One of the most challenging parts of an audit can be getting the support you need to do it right.

For any information security audit, assessment, or testing that our firm performs, it’s incredibly important that C-level executives and stakeholders understand and support the organization’s information security needs. Without their support, how can any policies or procedures be implemented? Who will approve funding? Who will assist in building an information security team? We know that these questions can represent much larger struggles and frustrations, but we also know how important it is to have management buy-in on a project like an audit.

Let’s talk about why their support is so crucial to the success of your audit and how to get executives on board with your information security needs.

Why You Need Executive Support During an Audit

Executives are the link between the success of an audit and the organization. The quality of an audit is strengthened when they are involved. Executive support, insight, and awareness are invaluable to an organization.

From the very beginning of an engagement, executives and management have responsibility. The scope of the engagement, audit period, criteria, description of systems, description of vendors, risk assessments, internal auditor direction – all of this vital information can’t be given to the auditor without executive involvement.

Additionally, each framework has specific requirements that need the involvement of management:

  • In a SOC 1 or SOC 2 engagement, management’s assertion is a major part of the report.
  • During a PCI assessment, Requirement 12 is all about information security policies that management must set.
  • HIPAA requires universal application of training requirements and securing PHI.
  • In a HITRUST CSF engagement, the executive charter enables your information security policies to actually be policies.

No matter which information security framework you are audited against, executives are ultimately held responsible for securing data and assets. Their involvement is crucial, which is why we require an executive sponsor to be nominated for any engagement we work on.

Audits Also Require An Executive Sponsor

For an audit or information security assessment, an appropriate executive sponsor must be assigned to the engagement. This person is generally a C-level executive, like a Chief Compliance Officer, Chief Technology Officer, CEO, COO, or CFO. An executive sponsor is the party that is ultimately responsible for an organization’s compliance programs. An executive sponsor isn’t usually a member of the IT staff or IT management because there needs to be an aspect of organizational responsibility to manage compliance at the executive level.

An executive sponsor should be present at any project kickoff or planning meetings and should go through any training that the auditing firm requests, like custom software or portal trainings. Most importantly, an executive sponsor of an audit or information security assessment must be available to the auditor or auditing firm. At KirkpatrickPrice, we always want to take questions or issues directly to the appropriate person at your organization, so an open line of communication is key.

5 Ways Executives Can Support You Before Engaging in an Audit

We’ve found that being engaged in the audit process will increase executives’ and management’s view of the value of the audit. Those who are not involved in the audit process are most likely to believe that the audit itself has limited value. However, support during the audit will only come if you prioritize management’s involvement beforehand.

When considering what kind of information security audit, assessment, or testing to undergo, it’s crucial to consider executives’ and management’s opinions and feedback. After all, they’re the ones approving the budget for this kind of engagement, assigning responsibilities, and empowering an information security program. Further, they have a deep understanding of company processes and priorities, and when those are incorporated into conversations about security and compliance, executives can begin to see how they all work together and benefit one another.

When approaching an executive for their support of an information security audit, assessment, or testing, we suggest you communicate the following benefits:

  1. Your information security program will align with business objectives. It will help prevent breaches and incidents, mature their business practices, and help you operate more efficiently.
  2. Data breaches can have a huge financial impact on the organizations that suffer one. Yes, you are asking them to fund an audit – but the spend now will be well worth it if it prevents a costly data breach or a fine for non-compliance.
  3. The ability to demonstrate your compliance and information security efforts is a valuable competitive advantage. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the information security program that you have in place.
  4. Your information security program will protect your organization, but on a more personal level, it will help mitigate threats that target executives. Whaling is a type of phishing attempt that specifically goes after the most senior-level employees of an organization because of their authority and rights of access. It’s not uncommon for whaling attacks to work because so many executives aren’t actively engaged in information security programs and don’t participate in the same awareness training as other employees.
  5. Security is an ongoing effort that becomes more important as threats continue to evolve and mature. By creating a culture of security at your organization, your executives can proactively protect the organization before threats materialize and simplify compliance efforts by incorporating them year-round into daily processes.

SEC Requirements

In addition to the benefits your business will see by incorporating information security and compliance into your company culture, the Securities and Exchange Commission recently adopted rules requiring businesses to disclose the cybersecurity incidents they experience, as well as to annually disclose materials regarding their cybersecurity risk management, strategy, and governance processes. In an effort to be more transparent about incidents and the efforts to prevent them, the new rules will “require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.” Management’s involvement is more crucial than ever; not only will it improve your overall business processes, it will be a requirement from the SEC.

