Z1 Z1 Networks

FAQ

The questions we actually get asked

Collected from real conversations with Tri-Valley practices and firms — answered the way we'd answer across a table.

Healthcare & dental

Our practice management vendor handles our backups. Are we covered?

Check what "handles" means — vendor backups often cover the database but not local imaging servers, and almost none are restore-tested against ransomware. We back up the practice database and imaging stores together, keep copies the ransomware can't reach, and actually test restores on schedule. The test is the difference between a backup and a hope.

Our EHR vendor says they handle security. Aren't we covered?

Only inside the EHR. HIPAA holds your practice responsible for everything around it — workstations, email, staff accounts, file storage, and backups. Most healthcare breaches start in email or on a laptop, not in the EHR. That surrounding layer is exactly what Z1 manages and documents.

What about our X-ray and imaging systems?

They're usually the oldest, least-patchable machines in the office, because the imaging vendor controls the software. We don't pretend they can be modernized — we isolate them on their own network segment, limit what they can reach, and monitor them, so one legacy workstation can't compromise the practice or the patient images on it.

What does a HIPAA security risk assessment involve?

It's a documented review of where patient data lives, what could threaten it, and how your current safeguards hold up — the specific analysis HIPAA requires and the first document an auditor or investigator requests. We run it as part of onboarding and refresh it on schedule, so it never becomes a stale PDF.

How fast can you be on-site if the office is down?

Same-day, and usually much faster — we're based in Pleasanton, so most Tri-Valley dental offices are within a 20–30 minute drive. Downtime that cancels patients is treated as the emergency it is, and most issues are resolved remotely before a drive is even needed.

We're a small practice. Does HIPAA enforcement really reach us?

Yes — enforcement against small practices has been increasing, and investigations are usually triggered by a patient complaint or a breach report, not by your size. Small practices carry the same breach-notification duties as hospital systems, with far less cushion to absorb the cost.

Will Z1 sign a business associate agreement?

Yes. As your managed IT provider we handle systems that touch patient data, so we sign a BAA and operate under it. We also inventory and track the BAAs for your other vendors — one of the most commonly missed HIPAA requirements we find in new-client assessments.

What does this cost for a practice like ours?

Flat monthly pricing per user, so it's predictable and budgetable. Where you land depends on practice size and how much compliance evidence you need — which is exactly what the free gap analysis scopes. You'll leave it knowing what you need, what you already have, and what closing the difference costs.

CPA & tax firms

What is a WISP, and does the IRS actually require one?

A WISP is a written information security plan — a document describing how your firm protects client data, who is responsible, and what happens in an incident. Yes, it's required: IRS Publication 4557 and the FTC Safeguards Rule both mandate it for tax preparers, and your PTIN renewal asks you to attest that you have one. An unwritten plan doesn't count.

Can we just do this during tax season?

No — the requirement is year-round, and so is the risk. Attackers know CPA firms hold Social Security numbers, bank accounts, and returns in July just like in March. A plan that only exists during filing season isn't a plan, and the IRS treats it that way. We manage it continuously so the busy months need nothing extra from you.

What actually happens if client tax data is breached?

You notify the IRS, your state attorney general, and every affected client — and depending on the circumstances, your PTIN and e-file privileges can be at risk. For most firms the client-trust damage outlasts the regulatory process. The point of the gap analysis is to find the openings that lead there before someone else does.

We already have antivirus and a firewall. Why isn't that enough?

Because the requirement isn't "have some security tools" — it's a documented program: a written plan, a designated coordinator, MFA, encryption, staff training, and monitoring, with evidence that each piece exists. A firm can own good tools and still be non-compliant on paper, which is exactly how most firms fail an inquiry or an insurance claim review.

What does this cost for a firm like ours?

Flat monthly pricing per user, so it's predictable through the year. Where you land depends on firm size and how much compliance documentation you need — which is exactly what the free gap analysis scopes. You'll leave it knowing what you need, what you already have, and what closing the difference costs.

Wealth management & RIAs

What does the SEC expect from a firm our size?

The same things it expects from larger advisers, scaled to your risk: written cybersecurity policies and procedures, periodic risk assessments, incident response with reporting readiness, and evidence that principals oversee the program. Examiners request the documents regardless of AUM — firm size changes the depth of the program, not whether one exists.

Our archive vendor says we're Rule 17a-4 compliant. How would we know?

By validating it: WORM configuration actually enabled for the right record classes, retention periods set correctly, capture covering every channel you supervise, and the designated-third-party arrangement in place. We review the configuration against the rule text and give you the findings in writing — either confidence or a fix list, both worth having before an exam.

An exam letter just arrived. Can you help before the response deadline?

Yes — exam-readiness work is a defined engagement: we gather and organize the cybersecurity documentation the request list asks for, close the gaps that can be closed in the window, and document honestly what's in progress. The earlier you call the more we can fix rather than explain, but a deadline is workable.

We already have a compliance consultant. Where does Z1 fit?

Alongside them, not in place of them. Your consultant owns the regulatory program — filings, testing, the compliance calendar. Z1 is the technical layer that makes the program's claims true: the controls, the monitoring, the archive configuration, and the evidence stream your consultant cites. Most consultants prefer working with us to auditing a generalist IT vendor.

Which areas do you serve?

Advisory firms along the 680 corridor — Pleasanton, San Ramon, Danville, and Walnut Creek — with on-site support the same day when it matters. Firms outside the corridor arriving by referral can be served remotely on our Complete tier.

Defense contractors

Do you do CMMC certification prep?

No — and we'd rather tell you that in the first paragraph than the last meeting. Our scope is NIST 800-171 self-assessment support: the SSP, the POA&M, control implementation, and SPRS scoring. When you need C3PAO certification audit preparation, we refer you to specialist partners by name. The foundation work we do is required either way, and none of it is wasted.

What is an SPRS score, and why does my prime keep asking about it?

SPRS is the DoD's Supplier Performance Risk System — the database where your NIST 800-171 self-assessment score lives. Primes check it because their contracts require flowing the obligation down to you, and your score is their paper trail. A missing or ancient score makes you the risky line item in their supply chain; a truthful, improving one keeps you on the bid list.

We're a subcontractor in the labs' supply chain. Can you handle NIST 800-171?

Yes, with a clear scope: we support NIST 800-171 self-assessment — building your SSP and POA&M, implementing controls, and improving your SPRS score on commercial Microsoft 365. If you need full CMMC Level 2 certification audit prep or a GCC High migration, we'll refer you to a specialist partner rather than learn on your dime.

Do we need GCC High?

Only sometimes. If your contracts involve ITAR data or specify certain federal cloud requirements, a government cloud may be genuinely required — and if so, we'll tell you early and refer the migration to a specialist partner. Many subcontractors handling ordinary CUI can meet their 800-171 obligations on properly configured commercial Microsoft 365, which costs dramatically less. The honest answer depends on your data, and that's the first thing we scope.

Law firms

What counts as 'reasonable efforts' under Rule 1.6?

The Bar deliberately doesn't publish a checklist — reasonableness scales with the sensitivity of the information and the size of the firm. In practice it means the recognizable basics done and documented: MFA, encryption, access controls, staff training, and a way to show they're maintained. Our approach is to define "reasonable" for your firm in writing, so the answer exists before anyone official asks the question.

A corporate client sent us a security questionnaire. Can you help us answer it?

Yes — outside-counsel guidelines and client security questionnaires are increasingly how firms win or lose institutional work. We answer them two ways: immediately, by documenting honestly what you have today; and durably, by closing the gaps so next quarter's questionnaire gets better answers. Firms we manage answer from an evidence file, not from memory.

Do you take on new law firm clients?

Selectively — most of our legal clients arrive by referral from CPAs, insurance brokers, or existing clients, and we keep the roster small enough to serve deeply. If your firm has real confidentiality obligations and wants them handled properly, start with the gap analysis; if we're not the right fit, we'll say so and point you to someone good.

