Policies and procedures are nothing new in the world of information security. One of the best things you can do to secure your environment is to develop detailed policies to keep your employees educated on the proper security processes that need to be implemented within your organization.

Writing a change management policy is just one step you can take to better secure your organizational and IT systems. Every organization focuses on a different change management process, which means your organization needs to define change management policies that are specific to your processes.

So, what is change management and how can establishing a clear change management process help your organization?

What is Change Management & Why Do I Need a Change Management Policy?

Change management has grown more complex and has accumulated its own vocabulary: change management processes, policies, and procedures. What is change management, then? At its core, change management is the official method and process for making changes to an organization’s IT systems. The change management process is designed to reduce errors when changes are made to IT systems. When disruptions occur, organizations are negatively impacted, which is why writing a change management policy is so important.

For security-minded organizations, writing a change management policy is a necessary piece of developing a thorough Information Security Policy. You can ensure that your organization minimizes disruption and reduces risk through the implementation of a clear change management process. It’s about creating policies and procedures that work for your organization and not against it.

What to Include in Your Change Management Policy

There are countless types of changes that can be made to your IT systems. Which of those are important enough to be addressed in your policies?

Whether it’s an emergency change, a standard change, or a routine change (such as an application, software, or network change), your policy should define an approach for every type of change. When writing a change management policy, organizations need to keep in mind the various stages of the change management process and include policies that align with each stage.

Let’s take a look at 7 common change management stages that you should include in your change management policy:

  • Planning – Design, schedule, and plan out your changes to IT systems in this stage.
  • Evaluation – Determine the level of risk associated with the change, the change type associated with your goals, and which of the change processes to use in the implementation of the specific changes.
  • Approval – Gain approval from the responsible parties in order to initiate the changes that have been designed.
  • Communication – Inform applicable parties of the changes that can be expected, the time frame of when the changes will be initiated, and any other necessary details about the changes.
  • Implementation – Implement the changes according to the written plan and during the scheduled time.
  • Documentation – All changes, reviews, approvals, and plans must be documented according to information security standards.
  • Post-Change Review – After monitoring the implemented change, conduct a post-change review to determine whether any adjustments are necessary.

A change management policy should also include definitions surrounding organizational change management, an explanation of the types of changes, and a list of roles and responsibilities. As change is a necessary part of organizational growth, it needs to be managed securely.

Whether it’s in the form of an SDLC or an IT Asset Management Plan, developing proper procedures is the first step in securing your IT systems and processes.

Make sure you’re setting your organization up for security success by contacting KirkpatrickPrice today. Take the next step to learn more about what you can do to secure your systems.

More Change Management Resources

SOC 2 Academy: Change Management Best Practices

PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components

SOC 2 Academy: Change Control Processes

An organization may choose a combined SOC 1, SOC 2, and PCI audit for many reasons. First, there are compliance requirements. A PCI audit may be mandatory, but too narrow in scope to be useful to user entities, so a SOC 1 or SOC 2 is needed. Second, there are logistical reasons. If you have to go through all three audits, why not consolidate the effort into one process? Combining three audits into one process can also be a more cost-effective option. In any case, it’s important for organizations to know that a combined SOC 1, SOC 2, and PCI audit is an accessible, effective option – you just need to know which organizations are authorized to perform one.

Explaining SOC 1, SOC 2, and PCI Audits

What does a SOC 1 audit assess? A SOC 1 audit is an assessment of the internal controls at a service organization that have been implemented to protect client data. SOC 1 audits are performed in accordance with the SSAE 18 standard and report on the effectiveness of internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting (ICFR).

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data, but are not related to ICFR. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). The Trust Services Criteria are the foundation of the SOC 2 audit, just as the SSAE 18 is the basis of a SOC 1 audit.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally, and a PCI audit assesses compliance with this standard. The founding payment brands include Visa, MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider involved in handling cardholder data.

Both SOC 1 and SOC 2 audits must be conducted by a CPA firm, while a PCI audit must be conducted by a QSA. This makes finding a firm that is authorized to perform a combined SOC 1, SOC 2, and PCI audit much more difficult. When deciding on one firm to perform all three assessments, it must be a CPA and QSA firm. We’ve seen many organizations hire a firm that they believe meets these requirements, then later discover that the firm is actually outsourcing one portion – like a CPA firm that doesn’t employ any QSAs, so they must outsource the PCI audit. This type of firm completely negates the organization’s goal of working with one firm for one audit process.

Case Study: CBOSS

Let’s take a look at why CBOSS chose to pursue SOC 1 and SOC 2 attestations plus a PCI RoC. As a full-service payment solution provider, CBOSS offers online payment APIs, hosted payment forms, and POS integrations that must be kept secure in order to protect cardholder data. Complying with the PCI DSS is mandatory for CBOSS – it keeps them in business! But CBOSS has also elected to pursue annual SOC 1 and SOC 2 attestations to give their team, their management, and their clients a holistic view of CBOSS’ compliance efforts. With SOC 1, SOC 2, and PCI reports available, CBOSS can provide proof that their systems can be trusted and that they will deliver secure, available services.

