach in the last five years has had a SOC 2. Right.

[00:15:43] And that is the reality. So when you're talking about this, what I love about the way CIS has written this last control and we probably ought to go back over the others, but in 15.5, we're talking about assessing service providers consistent with the service provider management policy.

[00:15:57] This is where they link it back to make sure your policy is governing. To your point, Chris, they're following a process to do this. Assessment scope may vary based on classification. Like if you are my SOC and you are doing my security operations,

[00:16:09] I might assess you at a higher stringency than if you were providing me with paper on Thursdays. Right. Like we might have a very different world. And so you may have to say when you get into it, says assessments

[00:16:22] go may vary and may include a review of standardized assessments. It doesn't say collection. It doesn't say checkbox of standardized assessment. It says a review of them or other appropriately rigorous processes to include customized questionnaires, which means you can write your own stuff.

[00:16:39] Yeah. You can write whatever the hell you want. But you also find vendors don't necessarily respond to that. I think that would be great to solve. Yeah. You know, when I give them the questionnaire, right, they're not so quick like so.

[00:16:51] And I think that's an area where, you know, I think CompTIA and the direction of the Trustmark, especially as we get into vendor profiles. You know, obviously our goal along those lines is to help remove some of the friction between service providers

[00:17:06] or solution providers asking their vendors, you know, service providers to help them. And so, you know, I actually was spending more time than I like to admit. And I had some help from some of the team over at Choice Cyber.

[00:17:20] But I went through and I mapped all of the crosswalks where CIS crosswalks to SOC 2. And then I reviewed and we've got all of the ISO safeguards in the Trustmark that match. We've also mapped those into SOC 2.

[00:17:34] And one of the things that I uncovered is that in order to truly satisfy the ISO safeguard or the CIS safeguard, in many cases, you had to satisfy two, three, four SOC 2 safeguards in actual to meet that requirement. And then you're looking at what was the scoping

[00:17:53] that was in the SOC 2 safeguard? And one of the things that often comes up is it's more of a 10,000 foot level of sort of seeing a general direction that would imply doing it the way we're calling it out through the CIS or ISO safeguard.

[00:18:09] And so while we see a path of success, of being able to say, hey, assuming your scope does facilitate an understanding from the Trustmark certification process that you did do due diligence across more than just the bare minimum.

[00:18:25] Then we don't want you to have to reinvent the wheel for those safeguards that do match. Let's tackle scope. Let's say you have scope down to a system that is what's under this scope that meets the need. They're still interconnected. They still have different dependencies and access,

[00:18:40] depending on how you've built this. It's likely not you building a complete enclave that functions. And so you try to then pick. And what I'll say is the threat actor says long hair don't care. I'm going to tell you wherever you are, wherever I find,

[00:18:52] I do not care if you find it in the scope or not. I don't care if I get it through a different way of pushing two truck bumpers together and laying a jack handle over the positive. I don't care. We're going to get her started.

[00:19:03] Right. And I think the point is, is like when you get into this, what I love about 15.5 to bring this back to home is it says you standardize assessments, but review them. PCI DSS, SOC 2 are specifically called out right here in this.

[00:19:17] But then or other appropriately rigorous processes. But you're now saying like with Trustmark, we hope it becomes with the vendor profiles that trusted resource that standardized and review becomes to mean that we're this very assessed platform. You know, you know where we're going with it. Right.

[00:19:31] But the point is, is you can also create questionnaires. And I did. But to your point, that creates friction because everyone has a different questionnaire and they're asking for different things and they want them a different way and they have different demands.

[00:19:40] And so it's very hard to scale and normalize that. And I think what you're doing with Compto or what we're doing, I always forget, but yeah, we're doing with CompTIA Trustmark vendor profiles is very much in that vein of solving some of that.

[00:19:52] I mean, and this is what channel program is doing right. Like they give you the ability to see things that have already been answered. And if you can accept those questions as truth for your organization, you're not creating friction

[00:20:05] with a vendor who has already answered the questions once. Why make them answer it over and over again? Yeah. And the interesting part about that, too, not to delve off into another topic is the only way that works is if the crowd sourcing

[00:20:18] is accurate, valid and on equal footing of their capabilities of understanding the answers are given, be given and continuously participates in reevaluation. I think that's the challenge with that model. I think you have to make sure that you've normalized

[00:20:32] the end consumer that is actually reporting and also the time basis and aging of such information based on delineation. I think so. This doesn't turn into Wikipedia, right? Like, well, the last person to update this eight years ago

[00:20:46] with their new version of the facts and no one else has bothered to validate or verify that it's true. Yeah. I think that's done well. Yeah, it could be very valuable. I think what I mean without it, we're in trouble, too.