Services

How often are restores actually tested?

On a defined schedule — and the results are documented, which is the part most providers skip. A backup that has never been restored is an assumption. Our restore tests verify the data comes back complete and measure how long it takes, so your recovery time is a number we've observed, not a guess.

We already pay for Microsoft 365. What do you add?

The license isn't the security — the configuration is. Most tenants run on defaults: no conditional access, admin accounts without separation, sharing links nobody reviews. We harden the tenant against published baselines, enroll devices properly, and audit the configuration quarterly. Same subscription, very different security posture.

How do responsibilities split between Z1 and our internal IT?

It's written down before we start — a responsibility matrix covering every function. The typical split: your team keeps user support, local knowledge, and business applications; we take security operations, patching discipline, compliance evidence, and after-hours coverage. The matrix kills the two failure modes of co-managed IT: double work and unowned work.

Which compliance frameworks do you cover?

Our core programs are HIPAA (medical and dental), IRS Publication 4557 and the FTC Safeguards Rule (CPA and tax firms — and the wider Safeguards family: auto dealerships, insurance agencies, and title/escrow companies), SEC and FINRA requirements (advisory firms), and NIST 800-171 self-assessment (defense subcontractors). California privacy obligations get layered on where they apply. If your framework isn't on that list, we'll say so honestly and refer you well.

Do you replace our current IT person, or work with them?

Either. Fully managed means we're your IT department. If you have a good internal person who's stretched thin, co-managed IT keeps them in place and adds our security layer behind them — with a written split of responsibilities so nothing falls between two teams.

What actually happens when something is detected at 2am?

Analysts triage the alert immediately. A real threat gets contained on the spot — the affected device is isolated from your network so the problem can't spread — and we're notified in parallel. You get a plain-English account of what happened and what was done, not a log file. That containment step happening at 2:05am instead of 9am Monday is the entire point of MDR.

Why not just hire a CISO?

A full-time CISO runs well into six figures, and a business under 150 people doesn't have full-time CISO work — it has quarterly-cadence leadership needs with occasional intensity around audits and incidents. A vCISO delivers the named accountability and the judgment at a fraction of the cost, backed by a whole team instead of one calendar.

If ransomware hits us, what does recovery actually look like?

Containment first — affected systems isolated so it stops spreading. Then recovery from immutable backups the attackers couldn't touch, in the order that gets your business functioning fastest. Because the copies are immutable and the restores are rehearsed, the ransom question becomes academic. Timeline depends on your environment; it's one of the numbers the gap analysis establishes.

Can you migrate us from our old server or Google Workspace?

Yes — migrations to Microsoft 365 from on-premises servers, Google Workspace, or a badly configured tenant are routine project work for us. They're planned, rehearsed, and scheduled around your business calendar, and the result lands already hardened rather than 'migrated now, secured someday.'

Will you deal with our auditor or examiner directly?

Yes — that's part of the service. We prepare the evidence packages in the format request lists ask for, join the calls, and answer the technical questions so you're not translating between an auditor and an IT vendor. Your name stays on the attestations; ours stands behind the evidence.

Is co-managed just a foot in the door to replace our IT person?

No — a good internal IT person with local knowledge is an asset we'd rather work with than replace. Most of our co-managed arrangements make the internal person more valuable: they gain enterprise tooling, a senior escalation bench, and vacation coverage. If your needs ever change, that's your call to initiate, not our sales strategy.

What are your actual response times?

Most tickets are answered within the hour during business hours, and critical issues on our Complete plan carry a 30-minute response commitment. On-site is same-day across the Tri-Valley — we're in Pleasanton, so most client offices are a 10-to-20-minute drive, not a dispatch decision.

We have antivirus. Isn't that enough?

