Cyberattacks and data breaches are things all business owners have learned to accept as a possibility. Breaches and hacks penetrate the headlines almost daily, and as technology continues to evolve, so do the ever-present threats associated with these types of risks. There are two sides to every breach, however: prevention and recovery. You’re most likely already taking steps towards protecting your organization from the possibility of a breach, but have you planned what you will do to remain operable and minimize damages in the event that your environment is compromised? Experiencing a breach is disruptive, but fumbling the response is disastrous. Incident response plans are invaluable measures that should be taken by every organization, because let’s face it – controls can fail, implementation can fail, and consequently, incidents are bound to happen.

What is an Incident?

According to The SANS Institute, an incident is defined as an “assessed occurrence having actual or potentially adverse effects on an information system”. Incident Handling is “an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events.” Your Incident Response Plan should include appropriate policies and procedures that dictate to your organization what the immediate steps are following the detection of an incident. These steps may include containment, notification of appropriate personnel, reporting, eradication, and lessons learned.

There are six common stages of incident response that are important when developing your own Incident Response Plan. Take a look at the breakdown of the Six Steps of Incident Response, and ask yourself, “Are we ready?”

Six Steps of Incident Response

  1. Preparation: Advance preparation is important when planning for a potential incident. Policies and procedures should be known and tested by management and all personnel to ensure that the recovery and remediation process will address any and all incidents in a timely manner, resulting in the least amount of damage. Do you have the necessary tools and training to handle incidents before they actually occur?
  2. Detection and Identification: After the incident occurs, it’s important to ask yourself a number of questions. What kind of incident has occurred? Data theft? Insider threat? Network attacks? Once you’ve identified the type of incident that has occurred, it’s important to determine the severity of the incident in order to choose the best course of action according to your predetermined Incident Response Policy and Procedures. Are there any safety concerns for personnel that need to be considered? Has there been loss or exposure of data? Were any laws or contracts violated? What is the size of the impact area?
  3. Containment: In order to limit the impact of an incident, the containment phase of incident response is critical. Have the right people in your organization been notified? The faster the response time, the more likely it will be that you can reduce the damage of the particular incident. This may mean isolating the infected or compromised area to determine the best way to handle recovery. Do you have the right tools and personnel needed to handle the task?
  4. Remediation: At this stage, it’s time to resolve the issue and remove any malicious code, threat, personnel responsible for the incident, etc. Forensic analysis should be completed and logs kept throughout the remediation process. Will backups need to be implemented? What information security weaknesses need to be addressed at this time?
  5. Recovery: At this point, it’s time to get things back up and running and be sure that all company policies and procedures are effectively being implemented. Continuous, ongoing monitoring is important following remediation of an incident to be certain that it has been fully resolved and nothing threatening is lingering in your network. Continuous monitoring will also detect any suspicious behavior going forward.
  6. Lessons Learned: Compiling a detailed report of what happened and what was done as corrective measures is a good step towards ensuring the same incident will not occur again. Why did it happen? What could have prevented it? Does your security posture need to be updated to ensure similar incidents won’t happen in the future? Who does this information need to be shared with in order to make any necessary change to your security posture?

Preparation is just as important as prevention when it comes to securing and protecting your business. Don’t be surprised by an unexpected security incident. Develop and implement an Incident Response Plan, train your employees on what needs to be done to protect your business in the aftermath of an incident, and you will be able to reduce, minimize, and address damage caused by an unfortunate event.

According to CFPB Bulletin 2012-3, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.” An effective risk management strategy includes the assessment and monitoring of vendor compliance, in accordance with your company’s formally written policies and procedures. Today’s compliance program certainly involves an ongoing struggle in organizing vendor responses while monitoring and tracking recurring events and supporting documents.

In the past, managing vendor compliance contractually was adequate. Compliance risk and responsibility was effectively transferred to the service provider, and by doing so, compliance activity was kept at arm’s length. Today, the CFPB expects you to “oversee [your] business relationships with service providers in a manner that ensures compliance with Federal consumer financial law…” In other words, a full chain of custody is now necessary to ensure full compliance. In order for this to happen, an “effective process” must be in place. Simply put, you now have to check and validate that your vendors actually do what they say they do.