[00:20:59] I don't know that there's an easier way to do this. I think there has to be a minimum standard of the people doing it, too. Right. And I think to your point, with the whole purpose of Trustmark

[00:21:08] is us self adopting a minimum standard to say, I know enough to be here and have this conversation, in my opinion. So I would use the nose thing, but no one sees that. And then we can see that on audio. So we've got two left.

[00:21:21] 15.2, we went into establish the policy. 15.3. And all of these feed back to 15.1 and 15.2, right? They set that policy. 15.3 was classification. And to your point, characteristics you get to pick could be such as data sensitivity, data volume, availability, applicable regulations,

[00:21:38] inherent risk, mitigated risk, assuming you've done any of these conversations. You kind of hear a pattern of like calling out the CIA triad, right? Like it's all of those things. Yeah. CIA and the dad side of it, right? The disclosure, right?

[00:21:50] The dad, the bad, the baddie side of the triad being called out. Right. OK. 15.4. We have to make sure that the contracts actually have security requirements. And that's tough to do. Sometimes you're on the bottom end of that stick.

[00:22:02] Sometimes you have to just write, nope, they wouldn't allow me to do that. They're asking you call it such things as minimum security program requirements for that vendor, security incident and or data breach notifications and responses contractually put in data encryption requirements.

[00:22:15] You imagine yourself walking up to some fictitious company like a Schminn act wise or a belaya or something like that and saying, hey, I've got a thousand dollars a month. I want you to sign this agreement that says your minimum security program requirements.

[00:22:27] So you're going to spend three point six million dollars a quarter on increasing your, you imagine how that conversation goes. You're very much and this is part of, if I'm honest, this entire control in my mind, 15.4 to get on my pulpit

[00:22:39] is very much part of this mantra in National Cybersecurity Directive in part three talking about how the EULA often protects and removes all liability for the company away from the constituent victim of their actions. Right. And you see that playing out.

[00:22:56] So I don't think this is solved by us. I think you have to have a way that you process this yourself. I think you have to say, here's what my policy says. That's why they say include security requirements consistent with your enterprise's service provider management policy.

[00:23:07] And I'll give an exact example. My initial requirement for a vendor was you had to offer MFA that allowed me to bring my own MFA source, whether that be XML, SAML, other methodologies, webhooks. I don't care how that plays out.

[00:23:21] I want to know that I can bring my own MFA. But then later we changed that to say, no, now it must be SSO. I must require 5.6 and 6.7 to be met. Therefore, I'm going to ask for SSO.

[00:23:31] And so you could see that these requirements that you're asking for people could be functional platform requirements. They could be security requirements of their own actions. And I'd also like that ultimately be somebody saying you as a vendor must have a security trust mark.

[00:23:43] And as long as you're doing that, I know you've done at least the modicum of things to protect me and the stuff that I care about or that you signed the Secure by Design Pledge from CISA or I think you may be.

[00:23:52] I think you've hit it on the head. I think that this is an area and we're seeing this in DoD world, right? Like if your contractors don't have, say, CompTIA certifications. In fact, CMMC is a contractual methodology and it's a contract based security program, 100 percent.

[00:24:08] And I think that's, you know, in the solution routers space, we don't want to necessarily get to that level of requirement because I think when it's you have to do it, there's the resistance of doing it or at least not telling the whole truth about doing it

[00:24:23] because you want to get the contract and then, you know, just cross your fingers that they don't audit you and you don't get caught. Right. So long term, I hope you and I see very differently on that statement. One day it is endemic, but I digress.

[00:24:34] No, I'm with you. I think that the reality is and we've heard this said before. I think it was somebody that works at Pax8. We were on a panel and I believe the question asked was, you know, where do you see the success of solution providers?

[00:24:50] Do you know this guy? Like, what's the success look like? I think it was Henry Tim that may have asked this question. Yeah, it might have been a guy named Schmat me or something. Yeah, that might be.

[00:25:00] That might be. And I think the words were half of you will no longer be here. And that is success because to be fair, I said half of us to be more nuanced on the side. Yes, sir. That way I made it better for that person.

