
Regulatory Expertise

In addition to operational expertise and resources, an MSSP needs regulatory knowledge to help organizations understand how specific legislation affects them. Beyond general privacy regulations, many market verticals are subject to federal regulations that require compliance with particular standards. The key aspects of the primary regulations, as they may affect the MSSP business, are outlined below.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to provide health insurance portability, fraud enforcement and administrative simplification for the healthcare industry. Organizations that handle confidential healthcare information must comply with HIPAA regulations. Medical organizations must apply patches to SMTP relays, POP and DNS servers, routers, and all underlying operating systems; must conduct regular vulnerability assessments; and must develop internal security policies (such as restriction policies, acceptable use of the Internet, etc.). They must also deploy appropriate protection measures, such as firewalls, IDS, AV protection, vulnerability identification and so on.

Various sections of HIPAA stipulate that organizations must ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) and must protect against any reasonably anticipated threats or hazards. Administrative safeguard requirements are also set out in HIPAA. By providing 24x7 managed security services, MSSPs can help healthcare companies comply with the requirements of HIPAA.


The Gramm-Leach-Bliley (GLB) Act of 1999 was enacted to enhance the privacy and security of Nonpublic Personal Information (NPI) for consumers doing business with financial institutions such as banks, brokerage firms and other organizations that maintain customer financial information. 

By providing managed security services, MSSPs can help financial organizations comply with Gramm-Leach-Bliley Sections 314.3 (a) & (b), under which organizations must define the requirements and objectives of their information security program. By protecting customer information against anticipated threats, hazards or unauthorized access, MSSPs also help organizations comply with Sections 314.4 (b), (c), (d) & (e), under which they must define the requirements for identifying reasonably foreseeable internal and external risks.


Sarbanes-Oxley (SOX) was enacted to monitor accounting practices at publicly traded companies. Section 404 (a) (1), Management Assessment of Internal Controls, outlines the responsibility of an organization’s management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The internal controls must include asset management, security monitoring, patch management and reporting as well as data backup management—all areas that an MSSP can address.


The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. section 1232g; 34 CFR Part 99, is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The educational institutions must implement proper safeguards to protect the confidential data.


Under the Children's Internet Protection Act (CIPA), schools that do not use web-filtering software can be penalized through the withholding of federal Internet and computer funding. Schools subject to CIPA are required to adopt a policy for monitoring the online activities of minors. MSSPs can provide managed software that protects minors from exposure to explicit email advertising and inappropriate online content, while also protecting schools from viruses.