Choose an Audit Partner That Wants to Help You Meet Your Business Objectives and Compliance Goals

At KirkpatrickPrice, we understand the difficult balance executives have to orchestrate in order to keep their business running smoothly. They are under pressure to meet business objectives, but they are also required to comply with regulatory laws and frameworks. We believe that the two can work hand-in-hand, and we’re prepared to help you accomplish both goals.

Executives set the strategic direction for an organization, so they should be involved with information security strategy. If your organization’s C-level executives, stakeholders, or management are not involved in your information security program, don’t wait to start building their awareness and knowledge.

Connect with an expert today to learn more about choosing the right audit firm, information security audits, and gaining executive buy-in.


Starting a SOC 2 audit can be overwhelming. 

You know you need a SOC 2 audit, but don’t know what to expect or how to get started. The SOC 2 Compliance Checklist below will prepare you for what your auditors look for and how to confidently begin your SOC 2 compliance journey.

What is a SOC 2 Compliance Audit?

A SOC 2 audit attests that the system or service you provide to your clients is secure, trustworthy, and prepared to handle risks. This attestation is achieved through a quality examination of your people, processes, and technologies by an experienced, licensed CPA firm.

A SOC 2 audit validates your organization’s commitment to delivering high quality, secure services to your clients.

What’s Included in the SOC 2 Compliance Checklist?

This exclusive SOC 2 compliance checklist, prepared by KirkpatrickPrice’s SOC 2 compliance professionals, outlines the specifics of each system component that will be evaluated during your SOC 2 audit.

The SOC 2 Checklist will cover:

  • The Trust Services Criteria
  • The system components evaluated in your audit
  • Which policies and procedures need to be in place
  • Average length of a SOC 2 audit
  • Answers to frequently asked SOC 2 questions

What Makes a SOC 2 Audit Successful?

After completing your SOC 2 audit, you might have concerns about completing it correctly. Here are four main metrics to help you evaluate a SOC 2 audit’s success:

Receiving C-Level Support

C-level executives and stakeholders must understand and support the audit as it relates to the organization’s information security needs. Without it, how can the business implement policies or procedures, approve funding, or drive the audit’s outcome?

Authentically Taking Company-wide Action

While SOC 2 audits help strengthen and enhance a business, many organizations hesitate because of the lengthy process and overlook the benefits as a result. An audit isn’t something to be completed haphazardly. Instead, a business should perceive audits as an opportunity to improve internal processes, security, and organizational wellness among staff.

For example, a quality SOC 2 audit could have helped Clorox take action and avoid a significant cybersecurity breach. Unfortunately, few companies value cybersecurity enough to include security experts on their board, even though information security compliance frameworks call for it. A successful audit helps companies remain vigilant in safeguarding their organization from the threat of a breach.

Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they take full advantage of the achievement, incorporating audit insights into marketing materials and sales conversations.

The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it.

Continuing the SOC 2 Journey

After completing a SOC 2 audit for the first time, many of our clients agree the process was difficult but worth it.

Clients who follow remediation guidance can proactively prepare for the next audit: they know what to expect, how to use the Online Audit Manager, and how to build a stronger information security program, and they can show their auditor the improvements made every year.

Keep in mind, you don’t have to have everything perfectly in place to start your audit.  This checklist should just be a tool to help you prepare for your audit.  If you need help putting controls in place, contact one of our experts today! We want to make sure you feel ready to successfully complete your SOC 2 audit.

Prepare to successfully start and complete your SOC 2 audit by downloading the SOC 2 Compliance Checklist!

Audits are hard, but when done well, they are always beneficial.   

We understand if you don’t believe us.  We know that audits are overwhelming and complicated.  They can feel like daunting tasks that will only create fines or more work for your organization.  But that doesn’t have to be the case.  There are many benefits of an audit, and even more when you have a partner to help you.  

If you don’t believe that an audit can ever be beneficial, allow us to convince you.  

What Doesn’t Kill You Makes You Stronger

To make sure that your audit is worth it, you need an experienced audit partner who cares about helping you reach your security and compliance goals.    

Audits strengthen business operations, yet many organizations are fearful of the process.  Rather than seeing the benefits of information security audits, most people only worry about what will happen if they “fail.”  

In short, you can’t fail an audit.  Any “failure” or exception identified in an audit exposes potential threats or vulnerabilities that your organization may not have been aware of before the audit.   An audit is simply one of the tools you can use to verify that the way you keep your data safe is actually doing that.  