[00:25:13] But I mean, in fairness, you're talking specifically about solution providers. And I think that what things like CIS framework, the Trustmark, CMMC, they're saying you shouldn't be able to just play in this space if you're not taking security serious and doing what you can

[00:25:31] to improve your cybersecurity posture. That's all you have to do. That's all you have to do. Cyber hygiene doesn't mean perfect. It doesn't mean you take a shower every day. You want to ones that's not sucking next time. Yeah, right. I clicked on the link.

[00:25:44] It was a good it was a good deal. I clicked on it. I'm sorry. Right. Like that's what's where we're at. All right, we got two controls. Are we not six? Yes. After you've established this thing

[00:25:53] that you say you must ask of them and you hit this right. Chris, I'm going to open all it open on it. Make it part of it. Make the fact that I'm going to monitor you. I'm going to reassess. I'm going to ask you to provide evidence.

[00:26:04] I'm going to make you do this. I might monitor you. I think they get into weird places here because some of the suggestions are like dark web monitoring on my vendor. I don't know. I don't know. Let's go back in time or let's rewind back to previous control.

[00:26:17] And you're going to have to put me on which one it was exactly because I can't remember what it says. But one of the things that it says is where do you get your information about cybersecurity?

[00:26:27] And it talks about things like you could use like the ice cell from CompTIA or, you know, but like if you are doing those things, you should be able to bake that into right here, monitoring your service

[00:26:38] providers, because that should be some of the key word information you're looking for. Yeah. And this comes up to like think about SlashAndGrab, right? Think about Cyclops Blink. Think about even Hafnium and some of the extensibilities from ProxyNotShell, ProxyNotLogon. Think about, you know, the major plays,

[00:26:58] the major hit list of vulnerabilities out there and some of those things that turn into compromises, the SolarWinds, the Kaseyas, those aspects of it where there were legitimate compromises, legitimate supply chain problems, legitimate things that cause problems in that world.

[00:27:12] Like being able to monitor that real time and start isolating and containing the access, how cool would it be to be able to go, you know what? Maybe we need to disable this particular service right now as an RMM until we can get this figured out.

[00:27:25] And it also comes into the API challenges. Yeah, I mean, there's lots of things to talk about that. Oh, for sure. But my point being is like monitoring service providers needs to be something that's part of this so that you can take action,

[00:27:38] so you can ensure they're actually doing the things you've asked them to do. Right. I think this is also another one of those that is limited by the amount of spend, the current contractual wins, the current year of the world.

[00:27:51] There's still a lot of problems with this safeguard and it's very idealistic. We've got three minutes coming up with something that you can do there. OK, sure. But the point is asking you to monitor and 15.7. God bless 15.7. I really hope that I would say this, Chris,

[00:28:07] but when you get rid of one uninstall that crap. That's it, boys and girls. Look at a process to securely remove their access, to understand that the data was there is destroyed to do the things that are necessary, terminate data flows, user accounts, service account disablement,

[00:28:23] secure disposal of the data that was in those systems like, come on, bro. And I think there's one that you didn't say, but you kind of implied, and that is prove that you are no longer in my system. Yeah, like, are you still billing me? Yeah.

[00:28:41] Are you still accessing my environment? Do you still push up? You know, maybe an old ScreenConnect agent running that you didn't clean up that turned into my client's demise like that happened on more than one

[00:28:52] occasion for sure, somebody that's not doing their due diligence and due care. And that is one of the things I'll leave people to think about. Right. Because we're wrapping this up. And that is who owns that? Who owns the proof?

[00:29:03] Is it me that should gather it and look for that evidence and own that evidence? Or is it they that should provide it or is it a shared responsibility? And I think we should always apply the latter. Where is that? Yeah, yeah.

[00:29:15] I think we always have to go to share because if we don't, we're just asking for trouble because that means that if I say it's your responsibility, then I'm playing the card of ignorance. I am playing the card of no, no, no. That's what I pay you for.

[00:29:30] And I think that the world we live in when it comes to cybersecurity especially is that we can't do that to each other. We have to play together or somebody, if not everybody fails. And here's a great hyperbole example. Don't worry. I know I bought this new house.

[00:29:45] I'm not going to change the locks. I'm certain that the old owners and all their friends got rid of the keys and would never accidentally put me in a place where I'm at risk for that.

[00:29:53] No, you change the stupid locks just like they get rid of the keys. Anyways, I digress. You know what? I think that's enough. That's it, everybody. This has been an episode of MSP 1337. Thanks and have a great week.