Some compliance mistakes are boring. These are not. In this episode of Get NIST-y, Jared and Mike tackle two real-world MSP questions that can create liability fast if you handle them the wrong way. They break down where MSPs should help, where they should back off, and how to think clearly about MFA when the framework language gets fuzzy.
- Why MSPs should not fill out cyber insurance questionnaires for clients
- How bad answers on insurance forms can come back during a claim
- What MFA compliance really means when systems touch customer data
- When compensating controls and documented risk acceptance make sense
We answer:
- When clients forward cyber insurance questionnaires, do you bill for filling them out? And how do you answer without accidentally taking responsibility for stuff you can't prove?
- For FTC Safeguards, what actually counts as MFA compliance in the real world? Is VPN plus MFA enough, or do you need MFA at the workstation, file access, admin actions, all of it?
Submit your question:
https://blacksmithinfosec.com/nisty/