When a breach occurs in the financial services industry, it costs the compromised organization $210 per breached record – which is why we get a lot of questions about SOC 1 and PCI audits from organizations in the financial services industry. How can you protect your data from threats? Should your company complete both audits? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 1 and PCI audit.

What are SOC 1 and PCI Audits?

Before we discuss how to go through a combined SOC 1 and PCI audit, let’s review what each of these types of audits are.

What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls that a service organization has implemented to protect client data. SOC 1 audits are performed in accordance with the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting (ICFR). A SOC 1 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 1 and PCI Audit?

Why would a company pursue a combined SOC 1 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you – rather, it’s mandatory to stay in business. However, a PCI audit is strictly focused on the security of cardholder data. If clients or stakeholders want assurance of other controls in your environment, they may expect to see a SOC 1 report.

Even when you’re not required to undergo a SOC 1 audit, you could consider doing a combined SOC 1 and PCI audit to get ahead of the competition on either or both types of compliance. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 1 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 1 and PCI reports more accessible to organizations who are being asked for them, so in order to perform a combined SOC 1 and PCI audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.


The Global Impact of COVID-19

It’s been nearly two months since China confirmed an outbreak of a novel coronavirus, COVID-19, in Wuhan. With over 93,000 confirmed cases reported globally, including more than 200 in the United States, countries across the globe have started to feel the impact of the virus. Industries like manufacturing, farming, travel, healthcare, finance, banking, retail, and technology have all taken a hit from the global outbreak, forcing them to deal with delayed products, slow distribution, low earnings, and falling stock prices.

Major technology companies like Apple have begun feeling the impact of the virus as their manufacturers are slow to return to their factories in Zhengzhou, delaying the production of parts needed to manufacture the iPhone 11s. Mobile applications, like the fintech trading software, Robinhood, also have felt the brunt of the outbreak: with the stock market violently fluctuating, investors were shocked to find the software unable to handle the large volumes of people trying to trade. Similarly, airlines, such as United, have suspended international and domestic flights – a move that will ultimately end up hurting their bottom line.

No matter their industry, size, or location, all businesses are susceptible to falling victim to man-made or natural disasters, including pandemics like SARS, H1N1, and now, COVID-19. But, while pandemics may seem like they are far less likely to occur, they should still be a critical part of your business continuity planning. Why? Let’s see what KirkpatrickPrice specialists had to say about the recent, ongoing pandemic, the coronavirus.

Testing Your Business Continuity Plan

Because pandemics don’t happen very often, it can be easy for organizations to procrastinate about testing their BCP in such situations. But this only leads to chaos when an outbreak does occur. When a pandemic occurs, almost every industry in the world is impacted – manufacturing, farming, travel, healthcare, finance, banking, retail, technology – causing stock markets to crash, layoffs to occur, death numbers to rise, and panic to ensue. We see this every day in coronavirus updates. This means that not only are businesses struggling to continue production, distribute product, and earn profits, but they also have to protect their personnel.

In fact, one of the most common responses to a pandemic is isolating community members, which means it is likely that your personnel will either be required to work remotely under government orders or that your own policies will require such precautions in the event of a global outbreak. In the US, many major businesses, like Amazon, Twitter, Microsoft, and JPMorgan, have already delayed or suspended travel for employees, canceled meetings and conferences abroad, and some have even sent their employees home to work remotely until further notice. What could be the pitfall of this? While businesses think they’re doing the right thing and preventing community spread of the disease, such responses can have detrimental effects on a business if they have not been properly tested in advance.

Richard Rieben, a Lead Practitioner at KirkpatrickPrice, explains, “The biggest issue a lot of firms face [regarding pandemics] is that they will tell themselves they’re prepared for everyone to work from home and for everything to keep running exactly as it does every day. But the reality is, unless those plans are fully tested and exercised in a practical manner, there is a strong likelihood that something that was never thought of will become an issue. Real testing of BCPs (including pandemic response) is the best way to capture valuable lessons learned which will go far beyond a basic tabletop talk-through of the plan.”

What Should Your BCP Include About Pandemics?

In order to establish a robust business continuity plan to combat the effects of a pandemic, you’ll need to consider the following:

  • Who are the necessary personnel needed to ensure that critical business processes can continue?
  • Which employees must work remotely?
  • What assets do employees need to continue their day-to-day tasks from remote locations?
  • What do your network and remote access capabilities look like? Can they handle large volumes?
  • How will you ensure the security of your remote workers?
  • What change management and access management protocols must be used/controlled?
  • How will you test this plan for accuracy? Will it be annually? How often will your personnel be able to work remotely?

There’s usually no telling how long a pandemic will last, and if you fail to implement a robust business continuity plan, your company may not survive the outbreak. At KirkpatrickPrice, we partner with our clients to create, implement, and test strong BCPs so that they can feel confident when a pandemic like the coronavirus occurs. Let us help you, too. Contact us today.


Does your organization have robust processes and procedures in place to identify and contain threats in your environment? Are you confident that these processes can prevent security incidents and data breaches caused by common attack methods like malware, ransomware, DoS attacks, phishing attacks, and more?

Establishing a strong intrusion detection and prevention system (IDPS) – although these are sometimes referred to separately as intrusion detection systems (IDS) and intrusion prevention systems (IPS) – is a core component of any cybersecurity strategy.

Why is that?

First, let’s take a look at what an intrusion detection and prevention system is, and then we’ll discuss what type of intrusion detection and prevention system your organization should consider using.

What is an Intrusion Detection and Prevention System?

An Intrusion Detection and Prevention System (IDPS) monitors network traffic for indications of an attack, alerting administrators to possible attacks. IDPS solutions monitor traffic for patterns that match with known attacks. Traditionally, they used signature-based or statistical anomaly detection methods, but IDPS increasingly leverages machine learning technologies to process vast amounts of data and identify threats that signature and anomaly detection would miss.

IDPS solutions are usually deployed behind an organization’s firewall to identify threats that pass through the network’s first line of defense. Typically, an intrusion detection and prevention system accomplishes this by using a device or software to gather, log, detect, and prevent suspicious activity.

What Type of Intrusion Detection and Prevention System Do You Need?

When determining which type of intrusion detection and prevention system your organization should use, you’ll need to consider factors like the characteristics of the network environment, the goals and objectives for using an IDPS, and current organizational security policies. Ultimately, there are two types of IDS/IPS: network-based and host-based. A network-based IDPS runs on network segments, including wireless networks or any other selected network segment. A host-based IDPS, on the other hand, runs on servers. The four common types of IDPS, as defined by NIST, include the following:

  1. Network-Based IDPS: This type of IDPS monitors network traffic for specific network segments and devices. It analyzes the network and application protocol activity to identify suspicious and abnormal activity.
  2. Wireless IDPS: This IDPS is a sub-type of network-based IDPS. It monitors wireless network traffic and analyzes it to identify suspicious activity involving networking protocols.
  3. Network Behavior Analysis (NBA) System: This IDPS is a sub-type of network-based IDPS. It is used to examine network traffic in order to identify threats that generate unusual traffic flows (e.g., malware, DDoS attacks, and policy violations).
  4. Host-Based IDPS: This IDPS is used to monitor the characteristics of a single host and the events occurring within that host for suspicious activity.

Should You Use Multiple Types of IDPS Technologies?

Many businesses today have complex environments, making it a necessity to deploy more than one type of intrusion detection and prevention system. However, before implementing multiple types of IDPS technologies, it’s necessary to fully evaluate the needs of your organization. In theory, using multiple types of IDPS technologies can only lead to a more secure environment, but if they’re implemented incorrectly, there could be detrimental consequences.

What Type of Detection Should Your IDPS Use?

After you’ve determined which type of intrusion detection and prevention system your organization should utilize, you’ll need to determine which detection method is right for you. Each type of intrusion detection and prevention system listed above, regardless of whether it’s network-based or host-based, has detection capabilities based on one or more of the following:

  • Signature-based: The signature-based IDS method compares observed traffic against the signatures of known attacks already stored in its database to detect attacks on your network.
  • Anomaly-based: The anomaly-based IDS method identifies abnormal behavior in your organization’s network.
  • Protocol-based: The protocol-based IDS method monitors and analyzes protocols used by the computing system.
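The three detection methods above, as an added illustration that is not code from the original post or from KirkpatrickPrice: a toy analyzer that runs a signature check, a rate-anomaly check against a baseline, and a protocol-conformance check over sample request lines. Every log line, signature, IP address, baseline value and threshold below is constructed for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample request lines: "<src_ip> <method> <path> <http_version>".
# Addresses, paths and volumes are made up for this illustration.
SAMPLE_LINES = [
    "10.0.0.5 GET /index.html HTTP/1.1",
    "10.0.0.5 GET /about HTTP/1.1",
    "10.0.0.7 GET /search?q=1+union+select+1 HTTP/1.1",  # matches a signature
    "10.0.0.7 GET /files?name=../../secret.txt HTTP/1.1",  # matches a signature
    "10.0.0.9 FOO /index.html HTTP/1.1",  # unknown HTTP method
    "10.0.0.9 GET /index.html HTTP/9.9",  # unknown HTTP version
] + ["10.0.0.12 GET /login HTTP/1.1"] * 9  # unusually high request rate

# Signature-based: patterns of known attacks, as an IDS database would store them.
SIGNATURES = {
    "sqli_union": re.compile(r"union[\s+]+select", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

# Protocol-based: what a conforming HTTP request line is allowed to look like.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
VALID_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2"}

# Anomaly-based: constructed baseline of requests per source in a normal window.
BASELINE_PER_SOURCE = [4, 5, 3, 6, 4, 5]


def parse(line):
    src, method, path, version = line.split(" ", 3)
    return {"src": src, "method": method, "path": path, "version": version}


def signature_alerts(events):
    """Flag any request whose path matches a stored attack signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((ev["src"], name))
    return alerts


def protocol_alerts(events):
    """Flag requests that do not conform to the expected protocol grammar."""
    alerts = []
    for ev in events:
        if ev["method"] not in VALID_METHODS:
            alerts.append((ev["src"], "invalid_method"))
        if ev["version"] not in VALID_VERSIONS:
            alerts.append((ev["src"], "invalid_version"))
    return alerts


def anomaly_alerts(events, baseline, sigmas=3.0):
    """Flag sources whose request count exceeds mean + sigmas * stdev of the baseline."""
    limit = statistics.mean(baseline) + sigmas * (statistics.pstdev(baseline) or 1.0)
    counts = Counter(ev["src"] for ev in events)
    return [(src, "rate_anomaly") for src, n in counts.items() if n > limit]


def analyze(lines, baseline=BASELINE_PER_SOURCE):
    """Run all three detection methods and return alerts grouped by method."""
    events = [parse(line) for line in lines]
    return {
        "signature": signature_alerts(events),
        "protocol": protocol_alerts(events),
        "anomaly": anomaly_alerts(events, baseline),
    }
```

Calling `analyze(SAMPLE_LINES)` shows each method catching a different kind of event: the signature check only sees what it has a pattern for, the protocol check only sees malformed requests, and the anomaly check only sees the source whose volume departs from the baseline.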

Regardless of which type of intrusion detection and prevention system your organization uses, it is a vital component of your cybersecurity strategy. To mitigate the advancing threats all organizations are faced with, having a robust IDPS in place is a must. If you’re looking for advice on how you can better implement an intrusion detection and prevention system in your environment, let’s chat about how KirkpatrickPrice can partner with you to ensure the security of your business.


Robinhood, an investing and trading platform, experienced every startup’s nightmare: service outages at a crucial time, leaving frustrated customers unable to trade. TechCrunch explains, “It’s perhaps the worst-timed bug in the history of the seven-year-old company, because it coincided with one of the biggest single-day gains in the history of the Dow Jones Industrial Average, and huge gains on the Nasdaq, as well. In all, markets gained $1.1 trillion in value while Robinhood users were forced to sit on the sidelines.” This outage points to a critical component for successful fintech: availability.

Fintech Case Study

In 2014, Robinhood became a “pioneer” for online, commission-free trading and was an attractive platform to millions of customers. As a startup, it raised $1 billion in capital and had a valuation of $7.6 billion, competing with E-Trade and Charles Schwab. But after continuous service outages this week, the fintech company is experiencing significant customer loss and mistrust, financial consequences, and a damaged reputation. Customers have been vocal on social media about leaving Robinhood and now the company will look at compensation for customers on a case-by-case basis.

One of Robinhood’s most blatant mistakes was the lack of communication to its customers. When there’s a service availability issue, your customers need to know what’s happening – especially what’s happening with their money. Robinhood didn’t publicly acknowledge the first outage for several hours, and the New York Times reported that when Robinhood customers reached out, they couldn’t even get a response from the support team. The outages have continued throughout the week, with no exact cause given.

Richard Rieben, Lead Practitioner at KirkpatrickPrice, commented, “System availability and contingency planning is exactly the type of thing we look at when we are performing SOC 2 assessments for fintech companies. We look at availability, and not just in the way of backups and stuff, but more so in the ability to scale, to monitor and meet surging demands, in testing high loads on your platform, and in preparing to respond to all of it.”

Growth is key to a company’s success – so why not proactively prepare your platform for all levels of growth? Let’s talk about availability and how critical it is to business continuity.

Availability in Fintech

Availability is a key concept for fintech. When you’re handling someone’s money (and data), your services need to function when you say they’re going to function. Many information security frameworks include availability topics, but under the SOC 2 Trust Services Criteria, availability is covered through requirements like:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

In the simplest terms, the availability category for SOC 2 compliance tests organizations to determine if their system is available for operation and use as agreed upon. Points of focus for the availability category include:

  • Does the entity measure the current usage to establish a baseline for capacity management?
  • Does the entity forecast the expected average and peak use of their system components?
  • Does the entity make changes to their system based on the forecasts?

In Robinhood’s case, many areas missed the mark on availability, from IT to developers to customer service. How can your organization avoid an incident like this one? Let’s talk today.


Independent Audit Verifies Oro’s Internal Controls and Processes

Los Angeles, CA – Oro, a pioneering eCommerce platform made for B2B businesses, today announced that it has completed its SOC 2 Type I audit, performed by KirkpatrickPrice. This attestation provides evidence that Oro has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design of Oro’s controls to meet the standards for these criteria.

“Security and high-quality service is a key focus of Oro,” said Dima Soroka, Oro’s CTO. “As we are being pulled up-market by large global companies, it was obvious to us that we need to deliver a secure eCommerce platform and services that can be trusted by our customers. KirkpatrickPrice helped us to achieve our goals.”

“The SOC 2 audit is based on the Trust Services Criteria. Oro has selected the security and availability criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Oro delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Oro’s controls.”

About Oro

Oro, Inc. offers a suite of open source commerce applications: OroPlatform, OroCRM and OroCommerce. OroCRM is a solution for multichannel companies, and OroCommerce, the only eCommerce platform purpose-built for B2B companies, was named by Frost and Sullivan as the No.1 B2B eCommerce product. Oro’s founders previously founded Magento and have deep experience in the eCommerce industry. They include Yoav Kutner, Chief Executive Officer; Dima Soroka, Chief Technology Officer; and Roy Rubin, director of Oro’s advisory board. For more information on OroCommerce, visit oroinc.com/b2b-ecommerce.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, connect with KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.