When asked about CBOSS’ combined SOC 1, SOC 2, and PCI audit, Mike Lendvay, Security and Compliance Manager at CBOSS, said, “PCI compliance keeps us in business. The PCI framework is really detailed, but it’s only concerned with cardholder data. Meanwhile, SOC reports are all but mandatory. The SOC audits give a full report of our environment as a whole; everything that we offer to our customers is looked at during SOC audits. That’s why SOC reports are helpful – to have a single document summarizing all the controls that we utilize. It acts as reassurance to us on the operation of our environment, as well as reassurance to our customers.”

Richard Rieben, Lead Practitioner at KirkpatrickPrice, commented, “CBOSS is a great example of what happens when a team of highly-skilled personnel not only understand the frameworks involved in their SOC 1, SOC 2, and PCI assessments, but also understand that security inherently leads to compliance, not the other way around. This commitment to protecting the sensitive data their clients trust them with has yielded a significant return on investment.”

Using the Online Audit Manager

Our goal is to make SOC 1 attestations, SOC 2 attestations, and PCI RoCs more accessible to organizations who are being asked for them. In order to complete a combined SOC 1, SOC 2, and PCI audit, KirkpatrickPrice utilizes the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 1, SOC 2, and PCI audit with KirkpatrickPrice will be a more efficient, cost-effective, and accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More Resources on Combining Audits

Combining SOC 1 and SOC 2 Audits

The SOC Audit Process: Tackling Type I and II Reports

How Do I Find a QSA for My PCI Audit?

Internal Audits vs. External Audits

Is an internal audit enough? Should you utilize both internal and external audits? This is an ongoing conversation in our arena. But at KirkpatrickPrice, we know that there is power in having both perspectives, especially when it comes to conquering your compliance goals. If you want to prove to your stakeholders that you’re willing to do everything you can to take control of the cyber risks your organization faces, listen as KirkpatrickPrice’s Founder and President, Joseph Kirkpatrick, discusses the real differences between internal and external audits and how those differences could impact your organization’s compliance efforts.

According to the Institute of Internal Auditors, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal audits are useful because they are closely aligned with your organization’s objectives, are conducted by experts in your unique business rules and applications, and are carried out by people familiar with your organization’s personalities, relationships, and histories. They shouldn’t be solely relied upon, however. Internal audits are often weakened because internal audit staff develop tunnel vision; it can be difficult to keep up with current trends and issues; limited staff and resources can hold back the adoption of new techniques; and, lastly, their voice can lose influence over time.

On the other hand, external audits can strengthen your internal audit processes, as they offer independence and objectivity, subject matter experts, enhanced credibility with partners and stakeholders, and a wide array of resources to address your unique challenges.

Investing in external audits can be challenging depending on your size, personnel, experience, time, and financial resources, but at the end of the day, they can enhance your internal audit program and give you the third-party assurance you need to validate the accuracy of your internal audit findings.

Watch the full webinar on-demand now to learn more about the differences between internal audits and external audits, find out tools internal auditors should be equipped with, and more.

Independent Audit Verifies Castra Managed Services’ Internal Controls and Processes

Durham, NC – Castra Managed Services, an information security managed service provider, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Castra Managed Services has a strong commitment to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Castra Managed Services’ controls to meet the standards for these criteria.

Castra’s team states, “As a transparent managed security service provider, Castra is proud to uphold the highest level of internal controls. Over 2,000 organizations all over the world lean on Castra and expect nothing but the best. Our SOC 2 accreditation is a testament to how much we care about upholding our commitment to providing the highest level of service and transparency.”

“The SOC 2 audit is based on the Trust Services Criteria. Castra Managed Services has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Castra Managed Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Castra Managed Services’ controls.”

About Castra Managed Services

Founded in 2012 by Tony Simone and Grant Leonard, Castra has successfully deployed SIEM/SOAR and a variety of information security products and services in over 2,000 organizations globally. We work with Fortune 50 organizations as well as SMBs and everything in between. We have worked with thousands of healthcare, financial, retail, technology, and government organizations on a variety of projects that range from tailored consulting to 24×7 managed services. Visit https://castraconsulting.com/.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 1,000 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

We get a lot of questions about SOC 2 and HIPAA audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and HIPAA audit.

What are SOC 2 and HIPAA Audits?

Before we discuss how to go through a combined SOC 2 and HIPAA audit, let’s review what each of these types of audits are.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm.

The integrity of the healthcare industry relies on keeping data secure and patients safe. This, in part, was why HIPAA was created. HIPAA sets a national standard for the protection of consumers’ PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the OCR enforces compliance with the HIPAA Security, Privacy, and Breach Notification Rules.

Why a Combined SOC 2 and HIPAA Audit?

Why would a company pursue a combined SOC 2 and HIPAA audit? Depending on your services, both could be valuable for your organization. HIPAA compliance may not be an option for you – rather, it’s a requirement. But there are organizations like MSPs, cloud hosting providers, and SaaS providers that serve the healthcare industry and pursue both SOC 2 and HIPAA compliance, like Dash. These organizations have made the commitment to come at compliance from two proactive angles. Our clients who undergo a combined SOC 2 and HIPAA audit are also, in many cases, specifically asked for a SOC 2 report by their key accounts and stakeholders. Yes, a HIPAA report is valuable, but a SOC 2 attestation can add even greater assurance that PHI is secure. Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 2 and HIPAA audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 2 and HIPAA reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 2 and HIPAA audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 2 and HIPAA audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 2 and HIPAA Resources

SOC 2 Compliance Checklist

HIPAA Compliance Checklist

Why Would a Healthcare Organization Need a SOC 2 Audit?

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing