With differentiation a watchword among channel partners these days, some have turned to the credentialing process as another way they can stand out from competitors.
Compliance verification and credentialing programs, which often involve third-party assessments or audits, may focus on a security or regulatory compliance framework. Examples include the American Institute of Certified Public Accountants' SSAE 16 and Service Organization Controls 2 (SOC 2) as well as the Health Insurance Portability and Accountability Act's Security Rule provisions. In addition, industry associations maintain their own credentialing programs on support external standards. CompTIA, for example, offers a series of Trustmark credentials that assess channel partners on security, managed services and print services. And the MSPAlliance offers an auditing program for partners interested in SSAE 16 compliance.
While adherence to HIPAA is mandatory for partners classified as business associates and subject to the Security Rule, other credentials are voluntary and not strictly defensive measures to avoid fines. Companies pursuing the nonmandatory programs say they benefit from gaining more insight into how their business operates. The credentialing process can also provide an edge in the IT services market.
CMIT Solutions of Seattle, a managed service provider (MSP), in August 2016 earned CompTIA's Managed Services Trustmark, which evaluates participants on organizational structure, internal tools and systems, and standard operating procedures among other factors, according to CMIT Solutions.
"There are few CompTIA Managed Services Trustmark holders in Washington -- and even fewer in the Seattle area," said Jeff Steele, president of CMIT Solutions of Seattle.
Steele said Trustmark is something the company can discuss "with our existing clients in our regular meetings and … with potential new clients as a differentiator of our services."
Benefits of compliance
Jeff Steelepresident, CMIT Solutions of Seattle
Going through the Trustmark process gave CMIT Solutions of Seattle some affirmation that its operations are on track.
"The process demonstrated that we were doing the proper things for our clients and our business -- which was gratifying," Steele said. "It also allowed us to more fully document already established procedures, which will serve us well as we continue to grow and scale our business."
Datapipe, an MSP based in Jersey City, N.J., recently completed the SOC 2 compliance process. SOC 2 covers nonfinancial reporting controls. In August 2016 the company announced the completion of a SOC 2 audit for the ongoing management of hybrid cloud environments, including its Amazon Web Services environments. Datapipe is the only AWS MSP partner with global hybrid capabilities to earn SOC2 compliance out of the originally selected AWS Premier Partners, according to Datapipe.
David Lucky, director of product management at Datapipe, said SOC 2 compliance shows clients and prospects -- via a third-party audit -- that the security posture the company has taken is valid. The credential also provides assurances across SOC 2's security, integrity and availability trust principles and across different mediums: traditional IT, public cloud and private cloud, he added.
"We view this as a key differentiator in how we deliver these solutions," Lucky said, citing the ability to go to market with a deeper level of trust and security.
Lucky said the main challenges with the SOC 2 compliance process were determining the proper scoping and assuring systems are properly represented in the audit. Included within the scope of the audit was Datapipe's Access and Audit Control for Cloud, the company's model for delivering managed services on the AWS cloud platform, he noted.
The credentialing process doesn't don't come without cost, however. The initiatives can prove time-consuming and fairly expensive, sometimes running into the thousands of dollars. But there are options for companies wanting to measure themselves against a standard, but not take a deep dive into an audit or pursue a rigorous credentialing process.
CompTIA offers its Channel Standards, recommended best practices that partners can elect to adopt. The standards don't require formal assessments or audits. CompTIA offers IT Solution Provider, Managed IT Solution Provider, Managed Print Provider and Cybersecurity channel standards. The latter two were announced at CompTIA's ChannelCon 2016 event.
"We are assessing the Cybersecurity standards now and are working on bringing those standards into our practice," Steele of CMIT Solutions explained. "Managed Print is something that we are looking at and if we move in that direction, we will definitely consider the standards for managed print providers."
Steele said such standards are "definitely helpful," observing that adherence means clients "can be confident that we are among the best in our field as we maintain industry best practices."
"I'm all for the neutral industry bodies promoting best practices," said Kirill Bensonoff, founder of Unigma, a unified cloud management company, and co-founder of ComputerSupport.com, a managed services and cloud services provider. A channel standards effort, he said, will benefit the industry.
"Overall, it's going to drive more best practices."
Read about SOC 2 as a cloud security standard
Find out about Trustmark's role with cloud vendors and distributors
Learn how channel partners are differentiating via intellectual property