The Top 3 Issues With Your Risk Assessment: Auditor Insight Webinar Recap

The power of a risk assessment isn’t just identifying risks: it’s creating a culture of security.

The risk assessment process is often viewed as a necessary evil for compliance and is commonly seen as inconvenient and unimportant. However, after over 20 years in the information security space, Shannon Lane views risk assessment as the most powerful tool for directing an organization, maintaining budgets, and managing projects.

In his presentation, Shannon shared where most companies go wrong with their risk assessments and how they can better leverage the opportunity to build their company’s consensus and morale around the subject of cybersecurity compliance.

In this blog, we have highlighted what you need to know to conduct an effective risk assessment, including the top three reasons risk assessments fail, so you can make sure your organization is making the most out of your risk assessment process. You can find the slides to the webinar presentation below:

Do as the Romans Do

An ancient metaphor helps us understand the role risk assessment plays in your business.

Rome was a nation of organization and innovation, and change was an integral part of its culture. It was seen as so significant that the idea that things never stay the same was even given a god, Janus, the god of beginnings. He has two faces: one looks forward to the decisions being made and the other looks back over the decisions of the past.

Like Janus, businesses are divided into two prongs: Visionaries and Guardians. Visionaries are CEOs, CTOs, and CIOs, supported by sales and marketing. Their goal is to move the company forward and figure out what is next.

Guardians are CFOs, CISOs, and COOs, supported by HR, IT, finance, and operations. They protect the march. They ensure the company is well equipped to meet its goals and that everything is working as intended.

The risk assessment process is designed to bring these two groups together so they understand and support each other.

A really good risk assessment will do the following:

  • Establish a common language to discuss and compare threats to an organization
  • Assist in setting objectives, milestones, and tasks
  • Lead to a deep understanding of the company operating environment
  • Help establish the “Why” of things
  • Show how departments, working groups, and teams are interrelated, and how their activities affect the organization
  • Define the road being travelled, while including the vision of where that road leads.

Preparation is the key element of a risk assessment.

“Expect everything, I always say, and the unexpected never happens.”

Norton Juster, The Phantom Tollbooth

Risk brings all of the voices of your organization together. It helps you to figure out what to expect, how often to expect it, and whether that is good or bad for your organization.

Just like a Roman campaign, we wouldn’t embark on a journey without planning. We need direction, equipment, planning, and contingency planning. Risk assessment is the key business activity used to ensure we are ready for the journey, we understand the trail, and we’re ready to face the journey ahead.

Every framework agrees risk assessment is key.

Risk assessment is so fundamental to the information security and governance process that every major framework requires a risk assessment.

Despite risk assessments being a critical part of an audit, not having a risk assessment (or a quality one) is normally one of the biggest findings for a new audit client.

Three Reasons Risk Assessments Fail

  1. Sword points
    • Sword points are the required compliance activities that lead to grudging and resentful attitudes toward compliance.
    • Completing risk activities just because they are “necessary” leads to careless action.
    • Considered activity leads to real understanding.
  2. Doing things halfway
    • Risk must be approached holistically; it is so much more than technology. Every role and department faces threats that are a risk to your business. What are you doing about that?
    • If you only do half a risk assessment, you aren’t actually preparing yourself for the future.
  3. Lack of a lexicon
    • Does your organization understand the vocabulary used in your risk assessment? Does everyone understand the labels of risk (i.e., does everyone understand what high impact means)?
    • Think of the color green. Green can be several things: olive green, grass, lime, the sea. Without a common definition, we will all interpret things differently, and that is a risk in and of itself.

So, how do we take these faults and actually perform an effective risk assessment? There are four steps:

Step 1: Commitment

Everyone in management must be committed, and all departments must be involved. Expressing your commitment to understanding and managing risk speaks volumes to your company’s security culture and establishes the importance of the process.

Step 2: Cohesiveness

Use a risk framework and establish your risk vocabulary. This will align your team and create a unified experience. It teaches the whole organization what risks are important and why.

Step 3: Cyclical Engagement

This is a living document. Update it throughout the year as risks are identified. Review it every year. Use it to track progress. Use it to justify budgets.

Step 4: Check In & Celebrate

Check in throughout the year and celebrate successes. Call out milestones that are hit. This sets up a culture that calls out risk and prioritizes security. This is where a security culture begins.

Establishing and prioritizing your risk assessment does far more than produce a list of risks. It drives inclusivity so everyone understands what each department is doing and why it matters. It drives budgets by showing what is needed and giving easy justification for spending.

But most importantly, it creates a security culture that teaches your organization to value and prioritize risk.

Improve Your Risk Assessment Process with KirkpatrickPrice

Are you unsure if your risk management procedures are effective enough to protect your organization?

Connect with one of our risk assessment experts today so we can help you mitigate risk within your organization. KirkpatrickPrice offers free risk assessment reviews and will connect you to an expert who cares about your security and compliance goals.

To continue learning about risk assessments, watch the entire webinar where Shannon goes deeper into the qualities your risk assessment needs to be effective by answering the questions submitted in the Q & A portion of the webinar. Shannon answered questions like:

  • How do I get my C-Suite on board with this process?
  • Who should control this exercise?
  • Who needs to be included in my risk assessment process?
  • Where should I start if my organization has never done a risk assessment?
  • And more!

Assess your risk and become unstoppable.

About The Webinar Host: Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. He now serves on the frontlines of cybersecurity audit as a Lead Practitioner at KirkpatrickPrice. He holds the CISSP, CISA, QSA, and CCSFP certifications.

We make sure they’re worth it.

We know that when it comes to threats, you want to make sure that you’re ready. In order to do that, you need quality cybersecurity and compliance audit reports with results you can trust.

The problem is audits are hard. The process is complicated and feels overwhelming. But we believe if you’re going to do it, the audit should be worth it.

How can a hard audit be worth it?

We get it. Audits are overwhelming. The process is complicated and getting started can feel impossible.

But that challenge will be worth it when you gain confidence that your security program is designed to keep your organization secure and compliant.

The reality is, to fully meet the requirements of an audit, your organization has to put in the time, effort, and preparation that compliance demands. Every audit requires attention to detail, an understanding of all of your organization’s controls, and thorough answers to each of the auditor’s questions.

Not to mention, your employees are still completing their daily workloads to keep your organization running. By adding the tasks of an audit process to that workload, you may feel that an audit is too difficult to tackle.

However, your audit doesn’t have to be a daunting process. When you partner with a high-quality auditing team that is dedicated to guiding you through the entire process, you can be sure your audit will end in success.

Quality Testing Gives You the Assurance You Deserve

We’ve been in your shoes and know how hard audits can be, but we’ve issued over 10,000 reports to 1,200 clients worldwide, giving them the assurance they deserve through quality testing, experienced auditors, and dedication to being the partner our clients need.

But what is assurance and how do you achieve it?

According to the AICPA, assurance means you have high (but not absolute) confidence in the design of your security program.

During an audit, auditors are trying to obtain reasonable assurance through their testing that your organization’s security controls are operating effectively and are designed to meet the compliance requirements you are facing. This assurance is how you can make sure you’re ready to face any security challenge ahead of you.

The level of assurance you deserve can only be achieved through quality testing performed by experienced auditors.

When you commit to thorough testing, you can be confident that the controls your organization has implemented are well-designed, compliant with the frameworks and standards relevant to your business, and operating effectively.

A checklist or automated audit can’t give you this assurance. It isn’t enough to see that you have configuration standards in place; you need to make sure that the exact configuration of your cloud environment is actually keeping your data secure. Only an experienced auditor can give those configurations the thorough examination they need, and only then can you be confident that your security program is prepared to face today’s threats.

Hard Work Pays Off

When you commit to the challenge of engaging in a quality audit from KirkpatrickPrice, you can stop feeling like you are going to miss something or be surprised when a client or attacker finds something that wasn’t in your report. You can stop feeling worried that you’re wasting your time working with someone who’s not advanced enough to thoroughly test your environment.

Instead, you’ll have a report that gets you ready for your next steps, allows you to say yes to client requests, and brings you the assurance you deserve.

Here’s how it works:

1) Get ready for your audit.

Whether you’ve gone through 1 or 100, audit readiness will set you up for success. You’ll be prepared and empowered to achieve your challenging compliance goals.

2) Partner with an expert.

Our cybersecurity and compliance auditors have sat in your seat and know how intimidating audits can be. Your dedicated specialist will walk you through the entire process from audit readiness to final report.

3) Show off your audit report.

Even though it was a demanding effort, we will make sure your audit was worth it. By the end of the process, you’ll be proud of the work you did and know that it will make the difference in gaining new clients and protecting your clients’ data. They will see that your report stands out from the automated audits in the market.

We think that makes all of your hard work worth it.

Partner with KirkpatrickPrice to Complete the Quality Audit You Deserve

KirkpatrickPrice is dedicated to walking alongside your organization on their compliance journey. From audit readiness to the final report, the audit process will be worth it when you partner with experienced information security specialists who are passionate about helping you reach your challenging security and compliance goals.

While audits will always be hard, KirkpatrickPrice will always be there to guide you through it.

Don’t shy away from the challenge of an audit. Face the hard parts of your compliance journey with KirkpatrickPrice leading you. Contact one of our experts today to get started.

Your business is at risk.

Information security compliance may be the key to protecting your valuable data and reputation.

Most businesses are likely required to comply with one or more information security regulations and industry standards, whether it’s PCI DSS, HIPAA, FERPA, FISMA, GDPR, SOX, or other regulations with information security components.

Information security compliance should be a priority in your organization, especially if your company handles personally identifiable information, credit card data, healthcare data, financial records, and a wide range of other data categories. Businesses with lax information security risk legal liability, fines, and reputation damage. In the worst cases, non-compliance results in sanctions that prevent a company from continuing operation.

But exposure to legal risk isn’t the only reason businesses should comply with information security regulations. Compliance improves internal security practices, decreasing the risk of security breaches, data leaks, and the financial damage of downtime and service disruption in the event of a security incident. 

In this article, we take a look at six of the most common information security compliance risks. They cut across information security regulations, so you should find a risk relevant to your business regardless of which regulations apply. 

What is an Information Security Compliance Risk?

Compliance risk is a business’s exposure to the consequences of compliance failures. These consequences may include legal penalties, financial losses, and constraints on business operations. Each set of regulations and standards has its own penalties. Here are a few examples. 

  • HIPAA operates a tiered penalty system that runs from $100 per violation to $50,000 per violation. These penalties are set out in the HITECH Act and are adjusted for inflation when applied, so they have significantly bigger dollar values today. 
  • PCI DSS also operates a tiered penalty system with maximum monthly penalties of $100,000. PCI has applied fines of up to $500,000 per incident for security breaches. Security breaches caused by compliance failures can also lead to the termination of relationships with payment processors and banks. 
  • Non-compliance with FISMA can lead to the loss of federal government contracts and funding. 
  • Businesses that operate in the EU must comply with the General Data Protection Regulation (GDPR). Penalties for non-compliance include up to 4% of global revenues or up to €20 million, whichever is greater. 

6 Common Information Security Compliance Failures

1. Poor Identity and Access Management Practices

Identity and Access Management (IAM) consists of systems and processes to manage identities and their access to data, infrastructure, and organizational resources. Failures of identity and access management often result in unauthorized access to sensitive information. 

The most common failures involve lost, shared, or leaked passwords. But IAM compliance failures cover a huge range of security vulnerabilities, including the over-broad configuration of access rights, insecure management of credentials and API keys, failure to delete old credentials, and so on. 

Identity and access management is a business’s first line of defense against unauthorized access and data theft. Poor practices can result in information security compliance risks that expose businesses to damaging penalties. 

2. IT Infrastructure Misconfiguration

Infrastructure misconfiguration is one of the most common compliance risks. As IT systems—particularly cloud systems—become ever more complex, the risk of misconfiguration exposing sensitive data has increased. The vast majority of security incidents involving data stolen from cloud platforms are the result of misconfiguration. 

To take one example we’ve written about extensively on this blog, misconfigured AWS S3 buckets are a gift to cybercriminals. HIPAA-covered entities have often been found non-compliant because they stored ePHI on cloud storage with insecurely configured access permissions. Properly configured, S3 can be used as a compliance data store for ePHI, but configuration failures create massive information security compliance risks. 
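What “insecurely configured access permissions” on an S3 bucket looks like in practice, as an added example that is not part of the original post: the checks below evaluate a bucket policy and an ACL document (constructed samples in the shape AWS returns for a bucket’s policy and ACL; no AWS calls are made) and report any grant that opens the bucket to everyone. Bucket names, ARNs and account IDs are placeholders.

```python
"""Flag S3 bucket policies and ACLs that grant access to everyone.

Added example, not code from the original post. The documents below are constructed
samples in the layout AWS uses for bucket policies and ACL grants; it runs offline.
"""
import json

# Grantee URIs that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
# Both are effectively public; these are the real S3 predefined-group URIs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Action, Principal.AWS and Statement may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Allow statements that give every principal an s3:* action without a Condition.

    Statements with a Condition block are skipped here (they may be scoped to a VPC or
    source IP) and should be reviewed manually rather than auto-flagged.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if a.lower().startswith("s3:")]
        if actions:
            findings.append({"sid": stmt.get("Sid"), "actions": actions})
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append({"uri": grantee["URI"], "permission": grant.get("Permission")})
    return findings


def assess_bucket(policy: dict, acl: dict) -> dict:
    """Combine both checks into a single verdict for one bucket."""
    stmts = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    return {"public": bool(stmts or grants), "policy_findings": stmts, "acl_findings": grants}


# Constructed sample: anonymous read of every object (the classic leaky-bucket policy).
SAMPLE_PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# Constructed sample: the same layout, but access limited to one role in one account.
SAMPLE_PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleAccess", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# Constructed ACLs: one grants the AllUsers group READ, the other only the bucket owner.
SAMPLE_PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                 "Permission": "READ"}]}
SAMPLE_PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                                  "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_PUBLIC_POLICY, SAMPLE_PUBLIC_ACL))
    print(assess_bucket(SAMPLE_PRIVATE_POLICY, SAMPLE_PRIVATE_ACL))
```

The same two functions can be pointed at the policy and ACL returned by the AWS API for each bucket in an account to produce the evidence an auditor will ask for.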

3. Insecure Storage of Sensitive Data

Most information security regulations insist that sensitive data is encrypted at rest and that decryption keys are stored securely. When you read about a massive data leak in the media, it’s likely the victim was not following these basic information security risk reduction strategies. Encrypted data is worthless to cybercriminals—they can’t decrypt it, provided the cryptographic keys are stored securely.

Encryption is part of a defense-in-depth strategy. Businesses should implement security measures at network perimeters, such as firewalls. But it’s a mistake to rely on their ability to keep bad actors out. Encryption allows businesses to protect data and mitigate compliance risks even if their networks are breached. 

4. Shadow IT

Shadow IT is information technology that is not controlled or monitored by businesses. The most common cause of shadow IT risks is the use of unsanctioned cloud IT services. Cloud resources are easily accessible and convenient—often more convenient than the officially approved resources made available by the business. 

Employees who use cloud services without approval to store sensitive data create a significant compliance risk. Cloud access security broker tools can help to reduce the risk, but only if businesses work to eliminate shadow IT. 

5. Inadequate Training

In this article, we’ve discussed several compliance risks created by employees. But these are rarely the result of malice. Employees are trying to do their jobs to the best of their ability, and they lack the training necessary to assess the risk associated with their behavior. Security awareness training is an essential aspect of compliance risk reduction. 

6. Poor Documentation

Poor documentation is related to our previous compliance failure. Employees can’t follow security best practices if there is no documented practice for them to follow. Many information security regulatory frameworks mandate comprehensive security process documentation for this reason. 

For example, PCI DSS Requirement 12 requires “Evidence of security policy created, published, maintained, and distributed to all relevant personnel.” HIPAA requires a range of documentation, including risk analyses, risk management plans, sanctions policies, and notices of privacy practices. 

Mitigate Information Security Compliance Risk with KirkpatrickPrice

KirkpatrickPrice offers a wide range of information security services that help businesses to identify and reduce security compliance risks, including:

Compliance audits, including HIPAA, PCI DSS, FISMA, and FERPA.

Independent assessment attests platform shares key functionality with UltraDNS, but maintains separate infrastructure and operations

STERLING, Va. – Dec. 7, 2022 – Neustar Security Services, a leading provider of cloud-oriented security services that enable global businesses to thrive online, has completed an independent third-party audit of its UltraDNS and UltraDNS2 platforms. The independent assessment, based on SSAE No. 18 standards and performed by KirkpatrickPrice, attests to both the similarities in functionality and the differences in infrastructure and operations between the company’s UltraDNS and UltraDNS2 platforms.

Neustar Security Services’ UltraDNS is a cloud-based, managed authoritative DNS service that protects enterprises’ digital assets and maximizes their Internet presence uptime. UltraDNS2 adds an independent secondary global DNS anycast network that works seamlessly alongside the existing UltraDNS platform to provide all the benefits and functionality of UltraDNS, with even greater redundancy, increased performance and higher availability of DNS resolution services.

The two networks offer the same robust features such as traffic management capabilities, API and portal, but have separate node locations, network infrastructure operations, provisioning, automation, peering and routing policies. This customized audit – an assessment of agreed upon procedures (AUP) – was designed and executed by KirkpatrickPrice leveraging SSAE 18 attestation standards to provide independent confirmation of Neustar Security Services’ assertions regarding the similarities of and differences between its UltraDNS and UltraDNS2 platforms.

“Since the independence of the two networks is critical to organizations’ ability to reduce risk, but their similarities deliver vital benefits for reducing cost and complexity, we wanted to provide third-party attestation to these characteristics,” said James Willett, senior vice president of operations at Neustar Security Services. “Customers and prospects need to be certain that the UltraDNS and UltraDNS2 platforms are truly separate from an infrastructure standpoint, but that they leverage the same technologies and deliver key benefits for cost and complexity reduction, like unified traffic management and single pane of glass management capabilities.”

“Enterprises rely on us to protect their critical infrastructure, and we are committed to doing everything we can to earn and maintain our customers’ trust,” said Neustar Security Services CEO Colin Doherty. “This custom AUP audit is just one more example — alongside our more traditional audits such as SOC 2 Type 2 — of the platform due diligence we perform to instill customer confidence and ensure our ongoing ability to provide best-in-class service.”

“The customized audit assessment of agreed-upon procedures provides evidence that Neustar Security Services has a strong commitment to delivering on its promises to customers,” said Joseph Kirkpatrick, president of KirkpatrickPrice. “The results of this audit can assure customers that key claims about the UltraDNS and UltraDNS2 services are accurate.”

For more details on the specific features audited by KirkpatrickPrice, see https://neustarsecurityservices.com/blog/neustar-security-services-completes-the-third-party-audit-for-ultradns-and-ultradns2.

For more information about Neustar Security Services’ DNS services, please visit https://neustarsecurityservices.com/dns-services.

About Neustar Security Services:

The world’s top brands depend on Neustar Security Services to safeguard their digital infrastructure and online presence. Neustar Security Services offers a suite of cloud-based services that are secure, reliable and available to enable global businesses to thrive online. The company’s UltraSecurityTM suite of solutions protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional interactions all day, every day. Delivering the industry’s best performance, Neustar Security Services’ mission-critical security portfolio provides best-in-class DNS, application and network security (including DDoS, WAF and bot management) services to its Global 5000 customers and beyond. For more information, visit https://neustarsecurityservices.com.

About KirkpatrickPrice:

KirkpatrickPrice is a licensed CPA firm, PCI QSA and HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe and Australia. The firm has more than a decade of experience in information security by performing assessments, audits and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn or subscribe to our YouTube channel.

Media Contact:

Neustar Security Services
Finn Partners for Neustar Security Services
Pete Johnson
+1 503-546-7880
pete.johnson@finnpartners.com

The security of your AWS cloud environment is your responsibility.

Partly. Amazon Web Services (AWS) shares security responsibility with its users. Users are responsible for configuring and using cloud services securely and in compliance with information security regulations and standards.

But AWS doesn’t leave its users high and dry where security and compliance are concerned. The platform offers an array of cloud security features and tools to help users with AWS cloud security and compliance.

In this article, we explore six AWS security tools every AWS user should know about. We recommend taking a closer look at each tool to assess whether they could help your business improve its cloud environment’s security. 

1. Identity and Access Management

AWS Identity and Access Management (IAM) helps businesses to manage who has access to cloud resources and what they can do with them. It is perhaps the most important AWS security tool and one that every business with resources on AWS should use. IAM has three main roles:

  • It governs authentication for AWS users.
  • It limits the actions those users can take.
  • It allows for the creation of identities like users and groups. 

When you first create an AWS account, it has a single user, the root user, who can access all data, resources, and services. Sharing the root user’s credentials is unsafe, so IAM is used to create subordinate identities with varying permissions. In this way, a team can manage and use AWS resources without sharing the root account.

As a general rule, you should not use the root account for day-to-day operations—it is too powerful. Instead, use IAM to create users with just the permissions they need.

2. AWS Security Hub

AWS Security Hub centralizes security data and presents it in an easy-to-integrate format. AWS includes over 100 services, many of which generate data relevant to security and compliance. 

Monitoring and acting on security issues across an AWS environment can be time-consuming and error-prone. Security Hub gathers all that data into a single location, simplifying security awareness and helping businesses to understand their security posture.

Security Hub integrates with many other AWS services, including Amazon GuardDuty, Amazon Inspector, AWS Config, and Amazon Macie. It collects data from these services and carries out best practice security checks, providing users with the insight they need to respond to security issues as they arise.

Security Hub can also integrate with your incident management and audit management tools, delivering data in a consistent format that enables third-party cloud security tools to display and organize remediation work. 

3. AWS Secrets Manager

AWS Secrets Manager provides a way for AWS users to securely store encrypted credentials and keys while allowing software to use them. The secrets are kept in AWS Secrets Manager, and your code accesses them via API calls to the service.

AWS Secrets Manager helps you to manage secrets securely, including credentials and API keys. If your business writes web software, you need a way to give apps access to other services, such as databases and APIs. 

Traditionally, this was achieved by embedding secrets like passwords and API keys in the code, but that’s an insecure practice. It often results in leaked secrets and stolen data. 

If secrets are hardcoded, anyone who can access the code can see them, which is particularly dangerous when the code is uploaded to version control systems. 

4. Amazon GuardDuty

Amazon GuardDuty is a threat detection system that monitors your AWS services and accounts for security issues. It works by looking for abnormal activity and assessing its potential security implications. 

It primarily monitors for activities that indicate reconnaissance by a bad actor and the compromise of cloud instances, accounts, and S3 storage buckets. It combines data about known threats and threat actors with machine learning analysis that can detect suspicious activity patterns. 

As we mentioned above, GuardDuty integrates with AWS Security Hub, which in turn integrates with many other tools, allowing you to send actionable threat data to work management and monitoring tools. 

5. Amazon Macie

Before you can protect sensitive data, you need to know that it’s sensitive. That’s not always as easy as it sounds. 

If a company processes large quantities of data, it may contain unidentified sensitive data that puts security and compliance at risk. Plus, it is not uncommon for employees to upload sensitive data to insecure cloud services. Millions of sensitive records have been leaked in recent years because employees uploaded them to improperly configured S3 buckets. 

Amazon Macie is a data security service that helps businesses to find sensitive data stored on their AWS resources. It uses machine learning and pattern matching to scan S3 buckets for sensitive data, alerting users so they can take action. 

6. AWS CloudTrail

AWS CloudTrail is a cloud logging service that records actions taken across your AWS account. The data it provides is essential for identifying malicious behavior and ensuring that users behave in a secure and compliant manner. 

CloudTrail records a vast range of events, including actions by users, roles, and services. It logs events from numerous sources, including the web management console, the command line interface, SDKs, and APIs. 

In short, CloudTrail provides a comprehensive overview of activity on your account, helping you to identify and respond to malicious activity quickly and effectively.
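How the CloudTrail records described here can be turned into the checks the IAM section calls for (root account not used day to day, users holding only the permissions they need), as an added example that is not part of the original post: the triage below reads a CloudTrail log file (a constructed sample in CloudTrail’s `"Records"` JSON layout, with placeholder account IDs and addresses; no AWS calls are made) and flags root-account activity, console sign-ins without MFA, and IAM privilege changes. The rule names and severities are this example’s own choices, not AWS or KirkpatrickPrice definitions.

```python
"""Triage CloudTrail records for root-account use and weak or suspicious sign-ins.

Added example, not code from the original post. SAMPLE_TRAIL is a constructed log file
in the JSON shape CloudTrail delivers ("Records" array); field names such as
userIdentity.type, additionalEventData.MFAUsed and responseElements.ConsoleLogin are
the real CloudTrail fields. Rule names and severities are this example's own.
"""
import json
from collections import Counter

# IAM API calls that change who can do what; worth a review even from a normal user.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "CreateUser", "CreateAccessKey",
}


def triage_record(rec: dict) -> list:
    """Return (rule, severity) findings for one CloudTrail record."""
    findings = []
    identity = rec.get("userIdentity") or {}
    name = rec.get("eventName", "")
    mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
    login_result = (rec.get("responseElements") or {}).get("ConsoleLogin")

    # Any root use outside account-level housekeeping is a policy violation on its own.
    if identity.get("type") == "Root":
        findings.append(("root-account-activity", "high"))
    if name == "ConsoleLogin" and login_result == "Success" and mfa == "No":
        findings.append(("console-login-without-mfa", "high"))
    if name == "ConsoleLogin" and login_result == "Failure":
        findings.append(("console-login-failure", "low"))
    if rec.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_CHANGE_EVENTS:
        findings.append(("iam-privilege-change", "medium"))
    if rec.get("errorCode") == "AccessDenied":
        findings.append(("access-denied", "low"))
    return findings


def triage_trail(log_text: str) -> dict:
    """Parse a CloudTrail log file and summarize which records need a human look."""
    records = json.loads(log_text)["Records"]
    rows, counts = [], Counter()
    for rec in records:
        found = triage_record(rec)
        counts.update(rule for rule, _ in found)
        rows.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "identity": (rec.get("userIdentity") or {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "findings": found,
        })
    return {"records": rows, "counts": dict(counts),
            "flagged": [r for r in rows if r["findings"]]}


# Constructed sample: a root console login without MFA, a root API call, an IAM user
# minting a new access key, and one benign call by an application role.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-08T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-08T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-01-08T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-01-08T10:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
]})

if __name__ == "__main__":
    summary = triage_trail(SAMPLE_TRAIL)
    for row in summary["flagged"]:
        print(row["eventTime"], row["eventName"], row["identity"], row["findings"])
    print(summary["counts"])
```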

Identify AWS Security Issues with KirkpatrickPrice

AWS cloud security tools help you to be secure and compliant in the cloud, but they can’t verify compliance with regulations and standards such as PCI DSS, SOC 2, or ISO 27001. KirkpatrickPrice offers a range of cloud security services that help businesses to comply in the cloud, including:

Contact a cloud compliance expert to learn more or run a free cloud security scan of your AWS infrastructure.