Managed Security and HIPAA Compliance FAQ — BoTech Security Solutions Kansas City

Frequently Asked Questions

Your questions, answered.

Everything you need to know about how BoTech works, what is included, and what to expect from a managed security and compliance engagement.

- 5–50: typical organization size served
- 3 days: to active security monitoring
- 1 hour: P1 incident response time
- 30 days: to audit-ready compliance foundation
Services

BoTech serves small and mid-sized organizations — typically 5 to 50 employees — in healthcare, legal, and financial services. These are the three most regulated and most targeted industries for small businesses, and the organizations least likely to have in-house security and compliance capacity.

Our engagements are built around your existing technology environment, delivered entirely remotely, and scaled to the size and complexity of your organization. We serve clients across the Kansas City metro area and nationwide.

Yes. BoTech focuses exclusively on security and compliance — not general IT support, helpdesk, or hardware management. We work alongside your existing IT provider without conflict or overlap.

We handle the security and compliance layer. Your IT provider continues handling general IT operations. In most cases we strengthen the relationship with your IT provider by identifying configuration gaps and security issues that general IT support does not typically cover.

Shield is the managed security bundle — continuous 24/7 endpoint and network monitoring, threat hunting, patch management, email security, Microsoft Defender management, monthly audit log review, backup validation, and incident response hours. Security only.

Comply is the managed compliance bundle — initial gap analysis, all 12 required security policies, operational procedure documentation, annual risk assessment, monthly compliance evidence tracker, semi-annual access review, quarterly compliance meetings, and annual compliance confirmation. For organizations that have existing IT security support and need compliance management specifically.

Fortress combines the complete Shield and Comply programmes in a single engagement — one point of contact, one flat monthly rate, with a monthly vCISO advisory session included. Recommended for any regulated organization that needs both security monitoring and compliance management.

No. BoTech is a managed security and compliance specialist, not a general IT managed service provider. We do not provide helpdesk support, hardware procurement, network infrastructure management, or general IT troubleshooting.

This specialisation is deliberate. Organizations that need both general IT and security are better served by having dedicated specialists for each — a general IT provider for day-to-day operations and BoTech for the security and compliance layer that most general IT providers do not cover adequately.

Pricing and Contracts

Each bundle is priced as a flat monthly fee — no per-incident billing, no surprise invoices, no charges for additional reports or communications. Pricing is customized for each engagement based on the specific bundle, your user and endpoint count, and any add-on services required.

We do not publish standard rate cards because the right price depends on your organization's size and scope. Contact us to request a proposal tailored to your organization — we typically respond within one business day.

Our standard engagement is 12 months with automatic annual renewal. There is no setup fee and no long-term lock-in beyond the initial term.

Early termination requires two months' written notice and is subject to an early termination fee equal to two months of the monthly bundle rate. Annual renewal terms are sent 60 days before the renewal date.

No. There is no setup fee for any BoTech engagement. The first invoice is the first monthly bundle rate, and that covers the full onboarding process — environment assessment, tool deployment, configuration hardening, policy documentation, and compliance programme foundation.

Onboarding and Getting Started

Most clients are fully onboarded within 30 days. The timeline is structured as follows:

Day 3: Security monitoring is active. Endpoints enrolled, initial configuration review complete, 24/7 monitoring live.

Day 14: Microsoft 365 or Google Workspace hardening complete. Critical misconfigurations addressed. Patch management programme active.

Day 30: Compliance programme foundation deployed — policies drafted, gap analysis complete, risk assessment initiated, compliance evidence tracker configured.

Very little. We are built to start with organizations wherever they currently are — no specific tools, configurations, or prior compliance work is required before onboarding. We assess your current environment during the first week and build from what exists.

What is helpful before Day 1: a list of your current technology vendors (IT provider, cloud services, email platform, any software that handles sensitive data), and administrator access credentials for your Microsoft 365 or Google Workspace tenant so we can begin the configuration review immediately.

The free 30-minute assessment is a structured conversation — not a sales call. We review your current security posture, technology environment, and regulatory obligations. At the end you receive a clear picture of your specific gaps, your primary risk areas, and what a remediation plan would look like.

There is no cost and no obligation. If we are not the right fit for your organization we will tell you that directly. Request your assessment here.

Compliance

We support three regulatory frameworks:

HIPAA Security Rule — for healthcare practices, dental offices, therapy groups, medical billing organizations, and healthcare-adjacent businesses that create, store, or transmit electronic protected health information.

PCI DSS v4.0 — for organizations that store, process, or transmit payment cardholder data.

SOC 2 Type II readiness — for technology companies, SaaS providers, and service organizations whose clients require SOC 2 certification.

A single compliance framework is included in the Comply and Fortress bundles. Additional frameworks are available as an add-on for organizations with multi-framework obligations.

No. BoTech builds and manages your compliance programme — the policies, procedures, risk assessments, evidence tracking, and ongoing compliance activity your framework requires. We do not perform formal audits or issue certifications.

For HIPAA, there is no external certification — OCR investigates whether your programme is adequate when a breach occurs. For SOC 2, a qualified CPA firm performs the formal audit. BoTech prepares your organization to pass that audit and supports the evidence package preparation.

Your compliance programme foundation is in place within 30 days — policies written, gap analysis complete, risk assessment initiated, evidence tracker configured. This is the point at which your organization has a documented, defensible compliance programme in place.

Full, ongoing compliance — the kind that generates the monthly evidence trail an OCR investigation or SOC 2 audit requires — builds over the first 6 to 12 months as each review cycle, training session, and access review is completed and documented. Compliance is a programme, not a moment. We build it from day one and maintain it continuously.

Security and Incident Response

Your bundle includes dedicated incident response hours each month. For P1 Critical incidents — active ransomware, confirmed account compromise, or data exfiltration — we respond within one hour regardless of time of day.

Because we monitor your endpoints continuously, when a verified threat is identified we are alerted immediately. In most cases we are already investigating before your organization is aware something has occurred. This is the material difference between reactive incident response and active managed security.

Following containment, we conduct a post-incident review documenting what happened, how it was resolved, and what changes prevent recurrence — which also produces the incident documentation your compliance programme requires.

Yes. Endpoint and network monitoring runs continuously — 24 hours a day, 7 days a week including nights, weekends, and holidays. Threats do not schedule themselves around business hours and neither does our monitoring.

Automated detection and alerting runs at all times. P1 Critical incident response — one-hour response guarantee — applies around the clock. Standard incident response and non-urgent security issues are addressed during business hours.

We deploy a purpose-built security stack appropriate for small business environments — including endpoint detection and response (EDR), managed detection and response (MDR) with 24/7 SOC backing, email security with integrated security awareness training, and remote monitoring and management (RMM) for patch management and endpoint oversight.

Tool selection is based on your existing environment — whether you use Microsoft 365 or Google Workspace, and the specific risks your industry faces. The cost of security tooling is included in your monthly bundle rate — there are no separate licensing fees for the tools we deploy in your environment.

Still have questions?

We answer every question directly. No sales pitch.

If your question is not answered here, reach out directly. We respond to every enquiry within one business day and we will tell you honestly whether BoTech is the right fit for your organization.

Ready to get started?

Find out where your organization actually stands.

A free 30-minute security assessment reviews your current posture, identifies your specific gaps, and gives you a clear picture of what needs to change — at no cost and no obligation.