Unfortunately, one of the few things we can rely on in the cybersecurity world is that threats are always looming.  We know that it is a matter of when, not if, your business will undergo an attack.  Have you planned for that? Is your organization prepared to face the unexpected and still land on its feet?

A well developed and properly tested business continuity plan (BCP) and disaster recovery (DR) plan is the best way to prepare to face the unexpected.  In this blog, we’ll recap our BCP + DR webinar by Todd Atnip so your organization can feel prepared to face today’s threats confidently.

Threat Overview

Again, threats are everywhere and they are becoming more advanced every day. The 2023 estimated global cost of cybercrime is $8 trillion.  This is the greatest transfer of economic wealth in human history.  It is more profitable than the global trade of all major illegal drugs combined.

Ransomware is expected to cost its victims $265 billion annually by 2031, with a new attack (on consumers and organizations) every 2 seconds.  Ransomware perpetrators are progressively refining their malware payloads and related extortion activities. If you stacked that many one-dollar bills together, the pile would be 18,000 miles long – almost as high into space as commercial communications satellites.

In addition to these external threats, organizational disconnect is the most common threat businesses face.  There is a huge gap between the business continuity plans created by business execs and the integration of those plans by actual cybersecurity leaders.  92% of business execs agree that business continuity is integrated into enterprise risk management strategies. Only 55% of cybersecurity leaders (those implementing the controls) surveyed agreed.

Luckily, this is also the most solvable threat. By creating and implementing a BCP, testing it properly, and training all involved parties, businesses can be confident in the controls and practices they’ve created to protect their hard work and valuable data.  Let’s dive into how to do that.

The Documents

There are a few documents and procedures that must be created to have a formally documented business continuity or disaster recovery plan: the plan itself, a business impact analysis, and an action plan. 

Let’s define each of these:

What is a Business Continuity & Disaster Recovery Plan?

A deliberate and actionable strategy to ensure service delivery in the event of a major disruptive event impacting essential business functions, processes, or technologies.

What is a Business Impact Analysis?

A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption.

Why is it important?

You need to understand what you’re protecting, the impact of losing those things, how long it will take you to recover, and the expectations around recovery.

The ability to effectively prioritize activities when executing a BCP/DR plan is driven by the BIA.  Additionally, the BIA assesses and informs on recovery time requirements (RTO / RPO).  These should be performed at function or process levels at least and sometimes at asset levels.  A key outcome of this activity is reconciling any disagreements on recovery priorities.

Most organizations use IT and technology resources as a shared service.  Each major division or function of a company shares the same IT resources.  So, in a disaster scenario, who gets their stuff back first?  The BIA is a major resource your organization can use to inform these types of decisions. 

The second important thing this exercise does is reveal any disconnects between business expectations of recovery and actual capability to meet those expectations.  If you transact a large portion of your business via email and your PST file is 2 TB, you can’t have the business believing in a 2–4-hour RTO unless you’ve implemented a backup and recovery strategy that aligns with that expectation.  Physical limitations must also be discussed in terms of RTO/RPO.
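The BIA-driven reconciliation described above, as an added example that is not part of the original webinar or post: a small BIA table is checked against measured backup capability to surface RTO/RPO gaps (including the 2 TB mailbox case) and to answer the "who gets their stuff back first" question by RTO. All functions, sizes and throughput figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class BiaEntry:
    """One row of a business impact analysis (constructed, hypothetical fields)."""
    function: str
    rto_hours: float              # business expectation: hours until the function is back
    rpo_hours: float              # business expectation: tolerable data-loss window
    data_tb: float                # data that must be restored to bring the function back
    restore_tb_per_hour: float    # measured restore throughput of the current backup system
    backup_interval_hours: float  # how often backups actually run today


# Constructed sample BIA; the 2 TB mailbox store mirrors the example in the text.
SAMPLE_BIA = [
    BiaEntry("Email (2 TB PST store)", rto_hours=4, rpo_hours=24,
             data_tb=2.0, restore_tb_per_hour=0.25, backup_interval_hours=24),
    BiaEntry("Order processing database", rto_hours=2, rpo_hours=1,
             data_tb=0.3, restore_tb_per_hour=0.25, backup_interval_hours=24),
    BiaEntry("Departmental file shares", rto_hours=24, rpo_hours=24,
             data_tb=5.0, restore_tb_per_hour=0.25, backup_interval_hours=24),
]


def restore_hours(entry: BiaEntry) -> float:
    """Physical restore time implied by data volume and measured throughput."""
    return entry.data_tb / entry.restore_tb_per_hour


def reconcile(entries: list[BiaEntry]) -> list[str]:
    """Return one message per disconnect between business expectation and capability.

    An RTO gap means the restore cannot physically finish inside the promised window;
    an RPO gap means backups run less often than the tolerable data-loss window.
    """
    gaps = []
    for e in entries:
        hours = restore_hours(e)
        if hours > e.rto_hours:
            gaps.append(f"{e.function}: restore takes ~{hours:.1f} h at "
                        f"{e.restore_tb_per_hour} TB/h, but the RTO is {e.rto_hours} h")
        if e.backup_interval_hours > e.rpo_hours:
            gaps.append(f"{e.function}: backups run every {e.backup_interval_hours} h, "
                        f"which cannot meet an RPO of {e.rpo_hours} h")
    return gaps


def recovery_order(entries: list[BiaEntry]) -> list[str]:
    """Recovery priority for shared IT resources: shortest RTO first."""
    return [e.function for e in sorted(entries, key=lambda e: e.rto_hours)]


if __name__ == "__main__":
    for gap in reconcile(SAMPLE_BIA):
        print("GAP:", gap)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
```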

What is an Actionable Plan?

A framework that contains all categories of action required to make sure the essential elements of your service delivery are recovered in a timely and effective manner.  This plan should be actionable, not overwhelming.

The key elements in this plan are:

  • Clear disaster declaration criteria
    • Make sure you clarify the difference between an incident and a disaster as well as the response plans to each.
  • Role definition
    • Who is leading this team and who else is on it? What are they responsible for?
  • Communication essentials
    • Define how communication should take place, who should be contacted and in what order, and who is responsible for these communications.
  • Restoration procedures
    • You should have more details here about how to restore technology and business processes.  But remember to still make it simple, actionable, and understandable.
  • Testing cycles
    • You have to test your plan at least annually.
    • Normally a tabletop exercise is used, but simulations are also a good option (but generally not required by audit frameworks).
  • Detailed appendices
    • This is generally for reference material that may be needed at some point (e.g., contact lists, technology diagrams). Putting these things in an appendix keeps the noise out of the main plan, since they are not constantly needed.

Key Components of a Business Continuity and Disaster Recovery Plan

While there are several elements of a BCP and DR plan, they all fit into 4 categories:

  1. Technology
  2. People
  3. Facilities
  4. Supply Chain

When these four areas are accounted for, you can be confident that all areas of your business are covered.  Make sure to listen to the recording for more details on these areas!

Test, Test, Test Again!

Plans that are not tested are not plans: they are aspirations. They are ambitions and hopes.

Additionally, most major audit frameworks require testing as one of the controls that should be in operation.

Test relevant scenarios based on your organizational risk assessment.  Ask, “What are the most likely scenarios for you?”

If you have high availability in the cloud, prove it.  Fail over a small, low-risk part of your service delivery to the high availability (HA) component and make sure it works.

Finally, remember that having something in place doesn’t guarantee capability.  Everything deserves to be tested. Only then can you be confident in its functionality and ability to protect your business.

Expect the Unexpected

Adopt the “when not if” mindset.  Create a business continuity and disaster recovery plan that protects all of your assets.  Communicate it to all parties that need to be involved.  Test it thoroughly.

If you need additional help creating or testing your recovery plans, connect with one of our experts.  Let us review your BCP and make sure you’re ready for the unexpected. 

We know that when it comes to threats you want to make sure that you’re ready. In order to do that, you need a quality cybersecurity and compliance audit report that gives you results you can trust.  

The problem is choosing the right framework for your business and unique data needs can be complicated.  There are so many frameworks and regulations to learn about and sift through to see what best applies to your business. You’re probably asking yourself: What do they all mean? Which framework or regulation does my organization need to comply with? Which one best suits my organization’s needs?  

In this post, you’ll learn about the most common information security frameworks, who they apply to, and how they can benefit your organization.

Commonly Used Frameworks

Deciding to undergo an information security audit can be daunting for the sole reason that there are so many frameworks and regulations to learn about. Let’s break down the most common frameworks and how they could benefit your organization.

SOC 1

A SOC 1 audit is performed in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18). SOC 1 reports are designed to report on the controls at a service organization that could impact their clients’ financial statements. A SOC 1 audit is not a review of a service organization’s financial statements, but rather a review of internal controls over financial reporting.

SOC 2

As a service provider, how do you validate the security of your services? A SOC 2 audit evaluates internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. These five established categories, known as the Trust Services Criteria, address questions like: How are your policies and procedures documented relative to the standard? How do you communicate them to all interested parties? How do you monitor that those controls are being performed effectively?

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a robust information security standard that encourages and enhances cardholder data security by providing industry-recognized data security measures. In other words, a PCI audit is an information security audit focused on the protection of credit card data. All PCI audits must be performed by a PCI Qualified Security Assessor (QSA) and are designed to test whether an organization is compliant with the 12 technical and operational requirements established to protect cardholder data.

ISO 27001

Organizations across the globe can benefit from an ISO 27001 audit. It’s the gold standard for information security and can be applied in any vertical. Its implementation is customized to each organization’s needs to treat its particular risks. Completing an ISO 27001 audit allows organizations to demonstrate to their business partners that a mature, risk-based information security program is in place.

HIPAA

All covered entities and business associates who process, store, or transmit protected health information (PHI) and electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates are responsible for securing the PHI or ePHI that they hold. If you are a covered entity or a business associate, you must decide which HIPAA laws apply to you – Security, Privacy, or Breach Notification laws. 

GDPR

The European Union’s General Data Protection Regulation (GDPR) is considered to be one of the most significant information security and privacy laws of our time. Born out of cybercrime threats, technology advances, and concerns about data misuse, GDPR requires all data controllers and data processors that handle the personal data of data subjects to implement a program that ensures the ongoing confidentiality, integrity, availability, and resilience of processing systems. The applicability of the law follows the data, rather than following a person or location, so organizations worldwide will be held accountable for complying with the law. 

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that governs the access and privacy of educational information and records, such as grades, class lists, student course schedules, and student financial records. The educational records that an organization creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. FERPA compliance protects the confidentiality, integrity, and availability of educational records. 

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation, enacted as part of the Electronic Government Act of 2002. FISMA’s intent is to protect government information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA is the law; NIST Special Publication 800-53, Security Controls for Federal Information Systems and Organizations, is the standard that contains the individual security controls FISMA requires organizations to comply with. FISMA compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor.

HITRUST

The HITRUST Common Security Framework, or CSF, is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed in response to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It was built from what works within other standards and authoritative sources, such as ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, to name a few. It was also built on risk management principles and aligns with existing, relevant controls and requirements. It is scalable depending on organizational, system, and regulatory factors.

SOC for Cybersecurity

A SOC for Cybersecurity examination is how a CPA firm can report on an organization’s cybersecurity risk management program and verify the effectiveness of internal controls to meet cybersecurity objectives, with the intention of giving stakeholders perspective and confidence in an organization’s cybersecurity risk management program. 

This examination is for any organization that wishes to provide its board of directors, analysts, investors, business partners, industry regulators, or users with perspective and confidence in its cybersecurity risk management program.

Partner with KirkpatrickPrice for Your Next Audit

We hope this post makes choosing the right audit framework a little less complicated so starting your audit is easier.  If you still need help figuring out which framework best applies to your organization, just give us a call!  

When you work with KirkpatrickPrice, you can stop feeling like you are going to miss something or be surprised when a client or attacker finds something that wasn’t in your report. You can stop feeling worried that you’re wasting your time using someone who’s not advanced enough to thoroughly test your environment. Instead, you’ll have a report that gets you ready for your next steps, allows you to say yes to client requests, and brings you the assurance you deserve. Cybersecurity and compliance will no longer be a mystery.   

Auditor Insights Webinar Recap

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established to protect credit and debit card transactions from fraud and data breaches. The standard is updated regularly to adapt to new security threats and changes in technology.

Version 4.0 will be released and required by March 2025.  In this webinar hosted by PCI-expert Randy Bartels, we explore the most impactful changes in this updated version.  This blog will summarize the major changes, and the full recording of the webinar is available for you to watch at the end.

PCI DSS v4.0 Overview

There are four goals of this new version:

  • Continue to meet the security needs of the payment industry
  • Promote security as a continuous process
  • Add flexibility for different approaches
  • Enhance the validation methods

You can learn more about this version at the Council’s Resource Hub and KirkpatrickPrice’s PCI DSS Resource Page.

Summary of Changes

There are 64 new requirements in PCI version 4.0.  53 are applicable to everyone, and 11 are only applicable to service providers.   All of these new requirements must be in place by March 31, 2025, and it is recommended that any assessment after March 31, 2024, be performed against version 4.

Some notable changes to PCI DSS v4.0 include:

  • Retention of Sensitive Authentication Data (SAD)
  • Encryption of cardholder data (CHD)
  • Authenticated vulnerability scans
  • Application security
  • Targeted risk analysis
  • User access reviews
  • User authentication changes
  • Automated log reviews
  • Anti-phishing requirements
  • Virus scanning when inserting removable media
  • Detecting failures of critical security controls
  • Security awareness training enhancements
  • Incident response program enhancements

Let’s dive a little deeper into the specific changes we believe will be the most impactful:

Increased flexibility: Defined vs. Customized Approach

Version 4.0 aims to provide more flexibility in how organizations can implement the requirements while still maintaining the same level of security.  The defined approach is how PCI has always been conducted: a prescribed, point-by-point approach.  Compensating controls can be used if there are any constraints.  The new customized approach allows risk-mature organizations to use controls of their own design to meet the control objectives.  Appendices D and E provide additional documentation.

Improved scoping and segmentation

Version 4.0 provides more guidance on scoping and segmentation of the cardholder data environment to ensure that all systems and components are properly protected.  Control 12.5.2 states that, “PCI DSS scope is documented and confirmed at least once every 12 months.”  This means that scope comes first.  There are seven items that need to be validated annually or semi-annually for service providers.

Stronger Encryption of Stored Cardholder Data

If hashes are used, hashes must be based on keyed cryptographic hashing algorithms and backed by an encryption key that is managed per key management requirements. This applies to anywhere where a hash of the PAN is stored – databases, audit logs, backups, etc.

Additionally, disk encryption can no longer be the only means for encrypting CHD. Another method of encryption from requirement 3.5.1 will need to be employed.
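To make the keyed-hash requirement concrete, here is an added example (not code from the webinar, the post, or the PCI Security Standards Council): a PAN is hashed with HMAC-SHA256 under a managed key, the stored value carries a key identifier so the key can be rotated, and comparisons are constant-time. The key values, key identifiers and the classic test PAN are constructed; real keys would come from an HSM or key-management service under the key-management requirements the text refers to.

```python
import hashlib
import hmac

# Constructed, hypothetical key store: key id -> 256-bit key.  Fixed bytes are used
# only so the example is deterministic; never hard-code real keys like this.
KEYS = {
    "k1": bytes.fromhex("11" * 32),  # hypothetical retired key
    "k2": bytes.fromhex("22" * 32),  # hypothetical current key
}
CURRENT_KEY_ID = "k2"


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is hashed (Luhn mod-10 check, 13-19 digits)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep only the BIN and the last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_pan_hash(pan: str, key_id: str = CURRENT_KEY_ID) -> str:
    """Keyed hash of the PAN (HMAC-SHA256), prefixed with the id of the key used.

    Without the key, the stored value cannot be recomputed from a candidate PAN,
    which is what distinguishes this from the plain hashes v4.0 no longer accepts.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    mac = hmac.new(KEYS[key_id], pan.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{key_id}${mac}"


def pan_matches(pan: str, stored: str) -> bool:
    """Constant-time check of a presented PAN against a stored keyed hash."""
    key_id, _, mac = stored.partition("$")
    if key_id not in KEYS:
        return False
    expected = hmac.new(KEYS[key_id], pan.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def rehash_under_current_key(pan: str, stored: str) -> str:
    """Key rotation: when a record is matched with a live PAN, move it to the current key."""
    if not pan_matches(pan, stored):
        raise ValueError("stored hash does not match the presented PAN")
    return keyed_pan_hash(pan, CURRENT_KEY_ID)


def unkeyed_pan_hash(pan: str) -> str:
    """Shown for contrast only: anyone can recompute this without any secret."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed, widely published test number
    stored = keyed_pan_hash(test_pan)
    print(mask_pan(test_pan), "->", stored)
    print("match:", pan_matches(test_pan, stored))
```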

Retention of Sensitive Authentication Data (SAD)

Retention of Sensitive Authentication Data after authorization has always been prohibited. Sensitive Authentication Data includes Track Data, security codes, and PIN blocks.  The new requirements apply to storing SAD before authorization. Data retention policies need to address the retention of SAD during pre-authorization.  All SAD stored during pre-authorization must be encrypted with strong cryptography.

Vulnerability Management

All internal vulnerability scans must now authenticate to the system.  The scanner should have privileged access.  Historically, internal vulnerability scans have been “anonymous, network-based scans.”  They query the IP address for open ports and then test each port for vulnerabilities.  With authenticated scans, the scanning tool logs into the system as a privileged user and queries it directly.  This is a much more thorough scan, and that means there could be a significant increase in findings.

Application Security

A web application firewall is required. Change and tamper detection for all payment pages is now required.

Anti-Phishing Controls

With version 4, there is a new set of controls to help prevent phishing attacks. Technical controls need to be implemented to detect and prevent phishing attacks.  Additionally, phishing- and social engineering-specific security awareness training needs to occur.

Multi-Factor Authentication

Currently, multi-factor authentication (MFA) is required for all non-console administrative access as well as all remote (e.g., SSLVPN) user access. Starting in 2025, all access to the Cardholder Data Environment must require MFA. Remote access MFA will still be required.

Targeted Risk Analysis

Many requirements now allow you to define the frequency of various controls, such as anti-virus scanning or password expiration limits. To go along with this flexibility, the PCI Council also instituted what they’re calling a “targeted risk analysis” or TRA. This new TRA completely replaces the “enterprise-wide risk assessment” requirement in 12.2.  Many other security frameworks will still require such an assessment, but PCI is now looking for something that speaks directly to the risks to CHD.  Make sure you listen to the full webinar recording (link below) to walk through an example of how to perform a TRA for one of the six items it applies to.

Successfully Prepare for the PCI DSS Changes with KirkpatrickPrice

We understand that the upcoming PCI changes can feel intimidating.  We hope that our webinar, and its subsequent recap, help make it more manageable.  Overall, the changes to PCI DSS version 4.0 reflect the ongoing evolution of security threats and the need to adapt to new technologies and business practices while maintaining a strong security posture.

Check out the full recording of our webinar to dive even deeper into the changes coming to PCI.  If you still have questions, our PCI experts are ready to help.  

Connect with one of our experts today!

We are wired to avoid failure.  We often do everything in our power to make sure we will succeed at whatever endeavor we embark on and can even become terrified at the possibility of failure.

The same is true of an audit – everyone starts their audit journey hoping they won’t fail.  “Are we going to fail?” is such a common question amongst our clients, and we understand that feeling. It’s a scary process, and you want to do well, either to prove it to your boss that you’re doing your job well or to prove to a potential client relationship that your partnership is the right choice. We understand there are serious consequences for not passing or completing a successful audit.

But can we let you in on an auditing secret? Failure is actually a good thing.

Failure in an audit doesn’t mean you aren’t successful. It means you found a vulnerability or gap that could have led to a real breach that threatens the stability of your business or costs you thousands, if not millions, of dollars.

We know this feels backwards, so let’s dive into why “failing” in your audit could be the best thing that ever happened to your business.

1. You Can’t Actually Fail an Audit

Audits aren’t pass or fail, but we understand that you want a clean audit report so you can show off the strength of your security program.

If you are pursuing SOC 1 or SOC 2 audit, you will receive an opinion issued by an independent auditor that speaks to the operating effectiveness and design of your organization’s security program.  This means that as an auditor is testing your controls, they are looking to see if the control is compliant with the framework you are being audited against and if it is working as you intended. 

We know that compliance is complicated.  An audit with KirkpatrickPrice allows you to work with an experienced partner who can assure you that your security program is designed correctly and securely.   

In your audit report, each control objective will outline if there were any exceptions found during testing.  An exception on your audit report means that the control was working as intended except for one thing.  For example, if your organization claims that every visitor that comes to your facility must sign into a book documenting their visit, but your auditor arrives on site and isn’t asked to sign-in, that would be an exception.  Your auditor would see that the control was not being implemented as intended, or operating effectively, even if it was required by a policy. 

This type of discovery, and any other exceptions noted, allow organizations to double check themselves against the controls required of them by their own policies as well as industry standards and frameworks.  Maybe the company mentioned in the example above knew that recording visitors was a requirement, but the execution of that task was never assigned.  Now the organization can make sure the front desk employee knows they are responsible for signing-in each visitor in order to keep the facility safe.

2. Failure Exposes Potential Threats

Not all exceptions are as low stakes as not signing into a visitor log.  What if your company’s IT department has spent months designing and implementing a cloud environment that is perfectly configured to meet your company’s needs, and then you experience a breach from one misconfiguration that leaks huge amounts of valuable internal data?

That’s exactly what happened to The U.S. Department of Defense when a misconfiguration of one of their internal servers left the server without a password and therefore accessible to anyone on the internet who knew its IP address.

That is risky. It would have been even riskier if it hadn’t been caught.  A quality audit can identify vulnerabilities like this to ensure you aren’t unknowingly leaving yourself and your data vulnerable.

If this vulnerability had gone unnoticed, special military operations and intel could have been found online, making the whole country vulnerable.

No one would say finding that misconfiguration is a failure.  While it may have been mistakenly configured, we all know mistakes happen.  What matters is that you are committed to finding and remediating those mistakes before they become a threat.

And when your data is as important as internal military data, finding a mistake like this saves the day.  It leads to success.  The Department of Defense should constantly be searching for misconfigurations so they can be sure they’re taking every precaution to keep their valuable data safe, and so should you.

An audit is simply one of the tools you can use to verify that the way you keep your data safe is actually doing that. Choosing to work with an experienced information security auditor is a great way to make sure your controls are being tested thoroughly so that your organization knows its security program is designed well and operating effectively.  This gives you a chance to inspire the entire organization to show a greater commitment to security and compliance and will give you assurance that you are doing everything you can to protect your business.

3. Failure Inspires Greater Commitment to Security

When you experience failure, you are given the chance to grow. When your organization receives exceptions in your audit report, don’t see them as marks of failure.  Use them as a way to inspire your organization to show an even greater commitment to security to both internal employees and clients.

When your organization faces its exceptions or findings as a challenge to overcome, the remediation process demonstrates to your clients that you are committed to maintaining the strongest, most secure system possible. Once you remediate your findings, your organization can be confident in the security of its controls, and your clients will feel comfortable trusting you with their valuable data.

Continuously engaging in yearly audits will assure your organization that your security and compliance program is keeping your valuable data secure and that it is growing and maturing appropriately.

When you work with KirkpatrickPrice, you can make sure your audit will end in success.

When you undergo an audit, you can’t lose. One of our clients recently said,

“If we fail, it will be good for us.”

We hope that you can see the truth in this statement. You aren’t a failure if your auditor identifies an exception.  These exceptions, when remediated properly, give you the power to strengthen your security measures and protect your valuable data from a threat you didn’t even know was possible.

You aren’t a failure. And your audit findings only make you stronger if you let them.

Failure gives you the opportunity to create an even more secure environment.

When we work together, we will partner with you to turn these vulnerabilities into your greatest strengths.  Connect with one of our experts today and make your organization unstoppable in the face of today’s threats.

Audits are hard and choosing the right compliance tool is overwhelming. We understand that you need a tool that will make your life easier and help you accomplish your challenging security and compliance goals.

You need a tool that will help you get an audit report as soon as possible. 

You need a tool that can help you meet your deadlines.

You need the best and simplest way to complete an audit. 

You need a tool that connects you with audit experts.

You need a tool that makes something really hard, easier.

There are an overwhelming number of tools promising to help you meet these needs, and we understand how hard it can be to figure out which one will best help you meet those needs and goals. In our latest webinar, KirkpatrickPrice Founder & President Joseph Kirkpatrick walks through ten critical factors you should consider when choosing a compliance platform. Let’s walk through those factors and some questions you should ask during your decision making process.

  1. Integrations and Automated Evidence Gathering
    • Does the tool take scope into account?
      • If your automated tool isn’t considering how your people, processes, and technologies influence the scope of your audit and offering ways to verify their roles, you should probably keep looking.
    • Can the evidence be gathered to support and satisfy the audit requirements?
  2. Assign Compliance Responsibilities
    • Can you assign roles and responsibilities to other users, or is the tool just an audit checklist put online?
      • Individual departments should be able to work on and answer questions related to their responsibilities.
      • You need to rely on your team to make the audit less overwhelming. Community is the answer to a successful audit engagement.
  3. Live Connection to an Expert
    • Will you be working in a platform that gives you access to an expert?
    • How does the tool support you when a question arises?
    • Does the expert have enough experience to thoroughly answer your questions or test your advanced, unique environment?
  4. One Firm
    • Will you have to engage multiple entities to complete your audit?
    • Who is actually reviewing the evidence and issuing the report?
    • Do you have to manage multiple relationships?
    • Will misunderstandings occur from one interpretation to the next?
      • This leads to inconsistent results
    • Don’t exclude the audit firm from your tool conversation.
  5. Self-Service
    • Can you work at your own pace as you get ready for your audit?
    • People want to feel prepared before they start their audit. It’s like knowing the answers before taking the test, and it makes people feel more confident. Your compliance tool should make this possible.
  6. Educational Resources
    • Does the platform offer you educational resources that will prepare and empower you throughout the process?
  7. Custom Mapping
    • Can the tool support your unique engagements now and in the future?
    • How does the tool account for the differences between control environments?
      • You will have unique needs because every organization is different. Your tool should support that.
    • Does the tool use boilerplate language or does it customize reports and controls according to your unique business needs?
  8. Multiple Frameworks
    • Does the tool support multiple audit frameworks?
    • How seamlessly do the frameworks map together if you need multiple engagements?
  9. Built by a Licensed Firm
    • It matters who built the tool. Was it a software developer or a licensed firm who understands the intricacies of security and regulatory requirements?
    • Where was the tool built and how will those jurisdictional requirements affect your data?
  10. Platform Cost
    • What does the tool cost?

The Buyer’s Guide to Compliance Tools.

Looking for the right compliance tool is overwhelming. With so many options, it’s hard to know that you’re making the right choice for you. This guide will prepare you for the compliance journey ahead.

Get the Guide

Choose the tool that can give you the assurance you deserve.

We understand that you want an audit tool that will make your life easier. That’s why we created the Online Audit Manager, the world’s first compliance platform, to bring you both technological innovation and direct interaction with a certified auditor.

The OAM will get you ready to successfully complete an audit and connect you with an audit expert who understands just how overwhelming the audit process can be.

To learn more about the factors you should consider when choosing a compliance tool, listen to the full webinar.

Create your free account today!