Who’s Responsible for What?

According to the CFPB, if you have “any person (e.g. service provider) that produces a material service to a covered person (i.e. you) in connection with the offering or provision by such covered person of a consumer financial product or service” then you are responsible for their compliance with all relevant CFPB requirements. This means the service provider is also responsible to the CFPB, and no one gets a free pass.

Managing Vendor Compliance

When it comes to vendor management, there are two things you should be thinking about: you are both the auditor and the audited. When managing your own vendors, what are the necessary components of a Vendor Compliance Management Program?

What do you need?

  • List of policies and procedures: You will most likely have a policy that requires third parties to conduct compliance training and monitor employees who have consumer contact (UDAAP, FDCPA)
  • List of third parties to include activities performed: Do you maintain a list of your service providers that are involved in debt collection? Which of your vendors are consumer facing? Which of your vendors are storing or receiving consumer information?
  • Contracts with third parties: Ensure your contracts have clear definition of what your expectations are in regards to compliance with federal consumer financial protection law. Does it include consequences for violations?
  • Evidence of due diligence: Your policies and procedures say you require all vendors to perform training, but what evidence are you gathering that shows this is actually happening?

Your Vendor Compliance Management program is a piece of your overall Compliance Management System, which encourages you to collect information and documents you may need easy access to in order to demonstrate your compliance to the CFPB directly, or to one of your clients. The CFPB clearly dictates what you should be doing to manage your vendors.

Where do you start?

You know what you should be doing to demonstrate that you are monitoring your vendors, but how do you get the ball rolling and get the process going? The best place to start is by performing a Risk Assessment for all third parties involved in the debt collection process. A Risk Assessment will help dictate the following:

  • Develop/enhance policies and procedures: What needs to be developed that is missing? What are you already doing that you need to enhance?
  • Continuous monitoring: How will you monitor to ensure your vendors’ compliance?
  • Remediation: What are you going to do to remediate issues if any are found? Will this mean possible termination of a vendor relationship if the risk is not worth it?

How much evidence is enough?

What information should you be gathering from your third parties to prove that you’re doing your due diligence and effectively monitoring them for compliance?

  • Vendor Policies and Procedures
    • Regulatory compliance & CMS Overview
    • Compliance training
    • Consumer complaints
    • Information Security posture
  • Types of Evidence
    • Training logs
    • Call recordings
    • Third party security reports
    • Performance reports
    • Audited financials

Using the Online Audit Manager for Vendor Compliance

KirkpatrickPrice utilizes a unique online portal that is equipped to help you manage your own vendors. The Online Audit Manager is a tool designed to save you time by simplifying the vendor compliance management process, allowing you to:

  • Customize audit questions based on a number of compliance frameworks (SSAE 16, SOC 2, PCI DSS, FISMA, ISO 27001, HIPAA, CFPB, and more)
  • Track vendor progress and set deadlines
  • Approve, deny, or request further information per item
  • Establish recurring events based on the information you wish to receive annually, quarterly, monthly, etc.
  • Upload and attach files in support of the question or recurring event, such as insurance certificates, licensing information, call recordings, policies and procedures, etc.
  • Utilize your own compliance staff to review the audit findings or let us do the work for you, online or onsite

If you are interested in learning more about this tool, contact us today to sign up for a free demo.

More Resources

The First Step in Vendor Compliance Management: Risk Assessments

Vendor Compliance Checklist: Why Vendor Compliance Management is Important for Your Business

Common Gaps in Vendor Compliance Management

SSAE 16, SOC 2, HIPAA, PCI DSS, FISMA, ISO 27001. We’ve all heard of the Alphabet Soup, but what do they all really mean?

Which one is right for me? Which one should I pursue? Why would I get this audit over that audit? As auditors, these are the questions we are most frequently asked.

To help answer these questions and truly familiarize you with the different audit frameworks, we’ve broken down the Who’s, What’s, and Why’s for the most commonly reported on frameworks.