Antivirus blocks known-bad files. Modern attacks mostly don't use them — they log in with stolen credentials and use legitimate tools, which antivirus watches happily. Detection and response looks at behavior, and MDR adds humans who act on it around the clock. Insurers have caught on, which is why applications now ask about EDR and monitoring, not antivirus.

What does the vCISO engagement look like quarter to quarter?

A quarterly review anchors it: risk posture, incidents, project progress, and the next quarter's priorities, reported in executive language. Between reviews, your vCISO owns policy decisions, fields the security questions that land on your desk, and steps in whenever an auditor, examiner, or carrier wants to talk to someone accountable.

How does your pricing work?

Flat monthly pricing per user — no hourly surprises, no invoice for every phone call. Where you land depends on headcount and how much compliance evidence your business needs, which is exactly what the free gap analysis scopes. You'll leave it knowing what you need, what you already have, and what closing the gap costs.

We already have an IT provider. How painful is switching?

Less than staying with the wrong one. Onboarding is a structured 30-day process: we document your entire environment as we take it over, so you end up with something most businesses have never had — a complete, written record of your own IT. Your old provider's cooperation helps but isn't required; we've onboarded plenty of clients whose previous IT person simply vanished.

Working with Z1 locally

How fast can you be at our Danville office?

About twenty minutes from our Pleasanton headquarters via 680 — downtown Hartz Avenue, Sycamore Valley Road, or Alamo. Same-day on-site is standard, and for the small professional offices Danville runs on, most issues are fixed remotely within the hour anyway.

How fast can you be at our Dublin office?

Dublin is our closest neighbor city — about ten minutes from our Pleasanton headquarters, whether you're on the Dublin Boulevard corridor or near the BART stations. Same-day on-site is routine, and most issues are resolved remotely within the hour first.

How fast can you be at our Livermore office?

About fifteen minutes from our Pleasanton headquarters — downtown First Street, the Vasco Road corridor, or out toward the wineries. Same-day on-site is standard across Livermore, and most issues are resolved remotely before a truck roll is needed.

How fast can you be at our Pleasanton office?

We're headquartered in Pleasanton, so on-site usually means under ten minutes across town — Hacienda, downtown, or the Stoneridge corridor. Most issues are resolved remotely within the hour before a drive is even needed, but when hardware needs hands, same-day is the floor, not the goal.

How fast can you be at our San Ramon office?

About fifteen minutes straight up 680 from our Pleasanton headquarters — Bishop Ranch, City Center, or the Crow Canyon corridor. Same-day on-site is standard, and most issues are resolved remotely within the hour first.

We're only an eight-person office. Are we too small for this?

No — our plans start at ten users, and small Danville offices holding sensitive client data are exactly who we built them for. An eight-person advisory or dental office carries the same insurance requirements and breach exposure as a firm five times its size, with less slack to absorb a bad week. If you're genuinely below our minimum, we'll refer you to a good fit rather than upsell you.

What kinds of Dublin businesses do you work with?

Dublin's growth has brought exactly the offices we specialize in: medical and dental practices, accounting and tax firms, and professional-services companies with cyber insurance requirements. We work with security-conscious businesses from about 10 to 150 employees; pure break-fix shoppers aren't a fit, and we'll tell you that honestly.

What kinds of Pleasanton businesses do you work with?

Security-conscious businesses from about 10 to 150 employees — especially medical and dental practices, CPA and tax firms, and professional offices with cyber insurance or compliance obligations. If you mostly need occasional break-fix help, we're not the right fit and we'll say so — and point you to someone who is.

Do you understand the compliance side for advisory firms?

It's a specialty, not a sideline. For RIAs and wealth-management firms we deliver SEC-exam-ready cybersecurity — written policies, Rule 17a-4 archive validation, vCISO oversight, and 24/7 monitoring — working alongside your compliance consultant rather than around them. San Ramon anchors the 680 corridor where we do most of this work.

Have a question that isn't here?

Ask it during the free gap analysis — you'll get the answer and a findings report in the same 30 minutes.

Book a Free Gap Analysis

30-minute findings presentation. No obligation.