Choosing to work with an experienced information security auditor is a great way to make sure your controls are being tested thoroughly so that your organization knows its security program is designed well and operating effectively.  This gives you a chance to inspire the entire organization to show a greater commitment to security and compliance and will give you assurance that you are doing everything you can to protect your business. 

The Audit Lifecycle 

We’ve noticed a pattern in the audit lifecycle, divided over the first three years of an audit journey. In the first year, you may be starting the auditing process for a certain reason; a major client may require proof of some type of compliance, or you may be looking to distinguish your business from the competition. Your organization is probably asking, “Do we have to do this? Do we have to go through this audit? How can compliance help our business?” You’re almost in denial, questioning if this audit is really necessary. You may get stuck in the checkbox mentality, rather than reaping the benefits of information security audits.  

In the second year, though, your mindset can switch to, “We are doing this audit.” Your organization should have a little bit more confidence knowing that you completed the audit and reached compliance last year. You may have already seen some of the benefits of audits. You know the process, you know what you need to do, and you’re going to get it done.  

With the third year comes the mindset that we hope to get your organization to. We want you to say, “I’m glad we’re doing this audit. This is important for our business.” In this phase, you’ve moved on from the checkbox mentality and you recognize the value and benefits of audits. 

When Does an Audit Become a Benefit?

So, when does an audit actually become a benefit? 

  • When it helps your organization maintain customers and attract new ones 
  • When it helps your organization operate more efficiently 
  • When it helps your organization’s processes and controls mature 
  • When it helps distinguish your business from the rest, giving you a competitive advantage 
  • When it helps you avoid fines for non-compliance or breaches 
  • When it creates the Safe Harbor Effect for your business 
  • When it prevents a data breach 
  • When you need to answer to any sort of regulatory body 
  • When you can give a vendor evidence from an auditor who has seen the controls in place operating effectively 
  • When you realize that your organization is constantly strengthening its processes and controls 

How to Leverage Audits for a Competitive Advantage

In this webinar hosted by LockPath, Joseph Kirkpatrick shares his insights on the auditing process, how your organization can leverage audits to gain a competitive advantage, and the benefits of information security audits and compliance.

Topics like application development, business continuity, data retention, disaster recovery, incident response testing, risk assessment, and audit trends are also discussed in this webinar. By listening to the full session, you’ll also hear from Sam Abadir, Director of Product Management at LockPath. In his position, Sam helps companies automate compliance and policy management for better performance and productivity. In this webinar, he will discuss the beneficial aspects of Lockpath’s Keylight Platform. 

About LockPath

LockPath is a leader in integrated risk management solutions. Their suite of applications empowers companies to manage risk, demonstrate compliance, monitor information security, and achieve audit-ready status. Companies ranging from 10-person offices to Fortune 10 enterprises in over 15 industries address the Gartner IRM use cases with LockPath solutions. In 2017, they are expanding their application portfolio to provide more efficient and effective programs. Learn more at lockpath.com. 


When you work with KirkpatrickPrice, you can make sure your audit will end in success.

When you undergo an audit, you can’t lose. One of our clients recently said, 

“If we fail, it will be good for us.” 

We hope that you can see the truth in this statement. You aren’t a failure if your auditor identifies an exception.  These exceptions, when remediated properly, give you the power to strengthen your security measures and protect your valuable data from a threat you didn’t even know was possible. 

Your audit findings only make you stronger if you let them. 

Audits give you the opportunity to create an even more secure environment. 

When we work together, we will partner with you to turn these vulnerabilities into your greatest strengths.  Connect with one of our experts today and make your organization unstoppable in the face of today’s threats. 

Threats are constantly evolving.  We know you want to be ready to face them, but what happens when you’ve already experienced a breach? How do you restore not only your business operations, but your reputation?   

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. Even more so, 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises.

Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But what happens after a data breach has occurred? Can your business recover?

In short, yes. But it’s going to take some work. In this blog we’ll discuss some tactics your organization can implement to rebuild any lost trust, as well as examine some companies that have successfully done it.

Tactics for Rebuilding Trust

Data breaches affect way more than just your data; they can also damage your reputation and break the trust you’ve established with your customers and stakeholders.  While restoring the integrity of your data after a breach is critical, you also need to work to rebuild the trust that you lost.  How do you do that? These five steps are a great place to start:

1. Notify the affected parties.

If personal data is stolen or compromised as a result of a data breach, private firms must notify affected parties as required by law.  Even if your organization isn’t legally required, this is still a good idea.  Honesty and transparency are vital to rebuilding or maintaining trust with your stakeholders. It allows stakeholders to take appropriate actions and shows your organization’s dedication to remedying the damage caused by the breach.