SSAE 16/SOC 1

Who asks for an SSAE 16? If you work with publicly traded companies, financial institutions, or state or local government, you will frequently be required to have an SSAE 16 (or SOC 1) audit performed by a third party. It is the most commonly used form of attestation for service providers in the US. So what is an SSAE 16? It’s an audit and report on internal controls (whether related to information security, financial, operational, or compliance controls) at a service provider that are relevant to their client’s data. The SSAE 16 audit takes a risk-based approach, with specified objectives that are created to address client risk, and controls, or activities, to accomplish each objective. A third-party auditor would be looking at your environment to make sure your objectives are appropriate, your controls are effectively designed, and that you are doing what you say you are doing. An SSAE 16 audit is as good as its scope.

SOC 2

Typically, the same clients who are asking you for an SSAE 16 will be the ones asking you for a SOC 2 audit. Whereas SOC 1 was designed to validate internal controls at a service provider that relate to client financial reporting and validate information security, SOC 2 was a framework specifically designed for companies delivering technology related services. The SOC 2 framework is finally gaining popularity. SOC 2 was specifically designed to report on one of five principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The established criteria for each principle address the following questions: How are your policies and procedures relative to the standard documented? How do you communicate those to all interested parties? How do you monitor that those controls are being effectively performed?

HIPAA

If you are working for a healthcare provider or a Business Associate who services a healthcare provider, you are going to be asked for validation of your compliance with HIPAA laws. Any entity that handles Protected Health Information (PHI) will be responsible for compliance with HIPAA. Legislation requires appropriate Physical, Administrative, and Technical Safeguards to protect PHI. Much like the SSAE 16, HIPAA compliance is risk-based. You must begin by performing a Risk Assessment to determine what the appropriate physical, administrative, and technical safeguards are, implement those, and then perform regular monitoring to ensure the safeguards are still appropriate. There is no “hard list” of requirements for HIPAA, and there is no certification. A third-party audit would provide validation of your controls and their appropriateness and effectiveness.

PCI

The PCI Data Security Standard applies primarily to the payment card industry. If you store, transmit, or process cardholder data, you will be required to comply with PCI DSS. Additionally, if you have a client who is required to comply with PCI DSS, they are required to validate your compliance with the standard as well. PCI DSS is a very robust information security standard, and is also sometimes used as a best practice, even without handling credit card data. A PCI audit is an information security audit focused on the protection of credit card data. All PCI audits are performed by a PCI Qualified Security Assessor (QSA). There are over 200 controls and 1,000 audit tests that make up the framework and process. There are six control objectives with 12 subject areas. When a third-party auditor performs a PCI audit, it results in a PCI Report on Compliance (ROC).

FISMA

FISMA Compliance is required of anyone working with the federal government, a federal contractor, or a sub-service provider of a federal contractor. FISMA is the law. NIST Special Publication 800-53 is the actual standard that lists the individual security controls required to comply with FISMA. A FISMA audit is a thorough assessment of your information security practices as it relates to NIST SP 800-53 requirements. It involves a detailed risk assessment, and a selection of comprehensive controls determined by whether you are a low, moderate, or high category. Out of the frameworks we’ve covered so far, FISMA is the most extensive.

ISO 27001-27002

If your customers are doing business globally, chances are you’ll be asked for an ISO 27001 audit. It is a very mature, holistic, information security standard that is widely recognized and highly revered on an international level. 27001 is the entire standard, and 27002 refers to just the controls. An ISO 27001 audit is a complete audit of your Information Security Management System (ISMS). This includes management system, risk management, internal audit, management review, continual improvement, and information security controls.

What is Meant by Audit Framework?

If you are unsure what is meant by an audit framework, please read over these KirkpatrickPrice resources:

Chief Compliance Officer Series: Constructing an Internal Audit Framework

6 Steps to Construct Your Internal Audit Program

Determining which audit framework is the best for your organization depends on a number of things: who your clients are, who your clients’ clients are, and what kind of information you process. For more information on a specific framework, or if you are interested in speaking with an Information Security Specialist for a consultation, contact us today.

