The future of cybersecurity is full of mystery, intrigue, and intimidating trends.  Threats loom larger every day and defending ourselves against them becomes more and more challenging.  At the Secure Miami 2023 Conference, industry leaders gathered to discuss these trends and how we can safeguard ourselves and our businesses against them.  The day covered exciting new topics like AI and ChatGPT while also touching on the importance of information security basics, like access and risk management.

But whether the conversation was about the next big thing or the classics we all need to master, key trends and themes ran throughout the entire day.  Let’s discuss the five key takeaways that emerged from every discussion, which your organization can use to strengthen its security practices:

1. Proactively Plan

We all know the landscape of security culture is changing.  Businesses will no longer be able to survive if they only react and respond to the threats and attacks coming for them.  To survive, businesses must adapt from a reactive mindset to a proactive one.  We cannot hope that we won’t be attacked; we have to assume the attack is coming.  This is a classic case of when not if.

The good news is that businesses can create a plan to secure their business and protect their valuable assets.  Having an incident response plan and a business continuity/disaster recovery plan in place allows organizations to plan their response to an attack and avoid ruin.

An incident response plan is a predetermined approach for identifying and addressing a security incident; it dictates the procedures to follow after detection so that the impact is minimized. At a minimum, your plan should include:

  • Roles, responsibilities, communication, and contact strategies in the event of a compromise including notification of the payment brands
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data back-up processes
  • Analysis of legal requirements for reporting compromises
  • Coverage and responses of all critical system components
  • Reference or inclusion of incident response procedures from the payment brands

A business continuity plan is a deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies. At a minimum, a business continuity plan should include:

  • Document Control
  • Priorities & Responsibilities
  • Key Risks
  • Roles & Responsibilities
  • Emergency Recovery Process
  • Business Recovery Process
  • IT Business Continuity Plan
  • Emergency Delegations List
  • Contact Lists

In addition to creating these plans, businesses need to test them to ensure they operate as designed.  Tabletop testing is one of the best ways your organization can test these plans under pressure to make sure they will actually keep your business safe.

The worst thing that can happen during a breach or attack is not knowing what to do next.  Proactively plan to keep your organization safe.

2. Know Your Environment and Its Risks

In order to properly plan for the threats your organization is facing, you must know the risks you are facing throughout your entire environment. And to do that effectively, you need to fully understand your environment.  No one should know your network, environment, or processes better than you. You need to know your assets, the functions of those assets, and who has access to those assets.  This is the only way you can know which defenses are needed and what will work best to protect your unique environment.

Once your assets are properly accounted for, your organization will be prepared to perform an effective risk assessment.  A risk assessment is the most trusted weapon against all of the threats we’re facing.  By understanding what you are protecting, you will be better equipped to put the right controls in place for your organization’s unique environment and vulnerabilities.

In our Founder’s presentation at this conference, he discussed risk management as it relates to Star Wars.  Spoiler alert: Darth Vader’s lack of a proper risk management plan led to the destruction of the Death Star.  To have been properly prepared, the Empire should have inspected the ship for vulnerabilities and then planned to defend them.  The threat they faced was the Rebel Alliance’s X-wing Starfighter, but the vulnerability was the thermal exhaust port.  Being too focused on the operation, they did not manage the one thing that made them vulnerable.

So, to avoid your organization falling to the dark side, you must start thinking about the real vulnerabilities you are facing.  When you connect the threats you face to the parts of your environment that make you vulnerable, you can implement stronger controls that are designed to properly protect your valuable data.  By identifying the risks that could stop you from being successful and proactively planning how you will secure your organization from risks, your organization can be confident when facing today’s ever-evolving threats.

3. Training

Creating these processes isn’t enough to secure your environment. You have to make sure your employees know how to implement them and are willing to do so.  One of the biggest threats to an organization is human error.  According to a study conducted by Stanford University in 2020, approximately 88 percent of all data breaches are caused by an employee mistake.

The only way we can combat this is through security awareness training.  Train your employees often on a variety of topics so you can ensure everyone is on the same page about how to protect your organization against threats.

While your training should cover all your organization’s unique processes as well as common attacks and breaches, here are five areas to consider focusing on to encourage your employees to practice security in the workplace:

  • Physical Security – Protect the home front.  Implementing requirements like wearing badges while on the property, appropriate identification and sign-in procedures at the front desk, video surveillance, and proper locks all protect your office and the people inside of it.
  • Password Security – Passwords should be at least 8 characters long and use a variety of upper and lowercase letters, numbers, and special characters. Default passwords should never be used, and passwords should never be shared.
  • Phishing – Train your staff to be wary of phishers and to know what to look for. Make sure they know not to open attachments in emails if they do not know the source. Encourage them to not send confidential information in response to an email claiming that “urgent action is required.” Test and train your employees to make sure you’ve created an environment where, if in doubt, someone will ask before engaging with an email that may look suspicious.
  • Social Engineering – Social engineering threats are threats based on human vulnerabilities. It’s a way attackers manipulate people into giving away confidential information or password/ID combinations, or into granting unauthorized access to a facility. Train your employees to operate with a healthy amount of skepticism, and to never give out sensitive information without fully identifying the other person.
  • Malware – Malware, much like phishing, can enter your environment through seemingly harmless actions such as employees opening emails from unknown sources, using an infected USB drive, or visiting websites that may be unsafe. Be sure employees are trained to be aware of these kinds of attacks, and practice identifying malware threats.

4. Quit Freaking Out About AI

AI is taking the world by storm right now.  It’s all our auditors have been talking about because it’s new and unknown.  The sessions at Secure Miami all heavily focused on how AI and ChatGPT will change our security landscape and how we can securely implement it into our own security processes. 

And while the unknown is scary, the overwhelming opinion was that we need to stop freaking out just because new tech has entered the chat.  Our processes and our people have adapted in the past, and they can again. Think about when the cloud was a new concept – people freaked out about that, too, but now it is common practice with new security measures developed to protect the data that we store in the cloud. 

AI will be the same way.  We will build the controls we need to protect our data, and those controls will still allow us to benefit from this new technology.

Remember, AI is just a tool.  Here are a few takeaways about how to securely approach it currently:

  • Be smart about how you implement your controls and secure your use of AI (knowing your environment and proactively planning for threats is how you do this).
  • Use compliance frameworks to know what controls you need.
  • Educate your users on how to use AI securely.
  • Make risk-based decisions. Make them proactively, not reactively.

5. Invest in People

Despite current fears, people cannot be replaced by AI.  We still need to invest in people and train them on security best practices so AI can be used as a tool and not as a default security measure.  While training your employees is always a good investment, you need to focus on your culture as well.  This means investing in and creating internal relationships on your team as well as across departments.  This type of relationship will create the buy-in you need to implement the controls you’ve so carefully designed. 

Outside of your own organization, consider offering internships or mentorships to aspiring cyber professionals.  Share your knowledge and make sure that the next generation of IT and cyber professionals knows the importance of these controls and processes even in light of new cool tech.  Recruiting talent you can trust is hard enough, so why not invest in young professionals and help them be the best they can be while in turn creating talent worth hiring?

Get Back to Basics

This day at Secure Miami was a great reminder that no matter what flashy new tech comes our way or attack threatens our business, we can prepare to face it with core security principles. Proactively planning how we will defend our data and respond to a breach with well-trained people helping us will always be the top trend in our industry. 

While we may have boiled this day down into 5 takeaways, we understand that implementing these things can actually be really overwhelming and challenging.  If you’re feeling that way, reach out to one of our experts at KirkpatrickPrice.  We’ve been in your shoes and know how challenging implementing these controls can be.  But we’ve worked with over 1,200 clients to issue 20,000 audit reports and are passionate about helping organizations get the assurance they deserve.  We’ll help you create the controls you need to secure your unique environment.

Connect with one of our experts.  We promise that cybersecurity and compliance will no longer be a mystery.

Unfortunately, one of the only things we can rely on in the cybersecurity world is that threats are always looming.  We know that it is a matter of when, not if, your business will undergo an attack.  Have you planned for that? Is your organization prepared to face the unexpected and still land on its feet?

A well-developed and properly tested business continuity plan (BCP) and disaster recovery (DR) plan is the best way to prepare to face the unexpected.  In this blog, we’ll recap our BCP + DR webinar by Todd Atnip so your organization can feel prepared to face today’s threats confidently.

Threat Overview

Again, threats are everywhere and they are becoming more advanced every day. The 2023 estimated global cost of cybercrime is $8 trillion.  This is the greatest transfer of economic wealth in human history.  It is more profitable than the global trade of all major illegal drugs combined.

Ransomware is expected to cost its victims $265 billion annually by 2031, with a new attack (on consumers and organizations) every 2 seconds.  Ransomware perpetrators are progressively refining their malware payloads and related extortion activities. If you stacked that many one-dollar bills together, the stack would be 18,000 miles long – almost as high up into space as the commercial communications satellites.

In addition to these external threats, organizational disconnect is the most common threat businesses face.  There is a huge gap between the business continuity plans created by business execs and the integration of those plans by actual cybersecurity leaders.  92% of business execs agree that business continuity is integrated into enterprise risk management strategies. Only 55% of cybersecurity leaders (those implementing the controls) surveyed agreed.

Luckily, this is also the most solvable threat. By creating and implementing a BCP, testing it properly, and training all involved parties, businesses can be confident in the controls and practices they’ve created to protect their hard work and valuable data.  Let’s dive into how to do that.

The Documents

There are a few documents and procedures that must be created to have a formally documented business continuity or disaster recovery plan: the plan itself, a business impact analysis, and an action plan. 

Let’s define each of these:

What is a Business Continuity & Disaster Recovery Plan?

A deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies.

What is a Business Impact Analysis?

A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.

Why is it important?

You need to understand what you’re protecting, the impact of those things, how long it will take you to recover, and the expectations around recovery.

The ability to effectively prioritize activities when executing a BCP/DR plan is driven by the BIA.  Additionally, the BIA assesses and informs on recovery time requirements (RTO / RPO).  These should be performed at function or process levels at least and sometimes at asset levels.  A key outcome of this activity is reconciling any disagreements on recovery priorities.

Most organizations use IT and technology resources as a shared service.  Each major division or function of a company shares the same IT resources.  So, in a disaster scenario, who gets their stuff back first?  The BIA is a major resource your organization can use to inform these types of decisions. 

The second important thing this exercise does is reveal any disconnects between business expectations of recovery and actual capability to meet those expectations.  If you transact a large portion of your business via email and your PST file is 2 TB, you can’t have the business believing in a 2–4-hour RTO unless you’ve implemented a backup and recovery strategy that aligns with that expectation.  Physical limitations must also be discussed in terms of RTO/RPO.
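The reconciliation the webinar describes, expectation versus demonstrated capability, is easy to put in code. The example below is added here and is not from the webinar or from KirkpatrickPrice; the functions, data sizes, restore throughput and backup intervals are constructed sample values, not measured figures. It walks the BIA priority list in order (shared IT resources are restored one function at a time) and flags any function whose RTO or RPO cannot be met by the backup and restore capability behind it, including the 2 TB mailbox case above.

```python
# Added example: a BIA-style check that compares each business function's
# recovery expectations (RTO/RPO) with the restore capability behind it.
# All figures below are constructed sample values for illustration.
from dataclasses import dataclass


@dataclass
class Function:
    name: str
    priority: int                 # 1 = recovered first (agreed in the BIA)
    rto_hours: float              # business expectation: maximum downtime
    rpo_hours: float              # business expectation: maximum data loss
    data_gb: float                # data volume that must be restored (1 GB = 1024 MB here)
    restore_mbps: float           # demonstrated restore throughput, MB per second
    backup_interval_hours: float  # how often a restore point is actually taken


def restore_hours(f: Function) -> float:
    """Hours needed to restore f's data at its demonstrated throughput."""
    return (f.data_gb * 1024) / f.restore_mbps / 3600


def gaps(functions):
    """Return (function name, reason) for every expectation the capability cannot meet.

    Functions share the same IT resources and are restored in priority order,
    so a lower-priority function's clock includes everything restored ahead of it.
    """
    findings = []
    elapsed = 0.0
    for f in sorted(functions, key=lambda x: x.priority):
        elapsed += restore_hours(f)
        if elapsed > f.rto_hours:
            findings.append((f.name, f"RTO {f.rto_hours}h but ~{elapsed:.1f}h to restore"))
        # Worst-case data loss equals the gap between restore points.
        if f.backup_interval_hours > f.rpo_hours:
            findings.append((f.name, f"RPO {f.rpo_hours}h but {f.backup_interval_hours}h between backups"))
    return findings


# Constructed sample: the 2 TB mailbox case from the webinar, restored at an
# assumed 100 MB/s from a nightly backup, ahead of a smaller order system.
SAMPLE = [
    Function("Email (2 TB PST)", 1, rto_hours=4.0, rpo_hours=1.0,
             data_gb=2048, restore_mbps=100.0, backup_interval_hours=24.0),
    Function("Order management", 2, rto_hours=8.0, rpo_hours=4.0,
             data_gb=50, restore_mbps=100.0, backup_interval_hours=1.0),
]

if __name__ == "__main__":
    for name, reason in gaps(SAMPLE):
        print(f"GAP  {name}: {reason}")
```

Run as-is, it reports two gaps for the mailbox (roughly 5.8 hours to restore against a 4 hour RTO, and a 24 hour backup interval against a 1 hour RPO) and none for the order system, whose 8 hour RTO still holds even after waiting for email to come back first. That is exactly the disconnect a BIA is meant to surface before a disaster does.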

What is an Actionable Plan?

A framework that contains all categories of action required to make sure the essential elements of your service delivery are recovered both timely and effectively.  This plan should be actionable, not overwhelming.

The key elements in this plan are:

  • Clear disaster declaration criteria
    • Make sure you clarify the difference between an incident and a disaster as well as the response plans to each.
  • Role definition
    • Who is leading this team and who else is on it? What are they responsible for?
  • Communication essentials
    • Define how communication should take place, who should be contacted and in what order, and who is responsible for these communications.
  • Restoration procedures
    • You should have more details here about how to restore technology and business processes.  But remember to still make it simple, actionable, and understandable.
  • Testing cycles
    • You have to test your plan at least annually.
    • Normally a tabletop exercise is used, but simulations are also a good option (but generally not required by audit frameworks).
  • Detailed appendices
    • This is generally for reference material that may be needed at some point (e.g., contact lists, technology diagrams) – putting these things in an appendix helps keep the noise out of the main plan since they are not constantly needed.

Key Components of a Business Continuity and Disaster Recovery Plan

While there are several elements of a BCP and DR plan, they all fit into 4 categories:

  1. Technology
  2. People
  3. Facilities
  4. Supply Chain

When these four areas are accounted for, you can be confident that all areas of your business are covered.  Make sure to listen to the recording for more details on these areas!

Test, Test, Test Again!

Plans that are not tested are not plans: they are aspirations. They are ambitions and hopes.

Additionally, most major audit frameworks require testing as one of the controls that should be in operation.

Test relevant scenarios based on your organizational risk assessment.  Ask, “What are the most likely scenarios for you?”

If you have high availability in the cloud, prove it.  Fail over a small, low-risk part of your service delivery to the high availability (HA) component and make sure it works.

Finally, remember that having something in place doesn’t guarantee capability.  Everything deserves to be tested. Only then can you be confident in its functionality and ability to protect your business.

Expect the Unexpected

Adopt the “when not if” mindset.  Create a business continuity and disaster recovery plan that protects all of your assets.  Communicate it to all parties that need to be involved.  Test it thoroughly.

If you need additional help creating or testing your recovery plans, connect with one of our experts.  Let us review your BCP and make sure you’re ready for the unexpected. 

We know that when it comes to threats you want to make sure that you’re ready. In order to do that, you need a quality cybersecurity and compliance audit report that gives you results you can trust.  

The problem is choosing the right framework for your business and unique data needs can be complicated.  There are so many frameworks and regulations to learn about and sift through to see what best applies to your business. You’re probably asking yourself: What do they all mean? Which framework or regulation does my organization need to comply with? Which one best suits my organization’s needs?  

In this post, you’ll learn about the most common information security frameworks, who they apply to, and how they can benefit your organization.

Commonly Used Frameworks

Deciding to undergo an information security audit can be daunting for the sole reason that there are so many frameworks and regulations to learn about. Let’s break down the most common frameworks and how they could benefit your organization.

SOC 1

A SOC 1 audit is an audit that is performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports are designed to report on the controls at a service organization that could impact their clients’ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

SOC 2

As a service provider, how do you validate the security of your services? A SOC 2 audit evaluates internal controls, policies, and procedures as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. These five established categories, known as the Trust Services Criteria, address questions like: How are your policies and procedures relative to the standard documented? How do you communicate those to all interested parties? How do you monitor that those controls are being effectively performed?

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a robust information security standard that encourages and enhances cardholder data security by providing industry-recognized data security measures. In other words, a PCI audit is an information security audit focused on the protection of credit card data. All PCI audits must be performed by a PCI Qualified Security Assessor (QSA) and are designed to test whether an organization is compliant with the 12 technical and operational requirements established to protect cardholder data.

ISO 27001

Organizations across the globe can benefit from an ISO 27001 audit. It’s the gold standard for information security and can be applied in any vertical. Its implementation is customized for each organization’s needs to treat their particular risks. Completing an ISO 27001 audit allows organizations to demonstrate to their business partners that a mature and risk-based information security program is in place.

HIPAA

All covered entities and business associates who process, store, or transmit protected health information (PHI) and electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates are responsible for securing the PHI or ePHI that they hold. If you are a covered entity or a business associate, you must decide which HIPAA laws apply to you – Security, Privacy, or Breach Notification laws.

GDPR

The European Union’s General Data Protection Regulation (GDPR) is considered to be one of the most significant information security and privacy laws of our time. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR requires all data controllers and data processors that handle the personal data of data subjects to implement a program that ensures the ongoing confidentiality, integrity, availability, and resilience of processing systems. The applicability of the law follows the data, rather than following a person or location, so organizations worldwide will be held accountable for complying with the law. 

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that governs the access and privacy of educational information and records, such as grades, class lists, student course schedules, and student financial records. The educational records that an organization creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. FERPA compliance protects the confidentiality, integrity, and availability of educational records. 

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation, enacted as part of the Electronic Government Act of 2002. FISMA’s intent is to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA is the law; NIST Special Publication 800-53, Security Controls for Federal Information Systems and Organizations, is the standard that contains the individual security controls FISMA requires organizations to comply with. FISMA compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor.

HITRUST

The HITRUST Common Security Framework, or CSF, is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to provide a solution to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a framework that was built from what works within other standards and authoritative sources, like ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, just to name a few. It was also built on risk management principles and aligns with existing, relevant controls and requirements. It’s scalable depending on organizational, system, and regulatory factors.

SOC for Cybersecurity

A SOC for Cybersecurity examination is how a CPA firm can report on an organization’s cybersecurity risk management program and verify the effectiveness of internal controls to meet cybersecurity objectives, with the intention of giving stakeholders perspective and confidence in an organization’s cybersecurity risk management program. 

This examination is for any organization who wishes to provide their board of directors, analysts, investors, business partners, industry regulators, or users with perspective and confidence in their cybersecurity risk management program. 

Partner with KirkpatrickPrice for Your Next Audit

We hope this post makes choosing the right audit framework a little less complicated so starting your audit is easier.  If you still need help figuring out which framework best applies to your organization, just give us a call.

When you work with KirkpatrickPrice, you can stop feeling like you are going to miss something or be surprised when a client or attacker finds something that wasn’t in your report. You can stop feeling worried that you’re wasting your time using someone who’s not advanced enough to thoroughly test your environment. Instead, you’ll have a report that gets you ready for your next steps, allows you to say yes to client requests, and brings you the assurance you deserve. Cybersecurity and compliance will no longer be a mystery. 

Auditor Insights Webinar Recap

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established to protect credit and debit card transactions from fraud and data breaches. The standard is updated regularly to adapt to new security threats and changes in technology.

Version 4.0 will be released and required by March 2025.  In this webinar hosted by PCI expert Randy Bartels, we explore the most impactful changes in this updated version.  This blog will summarize the major changes, and the full recording of the webinar is available for you to watch at the end.

PCI DSS v4.0 Overview

There are four goals of this new version:

  • Continue to meet the security needs of the payment industry
  • Promote security as a continuous process
  • Add flexibility for different approaches
  • Enhance the validation methods

You can learn more about this version at the Council’s Resource Hub and KirkpatrickPrice’s PCI DSS Resource Page.

Summary of Changes

There are 64 new requirements in PCI version 4.0.  53 are applicable to everyone, and 11 are only applicable to service providers.   All of these new requirements must be in place by March 31, 2025, and it is recommended that any assessment after March 31, 2024, be performed against version 4.

Some notable changes to PCI DSS v4.0 include:

  • Retention of Sensitive Authentication Data (SAD)
  • Encryption of cardholder data (CHD)
  • Authenticated vulnerability scans
  • Application security
  • Targeted risk analysis
  • User access reviews
  • User authentication changes
  • Automated log reviews
  • Anti-phishing requirements
  • Virus scanning when inserting removable media
  • Detecting failures of critical security controls
  • Security awareness training enhancements
  • Incident response program enhancements

Let’s dive a little deeper into the specific changes we believe will be the most impactful:

Increased flexibility: Defined vs. Customized Approach

Version 4.0 aims to provide more flexibility in how organizations can implement the requirements while still maintaining the same level of security.  The defined approach is how PCI has always been conducted: a prescribed, point-by-point approach.  Compensating controls can be used if there are any constraints.  The new customized approach allows risk-mature organizations to use DIY controls to meet control objectives.  Appendices D and E provide additional documentation.

Improved scoping and segmentation

Version 4.0 provides more guidance on scoping and segmentation of the cardholder data environment to ensure that all systems and components are properly protected.  Control 12.5.2 states that, “PCI DSS scope is documented and confirmed at least once every 12 months.”  This means that scope comes first.  There are seven items that need to be validated annually or semi-annually for service providers.

Stronger Encryption of Stored Cardholder Data

If hashes are used, hashes must be based on keyed cryptographic hashing algorithms and backed by an encryption key that is managed per key management requirements. This applies anywhere a hash of the PAN is stored – databases, audit logs, backups, etc.
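The difference between an unkeyed and a keyed hash of a PAN is worth seeing in code. The example below is added here and is not from the webinar, KirkpatrickPrice, or the PCI Council; it uses HMAC-SHA256 as the keyed algorithm, the `PAN_HMAC_KEY` environment variable as a stand-in for a real key management system, and a constructed test card number. With an unkeyed digest, anyone who obtains it can check candidate PANs against it, because the digest alone is enough to verify a guess; with HMAC, verification is impossible without the key, which is why the key, not the digest, becomes the thing that must be managed.

```python
# Added example: keyed (HMAC) hashing of a PAN versus an unkeyed SHA-256.
# Key handling here is a stand-in for a proper key management system.
import hashlib
import hmac
import os


def unkeyed_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN: deterministic and verifiable by anyone
    holding the digest, so the digest itself must be treated as sensitive."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN. The digest is useless without the key,
    so protecting and rotating the key is what the control depends on."""
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def load_key() -> bytes:
    """Stand-in for key management (assumption: hex key in PAN_HMAC_KEY).
    In practice the key lives in an HSM or KMS, is rotated on a schedule,
    and is never stored next to the hashed data it protects."""
    hex_key = os.environ.get("PAN_HMAC_KEY")
    if hex_key is None:
        raise RuntimeError("PAN_HMAC_KEY is not set")
    return bytes.fromhex(hex_key)


def matches(pan: str, stored_digest: str, key: bytes) -> bool:
    """Constant-time check of a PAN against a stored keyed digest
    (e.g. for a lookup that must not reveal the PAN itself)."""
    return hmac.compare_digest(keyed_hash(pan, key), stored_digest)


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed test number, not a real card
    key = load_key()
    digest = keyed_hash(TEST_PAN, key)
    print("unkeyed:", unkeyed_hash(TEST_PAN))
    print("keyed:  ", digest)
    print("match:  ", matches(TEST_PAN, digest, key))
```

Because the requirement applies everywhere a PAN hash lands (databases, audit logs, backups), the same `keyed_hash` should be the only path that produces such a value, and a key rotation means re-hashing stored digests, which is another reason the key has to be managed rather than hard-coded.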

Additionally, disk encryption can no longer be the only means for encrypting CHD. Another method of encryption from requirement 3.5.1 will need to be employed.

Retention of Sensitive Authentication Data (SAD)

Retention of Sensitive Authentication Data after authorization has always been prohibited. Sensitive Authentication Data includes Track Data, security codes, and PIN blocks.  The new requirements apply to storing SAD before authorization. Data retention policies need to address the retention of SAD during pre-authorization.  All SAD stored during pre-authorization must be encrypted with strong cryptography.

Vulnerability Management

All internal vulnerability scans must now authenticate to the system.  The scanner should have privileged access.  Historically, internal vulnerability scans have been “anonymous, network-based scans.”  They query the IP address for open ports and then test each port for vulnerabilities.  With authenticated scans, the scanning tool logs into the system as a privileged user and directly queries.  This is a much more thorough scan, and that means there could be a significant increase in findings.

Application Security

A web application firewall is required. Change and tamper detection for all payment pages is now required.
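One way to implement change and tamper detection for a payment page is to baseline the scripts the page loads and compare every later fetch against that baseline. The example below is added here and is not from the webinar, KirkpatrickPrice, or the PCI Council; the two HTML documents are constructed sample pages, and the external script URLs in them are placeholders. It records each external script by URL plus its `integrity` attribute and each inline script by a hash of its body, then reports scripts that were added, removed, or changed.

```python
# Added example: baseline-and-compare detection of script changes on a
# payment page. Sample HTML is constructed; URLs are placeholders.
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script (src, integrity) pairs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # list of (src, integrity or None)
        self.inline = []     # list of inline script bodies
        self._buf = None     # body of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def fingerprint(html: str) -> dict:
    """Map each script on the page to a digest: external scripts by URL plus
    integrity attribute, inline scripts (inline#n) by a hash of their body."""
    p = ScriptCollector()
    p.feed(html)
    fp = {}
    for src, integrity in p.external:
        fp[src] = hashlib.sha256(f"{src}|{integrity or ''}".encode()).hexdigest()
    for i, body in enumerate(p.inline):
        fp[f"inline#{i}"] = hashlib.sha256(body.encode()).hexdigest()
    return fp


def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare a fresh fingerprint against the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


# Constructed sample: the approved payment page ...
BASELINE_HTML = """<html><body>
<form id="pay"><input name="pan"></form>
<script src="https://pay.example.com/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.pay = {merchant: "M-1"};</script>
</body></html>"""

# ... and a later fetch where the inline script changed and a script was added.
LATER_HTML = """<html><body>
<form id="pay"><input name="pan"></form>
<script src="https://pay.example.com/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.pay = {merchant: "M-1"}; /* constructed change */</script>
<script src="https://cdn.example.net/unexpected.js"></script>
</body></html>"""

if __name__ == "__main__":
    report = detect_changes(fingerprint(BASELINE_HTML), fingerprint(LATER_HTML))
    for kind, keys in report.items():
        for k in keys:
            print(f"{kind.upper():8} {k}")
```

In use, the baseline is regenerated only through the change-control process, and any non-empty report is an alert. Hashing the URL and `integrity` attribute covers changes to the page itself; a production check would also fetch each external script and hash its content, since an unchanged URL can still serve changed code.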

Anti-Phishing Controls

With version 4, there is a new set of controls to help prevent phishing attacks. Technical controls need to be implemented to detect and prevent phishing attacks.  Additionally, phishing- and social-engineering-specific security awareness training needs to occur.

Multi-Factor Authentication

Currently, multi-factor authentication (MFA) is required for all non-console administrative access as well as all remote (e.g., SSLVPN) user access. Starting in 2025, all access to the Cardholder Data Environment must require MFA. Remote access MFA will still be required.

Targeted Risk Analysis

Many requirements now allow you to define the frequency of various controls, such as anti-virus scanning or password expiration limitations. To go along with this flexibility, the PCI Council also instituted what they’re calling a “targeted risk analysis” or TRA. This new TRA completely replaces the “enterprise-wide risk assessment” requirement in 12.2.  Many other security frameworks will still require such a thing, but PCI is now looking for something that speaks directly to the risks to CHD.  Make sure you listen to the full webinar recording (link below) to walk through an example of how to perform a TRA for one of the six items it applies to.

Successfully Prepare for the PCI DSS Changes with KirkpatrickPrice

We understand that the upcoming PCI changes can feel intimidating.  We hope that our webinar, and its subsequent recap, help make it more manageable.  Overall, the changes to PCI DSS version 4.0 reflect the ongoing evolution of security threats and the need to adapt to new technologies and business practices while maintaining a strong security posture.

Check out the full recording of our webinar to dive even deeper into the changes coming to PCI.  If you still have questions, our PCI experts are ready to help.  

Connect with one of our experts today!

We are wired to avoid failure.  We often do everything in our power to make sure we will succeed at whatever endeavor we embark on and can even become terrified at the possibility of failure.

The same is true of an audit – everyone starts their audit journey hoping they won’t fail.  “Are we going to fail?” is such a common question amongst our clients, and we understand that feeling. It’s a scary process, and you want to do well, either to prove to your boss that you’re doing your job well or to prove to a potential client that partnering with you is the right choice. We understand there are serious consequences for not passing or completing a successful audit.

But can we let you in on an auditing secret? Failure is actually a good thing.

Failure in an audit doesn’t mean you aren’t successful. It means you found a vulnerability or gap that could have led to a real breach that threatens the stability of your business or costs you thousands, if not millions, of dollars.

We know this feels backwards, so let’s dive into why “failing” in your audit could be the best thing that ever happened to your business.

1. You Can’t Actually Fail an Audit

Audits aren’t pass or fail, but we understand that you want a clean audit report so you can show off the strength of your security program.

If you are pursuing a SOC 1 or SOC 2 audit, you will receive an opinion issued by an independent auditor that speaks to the design and operating effectiveness of your organization’s security program.  This means that as an auditor is testing your controls, they are looking to see whether the control is compliant with the framework you are being audited against and whether it is working as you intended.

We know that compliance is complicated.  An audit with KirkpatrickPrice allows you to work with an experienced partner who can assure you that your security program is designed correctly and securely.   

In your audit report, each control objective will outline whether any exceptions were found during testing.  An exception on your audit report means that the control was working as intended except for one thing.  For example, if your organization claims that every visitor to your facility must sign into a book documenting their visit, but your auditor arrives on site and isn’t asked to sign in, that would be an exception.  Your auditor would see that the control was not being implemented as intended, or operating effectively, even though it was required by a policy.

This type of discovery, along with any other exceptions noted, allows organizations to double-check themselves against the controls required of them by their own policies as well as by industry standards and frameworks.  Maybe the company in the example above knew that recording visitors was a requirement, but the execution of that task was never assigned to anyone.  Now the organization can make sure the front desk employee knows they are responsible for signing in each visitor in order to keep the facility safe.

2. Failure Exposes Potential Threats

Not all exceptions are as low stakes as not signing into a visitor log.  What if your company’s IT department has spent months designing and implementing a cloud environment that is perfectly configured to meet your company’s needs, and then you experience a breach from one misconfiguration that leaks huge amounts of valuable internal data?

That’s exactly what happened to the U.S. Department of Defense when a misconfiguration of one of their internal servers left the server without a password and therefore accessible to anyone on the internet who knew its IP address.

That is risky. It would have been even riskier if it hadn’t been caught.  A quality audit can identify vulnerabilities like this to ensure you aren’t unknowingly leaving yourself and your data vulnerable.

If this vulnerability had gone unnoticed, special military operations and intel could have been found online, making the whole country vulnerable.

No one would say finding that misconfiguration is a failure.  While it may have been mistakenly configured, we all know mistakes happen.  What matters is that you are committed to finding and remediating those mistakes before they become a threat.

And when your data is as important as internal military data, finding a mistake like this saves the day.  It leads to success.  The Department of Defense should constantly be searching for misconfigurations so they can be sure they’re taking every precaution to keep their valuable data safe, and so should you.

An audit is simply one of the tools you can use to verify that the way you keep your data safe is actually doing that. Choosing to work with an experienced information security auditor is a great way to make sure your controls are being tested thoroughly so that your organization knows its security program is designed well and operating effectively.  This gives you a chance to inspire the entire organization to show a greater commitment to security and compliance and will give you assurance that you are doing everything you can to protect your business.

3. Failure Inspires Greater Commitment to Security

When you experience failure, you are given the chance to grow. When your organization receives exceptions in your audit report, don’t see them as marks of failure.  Use them as a way to inspire your organization to show an even greater commitment to security to both internal employees and clients.

When your organization faces its exceptions or findings as a challenge to overcome, the remediation process demonstrates to your clients that you are committed to maintaining the strongest, most secure system possible. Once you remediate your findings, your organization can be confident in the security of its controls, and your clients will feel comfortable trusting you with their valuable data.

Continuously engaging in yearly audits will assure your organization that your security and compliance program is keeping your valuable data secure and that it is growing and maturing appropriately.

When you work with KirkpatrickPrice, you can make sure your audit will end in success.

When you undergo an audit, you can’t lose. One of our clients recently said,

“If we fail, it will be good for us.”

We hope that you can see the truth in this statement. You aren’t a failure if your auditor identifies an exception.  These exceptions, when remediated properly, give you the power to strengthen your security measures and protect your valuable data from a threat you didn’t even know was possible.

You aren’t a failure. And your audit findings only make you stronger if you let them.

Failure gives you the opportunity to create an even more secure environment.

When we work together, we will partner with you to turn these vulnerabilities into your greatest strengths.  Connect with one of our experts today and make your organization unstoppable in the face of today’s threats.