2. Investigate the root cause.

You have to identify the cause of the incident so that you can be sure you have adequately contained and fixed it.  Without knowing what actually occurred, you won’t be able to fully remedy the incident or implement the correct controls to protect against it in the future. Additionally, you won’t be able to confidently tell stakeholders that the issue is (or will be) fully remedied.

3. Implement corrective measures.

Once you investigate and fully understand the incident, you can implement the corrective measures or controls that fix the issue. 

4. Learn from the experience and demonstrate your commitment to cybersecurity.

It’s not enough to just fix the issues that led to your breach.  You must evaluate and learn from the experience to demonstrate your commitment to cybersecurity.  This is the best way to protect your organization from future breaches, but also to rebuild trust with your clients.  By showing your security program improvements, and participating in industry events, you can prove to your stakeholders that you are serious about protecting their valuable data.

5. Improve your data security strategy.

The final step to responding to a data breach is to ensure that your data security strategy or procedures have been reviewed to reflect any lessons learned or new controls added as a response to your incident. This will allow your organization to formally prepare for any future incidents.

Companies That Rebuilt Trust After a Data Breach

While the five steps listed above provide a helpful roadmap to rebuilding trust after a data breach, we all know it’s much easier said than done. Let’s take a look at three advertising campaigns to examine how three well-known companies sought to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

Prepare to Face Today’s Threats Confidently with KirkpatrickPrice

We know that when it comes to threats you want to make sure that you’re ready. In order to do that, you need quality cybersecurity and compliance audit reports with results you can trust.  With quality testing of your unique environment, you can prepare to face threats before they become a data breach and gain a partner to help you if they do.

Partner with an expert today to make your organization unstoppable.


Regularly training your employees is a critical component of compliance and security in your organization. An employee who does not understand the security threats facing them as a frontline target could be just the opening that an attacker needs to cause a security breach. This is why many information security frameworks and regulations, like SOC 2, PCI DSS, and HIPAA, have security awareness training compliance requirements. What are those requirements? What does your organization need to do to ensure compliance? Let’s take a look.

The Importance of Security Awareness Training

The importance of continually educating your employees on the cybersecurity threats they’re up against can’t be stressed enough. Why? Employees are often the weakest link at an organization. Whether it’s because of the limited number of personnel, lack of funding, or misunderstanding of how to follow cybersecurity best practices, focusing on security awareness training can easily become an afterthought. But here’s what you need to know: every single person at your business needs to understand how they could unintentionally compromise your organization by falling for phishing attempts, using recycled passwords, neglecting to follow company-wide policies, or via the plethora of other ways malicious hackers can compromise the integrity of your security.

What Do Common Information Security Frameworks Require?

In order to demonstrate your compliance with many common information security frameworks, organizations must implement security awareness training programs. Take a look at what some of those common information security frameworks and laws require.

  • SOC 2: According to the AICPA, in order for entities to be compliant with the Common Criteria 2.2, entities must “communicate information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.”
  • PCI DSS: According to Requirement 12.6 of the PCI DSS, entities must implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
  • HIPAA Security Rule: According to the administrative safeguard, 45 CFR § 164.308(a)(5), covered entities and business associates must “implement a security awareness and training program for all members of its workforce.”
  • HIPAA Privacy Rule: According to administrative requirements under the HIPAA Privacy Rule, 45 CFR § 164.530(b)(1) says, “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information…as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
  • GDPR: According to Article 39(1)(b), Data Protection Officers are responsible for “monitoring compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits…”
  • FISMA: According to U.S.C. § 3544(b)(4)(A) and (B) under FISMA, entities are required to implement “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”
  • ISO 27001/27002: According to Requirement 8.2.2 of ISO 27001, “All employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”

Whether your business has a team of two or five hundred, investing in security awareness training from the beginning reinforces a culture of compliance and helps mitigate the risk of human error causing a security incident.

Partner with KirkpatrickPrice to Create an Effective Security Awareness Training Program

If you’re looking for a cost-effective security awareness training solution for your company, KirkpatrickPrice offers several courses for various frameworks, industries, and experience levels. For more information about the courses we offer or to learn how KirkpatrickPrice can help you meet the security awareness training requirements of many of these common information security frameworks, contact us today!