Many users of popular social media sites do not realize the potential risks they expose themselves to while using and participating in social networking. Most users develop a “dangerous level of assumed trust” with other users of these sites, regardless of whether or not they have actually verified their identities. This is why it is a good idea for businesses to put into place social media policies for employees to practice so they are not only protecting their employees, but also their company.

Things all social media users should avoid and keep in mind:

  • Don’t be a password sloth – Using the same password for multiple sites or accounts is lazy, and it means an attacker who has compromised your Twitter account may also gain access to your banking information.
  • Don’t give away too much information – Letting your social networks know you’re going out of town for vacation, your current location, birthday, place of birth, and family tree, are all factors that could be used against you for identity theft, or present danger to your family or belongings.
  • Don’t engage in “tweet rage” or posting rage – Think about your personal brand as well as your company’s brand before ever posting out of anger.
  • Think twice before posting work related posts – In 2009, the FTC guidelines stated that statements made by employees on social networking sites, blogs, and other sites, may impose liability on businesses.
  • Be wary of scams – Refrain from sharing information you shouldn’t (passwords, sensitive data, company secrets), and clicking on links you shouldn’t (malware). Scammers use approaches such as the following to extract information from you:
    • Secret celebrity gossip
    • 419 scam – They hack a friend’s account, pose as them, and ask for money.
    • “Lol! Did you see this picture of you?” – Phishing with a question that piques the user’s interest, and then directs them to a fake log-in screen.
    • Quizzes and polls
    • Tweet for cash
    • Joining fake online groups without verifying the validity of the group and the individuals running it.
    • Clicking on bad links that relate to news headlines.
  • Don’t over-share company activities – This can leak information to competitors.
  • Be wary of downloading mobile apps that may contain malicious software.
  • Be aware of social engineering tactics.
  • Be careful when mixing personal with professional – Friends include business associates, family members, and friends.
  • Do not add connections just for the sake of accumulating as many connections as possible – Always verify the person who wants to get in contact with you.
  • Avoid being “click happy”, especially on Facebook – This means clicking on every link that your friends post or invites from unknowns.

In today’s society, we are constantly sharing information, sometimes too much. Keep these social media security best practices in mind before posting your next Tweet. Contact us today for more information on protecting yourself online and warding off potential cybersecurity threats.

Are you looking to gain insight into how you can establish an effective call monitoring program for your organization? Are you curious about what the best practices are for developing a call monitoring program according to CFPB regulations? This webinar will provide an overview of the top four components of an effective call monitoring program and will help answer questions about the structure of your program, the components of your scorecard, and how to understand and use call monitoring analytics.

What are the Top 4 Critical Components of an Effective Call Monitoring Program?

We believe the top 4 critical components of an effective call monitoring program include:

  1. Structure and Oversight: The Quality Assurance (QA) Department is of vital importance to everyone who performs any sort of collection work. You must have a strong and knowledgeable QA manager, one who has adequate knowledge of the laws, the client requirements, and the collection process. The QA Department must also determine the best practices for collecting samples of calls. Most importantly, however, all policies, procedures, and work instructions must have documented expectations.
  2. Management of Staff: Educating, training, and mentoring new and current staff is imperative in establishing an effective call monitoring program. Creating a multi-level approach to monitoring, such as including collection managers and utilizing speech analytics, will also support an effective call monitoring program.
  3. Scorecard Components: The best practices in development are risk assessment, consumer complaint statistics, CFPB complaint statistics, overall consumer lawsuits, separate compliance with quality objectives, and utilizing a weighted score of components based on risk level and exposure. However, whatever components of a scorecard you use can always change based on assessment needs.
  4. Reporting and Analytics: Gathering and making use of the data is essential to establishing an effective call monitoring program. By evaluating trends, implementing corrective actions, and communicating the results to the compliance committee and executive management, the Chief Compliance Officer can ensure that the call monitoring program is compliant with CFPB regulations.

To learn more about what you can expect working as a Chief Compliance Officer or for ways that KirkpatrickPrice can assist you in establishing an effective call monitoring program, watch the full webinar. For more information, contact us today.