With the compliance landscape rapidly changing, it’s important to stay up to date with current standards to gain trust and respect from your clients. If you’ve been considering getting an SSAE 16 Audit, but keep putting it off, what are you waiting for? Here are 3 Reasons to stop hesitating and start your SSAE 16 Audit today:

1. To gain a competitive advantage

Completing an SSAE 16 allows you to pursue clients that require an SSAE 16 to meet their own regulatory requirements. They simply can’t afford to work with an “at-risk” vendor. It also tells clients that you are serious about the controls and security of your organization. Engaging in an SSAE 16 Audit demonstrates that you have taken initiative by hiring a third party to conduct the audit, in turn, formalizing your audit process.

2. It will mature your environment

By completing an SSAE 16 Audit, you are ahead of the curve in maturing your organization. Management should choose to test its own people and bring in outside services to help your business processes mature. A review of your controls by an independent auditor can surface things you may have missed during your own assessment of risk. Catching these gaps can help your organization stay secure and up-to-date on security and compliance best practices, and can protect you from a loss of business or operability.

3. It will save you time and money

By being proactive about the security of your organization, you will save your organization time and money by reducing the burden of questionnaires and site visits from your clients’ auditors. If you don’t already have a current report, you could face multiple clients’ auditors individually and continue to repeat the process, over and over.

Don’t hesitate to begin your SSAE 16 Audit. For more information on whether or not an SSAE 16 is right for your business, contact us today or click here to download our FAQ about SSAE 16/SOC Audits.

Joseph R. Swedish, CEO of Anthem Inc., one of the largest healthcare providers in the US, announced Wednesday that despite efforts to appropriately safeguard their information, they suffered a major cyberattack. This attack is said to have affected as many as 80 million people.

According to Anthem, this attack compromised both patient and employee information: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income information. Swedish said in a letter published on a website about their response to the incident, “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating in the investigation.” (www.AnthemFacts.com) They have since taken measures to improve their security environment by fully evaluating their systems.

HIPAA laws mandate that you properly safeguard the Personally Identifiable Information (PII) that you collect, and data breaches such as this can often result in heavy fines. There are specific guidelines regarding protecting this information as well as reporting a breach once it has been discovered. In too many cases, businesses scramble to pick up the pieces as a result of a breach rather than already having in place a strong defense to protect the PII for which they are responsible. This is a scary time for the cyberworld, and with the discovery of this massive data breach we should be encouraged to continue to improve and strengthen our security measures as the landscape continually evolves.

If you need help assessing your current security environment or need help developing your Incident Response Plan, call us today at 800-770-2701 for a free consultation.

Performing a Risk Assessment is a critical component of any Information Security Program. It’s mandated by several frameworks (SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA). In order to comply with those frameworks, your organization has to complete a risk assessment, and then assess and address the risks by implementing security controls. Risk Assessment is a continuous, evolving process for an organization. So, where do you begin?

1. Conduct a Risk Assessment Survey

A Risk Assessment is a systematic process of evaluating the potential operational, reputational, and compliance risks that pertain to your organization. So why should you care about performing a Risk Assessment? As a business owner or stakeholder, it is your priority to protect the assets that are required to deliver your service or product. It can protect your revenue and business operations, ensure future growth and responsibilities, and help you avoid costly lawsuits and fines.

2. Identify Risks

Risk = Vulnerability X Threat

In order to identify your risks, you must first identify your assets, and the threats and vulnerabilities that can affect these assets. What wakes you up in the middle of the night? Are you worrying about the security of your Hardware, Software, Human Resources, Data, or Processes? After you have identified your assets, you have to identify the threats to those assets. Threats can be man-made or natural events (floods, earthquakes, accidental or intentional acts) that take advantage of an asset’s flaws and can result in a loss of integrity, availability, or confidentiality. What are your assets’ vulnerabilities? A vulnerability is a known or unknown flaw or weakness in the asset that could result in loss of integrity, availability, or confidentiality, such as a lack of security awareness training or a lack of software support for a critical application.

3. Assess Risk Importance & Risk Likelihood

Now that you are aware of what your risks are, you can begin to assess the importance and likelihood of each event actually happening. What is the likelihood of this specific event having a negative effect on the asset? If it’s not likely, should we even worry about it? The likelihood of a risk can be expressed subjectively or quantitatively (High, Medium, Low, or 1, 2, 3, 4, 5). Determining the Risk Importance means determining what the impact on the business is if an event has a negative effect on the asset.

4. Create a Risk Management Action Plan

Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid the risk. Creating your Risk Management Action Plan can look like a number of things. Your control recommendations could be to get a spare part, cross train employees, or create new policies and procedures.

5. Implement a Risk Management Plan

After you’ve developed a plan to manage your risks and determined what you’re going to do and how you’re going to do it, it’s time to implement these controls. This won’t necessarily be an overnight process, but you should now have an effective way to identify and manage your risks. The final step of mastering a Risk Assessment is knowing that in order to constantly monitor and manage your risks, you must return to Step 1.
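As an added illustration of Steps 2 through 4 (not part of the original post), here is a small risk register in Python. It accepts the post’s High/Medium/Low or 1–5 scales, combines likelihood and importance by multiplication, and maps each score to mitigate, transfer, accept, or avoid. The High/Medium/Low-to-number mapping, the thresholds, and the sample entries are all assumptions made for the example.

```python
# Added example, not code from the original post. The qualitative mapping,
# treatment thresholds and the register entries below are assumptions.
from dataclasses import dataclass

# Post's qualitative scale mapped onto its 1-5 numeric scale (assumed mapping).
QUALITATIVE = {"low": 1, "medium": 3, "high": 5}

def to_score(value):
    """Accept either 'High/Medium/Low' or an integer 1-5; reject anything else."""
    if isinstance(value, str):
        return QUALITATIVE[value.strip().lower()]
    if isinstance(value, int) and 1 <= value <= 5:
        return value
    raise ValueError(f"score must be High/Medium/Low or 1-5, got {value!r}")

@dataclass
class Risk:
    asset: str          # Step 2: Hardware, Software, People, Data or Process
    threat: str         # Step 2: man-made or natural event
    vulnerability: str  # Step 2: flaw the threat takes advantage of
    likelihood: object  # Step 3: how likely the event is
    importance: object  # Step 3: business impact if it happens

    @property
    def score(self):
        # Step 3 combined: likelihood x importance, range 1..25
        return to_score(self.likelihood) * to_score(self.importance)

def recommend(risk, accept_below=5, avoid_at=20):
    """Step 4: map a score to mitigate / transfer / accept / avoid (thresholds assumed)."""
    s = risk.score
    if s < accept_below:
        return "accept"
    if s >= avoid_at:
        return "avoid"
    if to_score(risk.importance) >= 4 and to_score(risk.likelihood) <= 2:
        return "transfer"  # rare but high-impact events are typical insurance candidates
    return "mitigate"

def action_plan(register):
    """Return risks ranked highest score first, each with a treatment."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.asset, r.threat, r.score, recommend(r)) for r in ranked]

# Constructed sample register for the example
REGISTER = [
    Risk("Data", "phishing", "no security awareness training", "High", "High"),
    Risk("Hardware", "flood", "server room in basement", 1, 5),
    Risk("Software", "unpatched bug", "critical app out of vendor support", 4, 4),
    Risk("Process", "clerk error", "no second approval on refunds", "Low", "Low"),
]
```

Calling `action_plan(REGISTER)` gives the ranked list that feeds Step 5; re-running it after controls are implemented (with updated scores) is the return to Step 1 the post describes.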

For help with conducting your Risk Assessment, contact us today.

Did you know it’s National Data Privacy Day? That’s right, Data Privacy is so important these days it gets its own national holiday. Here at KirkpatrickPrice, we highly value the privacy of our clients’ data and encourage them to educate their own employees about practicing security awareness in the workplace, as well as at home. Already in 2015 we are seeing security breaches daily in the headlines. What better day than Data Privacy Day to address the question,

“Are we doing everything we can to avoid a security breach at our organization?”

Today we are encouraging everyone to ask themselves that question. That’s why KirkpatrickPrice is excited to celebrate with you in this year’s Data Privacy Day by offering exclusive access to our Online Security Awareness Training Solution. Check out our current Security Awareness Training rates below, and call today to setup your demo training account. Let’s make 2015 our strongest year yet!

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

Security Awareness Training Info

Security Awareness Training Rates

Download and share this Infographic here.


Text Recap: Information Security Tips for 2015

The New Year is here, and if Information Security trends from last year are at all telling, 2015 will be a very important year to pay close attention to the security of your sensitive data. Here are 5 Information Security Tips to keep in mind to protect yourself and your organization in 2015.

  1. Cybersecurity – Organized crime in the 21st century has a new name – Cybercrime. We are all too familiar with the headlines declaring the most recent retail hack. However, in 2015, the possibility of a breach threatens not only our credit card numbers, but also healthcare information, intellectual property, personally identifiable information, and more. Now that companies are beginning to “understand” the increasing severity of these attacks, they need to fully prepare to withstand any attack by investing in security.
  2. Privacy and Regulation – Laws and regulations that mandate safeguards and the use of Personally Identifiable Information (PII) are nothing new. What’s changing? Reactionary fines have been replaced with proactive supervisory oversight. The government isn’t waiting for a breach to inspect your compliance. However, implementing appropriate safeguards only for the sake of compliance with these laws, to avoid heavy fines and penalties, can be dangerous. Privacy should be looked at from a risk-based perspective. Following these laws and regulations can help prevent loss of business and reputational harm.
  3. Vendor Management – Strategic outsourcing of consumer-focused business processes comes with significant risk. According to federal legislation, the risk itself cannot be outsourced; it must be managed. Increasing governmental scrutiny has only magnified that risk. Threats from third-party providers demand that you control the supply chain. Do you have evidence to support that your vendors are compliant?
  4. Wearable Technology – Wearable technology is everywhere. While simplifying the ability to “connect”, these new pieces of technology also introduce new risk to your organization. Be proactive about securing wearables just like any other mobile device, and make sure your BYOD policy is up-to-date and enforced. Minimize the threat of a data leak.
  5. Your Weakest Link – Your People – Everyone’s heard “you’re only as strong as your weakest link”. In the world of Information Security, this adage should be at the forefront of every business owner’s mind. Protect your people. Educate your people. Setting the tone from the top is essential when promoting healthy security awareness in the workplace. When those who “sign the checks” focus on security, everyone else will too.