Security is a shared responsibility. Cloud Core MSP can recommend, manage, monitor, and respond to agreed controls, but clients must approve changes, maintain access, avoid uncoordinated changes, and address material risks.
Security operating principles
Security is a shared responsibility. Cloud Core MSP can recommend, deploy, manage, monitor, and respond to agreed controls for covered systems, but Client remains responsible for timely decisions, approvals, accurate information, and business-side participation where required.
- No system, tool, provider, or service can remove all cybersecurity risk.
- Security controls work best when systems are supported, monitored, patched, and consistently configured.
- Client decisions about budget, user experience, access, legacy systems, and business requirements affect risk.
- Cloud Core MSP may limit scope where unresolved risk prevents safe or reliable service delivery.
Client responsibilities affecting security services
- Maintaining timely access approvals.
- Notifying Cloud Core MSP of material changes.
- Avoiding uncoordinated administrative changes.
- Maintaining required vendor relationships and subscriptions.
- Participating in remediation decisions where business approval is needed.
Common required controls
- Multi-factor authentication for administrative and remote access.
- Supported operating systems and supported application versions.
- Endpoint monitoring and patch management on covered systems.
- Administrative access controls and named accountable administrators.
- Logging and alerting for supported services where included.
- Backup protection for systems where recovery is required.
- Reasonable password, access, and offboarding practices.
Effect of unresolved risk
If Client declines a recommended control, delays a required remediation, removes necessary access, or makes uncoordinated changes that materially affect service delivery or security, Cloud Core MSP may limit the affected service scope until the issue is resolved. Cloud Core MSP will communicate the reason and impact in writing where practical.
When Cloud Core MSP identifies a material risk, the recommendation may be documented in a ticket, report, email, roadmap, or service review. If the client declines or delays the recommendation, the risk remains with the client.
Examples include unsupported systems, missing MFA, unavailable backups, shared administrator accounts, exposed services, weak vendor access practices, or unmanaged devices touching business systems.
Incident containment authority
During a suspected or confirmed incident, Cloud Core MSP may take reasonable containment actions to protect systems, data, users, and operations.
- Disable or reset accounts.
- Isolate endpoints or servers.
- Restrict network access.
- Block suspicious sign-ins or forwarding rules.
- Suspend exposed services.
- Preserve relevant logs where available.
- Escalate to vendors, cyber insurance contacts, counsel, or incident response partners when authorized.
Compliance boundaries
Cloud Core MSP can support technical safeguards, evidence gathering, control implementation, policy review, and remediation planning. Compliance outcomes depend on legal, operational, administrative, physical, and business-process factors beyond technology alone.
Unless a separate compliance SOW says otherwise, Cloud Core MSP does not guarantee HIPAA, CJIS, PCI, IRS 1075, NIST, SOC 2, cyber-insurance approval, or any other formal compliance result.