As with all software and technology, vulnerabilities are bound to be found and updates will need to be made. For this reason, organizations must have a patch management plan in place. But many entities that are just starting to create their information security management plan, or that lack the experience, personnel, or resources needed to execute patch management, are likely asking basic questions: What is patch management? How do you conduct patch management? What is the difference between automated and manual patch management? Should you use patch management software? Read on to learn the answers to these questions and more.

What is Patch Management?

According to NIST, “Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems.” In practice, it means replacing code that attackers are likely to exploit and updating the security features of the software you run.

Why is Patch Management Important?

Patch management is an integral component of vulnerability management, and your organization must be vigilant in implementing it, especially in the current cyber climate, where malicious individuals and organizations are quick to exploit vulnerabilities left open by patch management negligence (see the breaches caused by WannaCry, NotPetya, and SamSam).

10 Steps to Conduct Patch Management

Establishing a robust patch management plan boils down to following these 10 steps:

  1. Inventory all IT assets
  2. Categorize and risk-rank assets
  3. Identify applicable patch management requirements (e.g., NIST 800-53, PCI Requirement 6.2, and SOC 2 Common Criteria 7.5)
  4. Create and implement a patch management policy
  5. Regularly monitor and scan all networks and devices to locate vulnerabilities and missing patches
  6. Test patches
  7. Document all changes
  8. Implement patches
  9. Audit patches to determine if they were successful or not
  10. Report patches to stakeholders, business partners, and clients
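The ten steps above are easier to reason about when the data flow is written down. The following Python script is an added example, not code from the original article or from KirkpatrickPrice: it runs a single patch cycle over a constructed in-memory inventory, covering inventory (step 1), risk ranking (step 2), gap detection (step 5), change logging (step 7), deployment (step 8, simulated), a post-deployment audit (step 9) and a stakeholder report (step 10). Every asset name, product, version, patch ID and severity is invented for illustration; in a real environment the inventory would come from a CMDB and the patch feed from vendor advisories.

```python
"""Patch management cycle over a constructed asset inventory.

Added example, not from the original article. Asset names, products,
versions, patch IDs and severities are all made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # step 2: 1 (low) .. 5 (business critical)
    installed: dict                  # product -> installed version string
    change_log: list = field(default_factory=list)   # step 7: every change recorded


@dataclass(frozen=True)
class Patch:
    patch_id: str
    product: str
    fixed_version: str               # installed versions below this are unpatched
    severity: int                    # 1 (low) .. 5 (critical), from the advisory


def version_tuple(version):
    """'2.4.10' -> (2, 4, 10) so comparisons are numeric rather than lexical."""
    return tuple(int(part) for part in version.split("."))


def build_inventory():
    """Step 1: constructed inventory (fresh objects on every call)."""
    return [
        Asset("db-prod-01", 5, {"exampledb": "12.1.3", "sshd": "8.9"}),
        Asset("web-prod-01", 4, {"examplehttpd": "2.4.1", "sshd": "8.9"}),
        Asset("kiosk-lobby", 1, {"examplehttpd": "2.4.1"}),
    ]


PATCH_FEED = [  # step 5: constructed advisory feed
    Patch("EX-2024-001", "exampledb", "12.1.5", 5),
    Patch("EX-2024-002", "examplehttpd", "2.4.3", 3),
    Patch("EX-2024-003", "sshd", "9.0", 4),
]


def missing_patches(asset, feed):
    """Step 5: patches for products that are installed below the fixed version."""
    return [p for p in feed
            if p.product in asset.installed
            and version_tuple(asset.installed[p.product]) < version_tuple(p.fixed_version)]


def prioritize(inventory, feed):
    """Steps 2 and 5: rank work items by asset criticality x patch severity."""
    work = [(a.criticality * p.severity, a, p)
            for a in inventory for p in missing_patches(a, feed)]
    return sorted(work, key=lambda w: (-w[0], w[1].name, w[2].patch_id))


def apply_patch(asset, patch, succeeded):
    """Steps 7 and 8 (simulated): update the version only on success, log either way."""
    if succeeded:
        asset.installed[patch.product] = patch.fixed_version
    asset.change_log.append((patch.patch_id, "applied" if succeeded else "failed"))


def audit(inventory, feed):
    """Step 9: re-scan after deployment; trust the scan, not the tool's own status."""
    return {a.name: [p.patch_id for p in missing_patches(a, feed)] for a in inventory}


def report(audit_result):
    """Step 10: stakeholder summary of coverage and remaining gaps."""
    total = len(audit_result)
    compliant = sum(1 for gaps in audit_result.values() if not gaps)
    return {"assets": total, "compliant": compliant,
            "coverage_pct": round(100 * compliant / total, 1) if total else 0.0,
            "still_missing": {n: g for n, g in audit_result.items() if g}}


def run_cycle(inventory, feed, fail_on=frozenset()):
    """One full cycle; `fail_on` simulates hosts the tooling could not reach."""
    for _score, asset, patch in prioritize(inventory, feed):
        apply_patch(asset, patch, succeeded=asset.name not in fail_on)
    return report(audit(inventory, feed))


if __name__ == "__main__":
    inv = build_inventory()
    for score, asset, patch in prioritize(inv, PATCH_FEED):
        print(f"{score:2d}  {asset.name:<12} {patch.patch_id}")
    print(run_cycle(inv, PATCH_FEED, fail_on={"kiosk-lobby"}))
```

The `fail_on` parameter exists to show why step 9 matters: the audit re-scans installed versions rather than reading back the deployment tool's own status, so a host that was never reached shows up in `still_missing` instead of being silently counted as patched.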

Automated Patch Management vs. Manual Patch Management

It’s likely that patches will need to be applied on a regular basis. For this reason, using automated patch management processes is the most effective way to ensure that patches are addressed on a timely, regular basis. By using an automated patch management system, your organization will also save time and financial resources. However, there are instances when manual patch management processes are also useful. For example, when certain software and technologies are not supported by automated patch management, manual patch management techniques should be used.

Should You Use Patch Management Software?

Using patch management software is useful for making sure that all devices on your network are up to date. However, there are a few pitfalls to using patch management software, including:

  • Updates might not be installed across your entire infrastructure
  • The possibility of interruptions to other devices/software
  • A limited ability to patch third-party applications
  • Patch status records that are not kept up to date

Staying on Top of Patches

While opinions differ on how often you should install patches, it’s a best practice to patch software, networks, and other technologies continuously. However, “continuously” is a rather ambiguous term, and according to a 2019 Ponemon report, only “31% of respondents are scanning more than once a month, half are only scanning quarterly or have no formal schedule at all, and less than half use up-to-date software patching to avoid data breaches.”

So, what patches should you be looking for? Most commonly, organizations should keep a close eye on patches from common OS and software providers like Microsoft, Linux, Mac, and AWS.

  • Microsoft/Windows OS: Microsoft regularly publishes software updates on Tuesdays (aka “Patch Tuesdays”) and all updates can be located here.
  • Oracle/Linux OS: Oracle houses all of their critical patch update advisories, security alerts, and bulletins here.
  • Apple/Mac OS: Apple frequently updates this list of software updates and patches.

Need a more in-depth conversation about patch management? Do you need guidance on how to implement patch management best practices? Contact us today to see how KirkpatrickPrice can keep you ahead of vulnerabilities in your software.

More Patch Management Resources

Hardening and System Patching

How to Build an IT Asset Management Plan

The Dangers of End-of-Support Operating Systems

Independent Audit Verifies XPERTECHS’ Internal Controls and Processes

Ellicott City, Maryland – XPERTECHS, a managed IT services provider, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that XPERTECHS has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of XPERTECHS’ controls to meet the standards for these criteria.

“It is a priority at XPERTECHS to have the proper processes and controls in place to keep our environment as secure as possible,” said Michael Mellott, President of XPERTECHS. “By achieving successful SOC 2 Type I and II audits, XPERTECHS is demonstrating our commitment to security for our clients and prospective customers.”

“The SOC 2 audit is based on the Trust Services Criteria. XPERTECHS has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “XPERTECHS delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on XPERTECHS’ controls.”

About XPERTECHS

XPERTECHS is a Microsoft Gold Partner company offering a full range of services including Microsoft network solutions, LAN and WAN connectivity, Proactive IT Managed Services (XperCARE), Cloud Solutions (CLOUD XPERIENCE), Office 365 Implementations, and Network Security. Their focus is on delivering high quality Networking, Proactive Management, IP Telephony and Internet Solutions that are critical to solving information needs of their clients.

We get a lot of questions about SOC 2 and PCI audits. Should your company do both? Are you able to consolidate multiple audits into one project? KirkpatrickPrice has developed the Online Audit Manager to make it easier to combine multiple audits into one project. Let’s talk through why and how you would take on the project of a combined SOC 2 and PCI audit.

What are SOC 2 and PCI Audits?

Before we discuss how to go through a combined SOC 2 and PCI audit, let’s review what each of these types of audits are.

A SOC 2 audit is an assessment of the internal controls at a service organization that protect client data. The SOC 2 audit was designed to determine if service organizations are compliant with the principles of security, availability, processing integrity, confidentiality, and privacy (also known as the Trust Services Criteria). A SOC 2 audit must be conducted by a CPA firm.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands include Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA.

Why a Combined SOC 2 and PCI Audit?

Why would a company pursue a combined SOC 2 and PCI audit? Depending on your services, both could be valuable for your organization. PCI compliance may not actually be an option for you; rather, it’s a requirement. There are a couple of different scenarios in which you would pursue a SOC 2 attestation along with your PCI RoC. You could have clients that appreciate your PCI compliance but also specifically ask for a SOC 2 report from you. Or, in other circumstances, your clients may not know the value of your PCI RoC, so they require a SOC 2 report. Even when you’re not required to undergo a SOC 2 audit, though, you could consider doing a combined SOC 2 and PCI audit to get ahead of the competition on either or both types of compliance.

Whenever your clients (especially key accounts) or stakeholders have specific compliance requirements, it’s always a wise decision to do your due diligence and know what your options are for meeting their requirements and industry standards. To effectively ensure that your controls meet the demands of the variety of clients and stakeholders that you serve, you should know that a combined SOC 2 and PCI audit is an option.

Using the Online Audit Manager

Our goal is to make SOC 2 and PCI reports more accessible to organizations who are being asked for them, so in order to complete a combined SOC 2 and PCI audit, we utilize the Online Audit Manager. The Online Audit Manager is an online audit delivery tool that maps the requirements of each framework to one another so that you can capitalize on your resources instead of answering the same question over and over again on separate audits – all with the goal of saving your organization’s time, effort, and money. Completing a combined SOC 2 and PCI audit with KirkpatrickPrice will be a more efficient, accessible process for your organization. Interested in more specifics on how this works? Let’s set up a demo of the Online Audit Manager.

More SOC 2 and PCI Resources

4 Reasons to Start a PCI Audit Right Now

Using the Online Audit Manager to Complete Multiple Audits

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

Online Audit Manager

Multi-Audit Delivery for ProntoForms

Because of the complexity of today’s security threats, many organizations must pursue multiple compliance goals to protect their systems. Take ProntoForms, a low-code application platform that helps users deploy field apps to reliably complete field work and collect data that bolsters field service, fleet, safety, and asset management systems. ProntoForms’ users are often in environments with complex equipment and processes, like hospitals, construction sites, heavy manufacturing factories, and upstream oil sites. Because of the services they provide and the industries they serve, ProntoForms needed to gain a SOC 2 attestation and HIPAA compliance to demonstrate their due diligence.

When pursuing multiple compliance goals, it’s crucial to find an auditing firm that has the technology and expertise to not only streamline your process, but that also uses your resources in the most responsible way. At KirkpatrickPrice, we utilize our Online Audit Manager to do so. Let’s discuss the common challenges that come along with pursuing multiple compliance objectives and the solutions we provide.

The SOC 2 and HIPAA Journey

There’s always a fear of the unknown when approaching an audit for the first time – especially when you hope to do two at once. What will it entail? Will you pass? Can you even do two audits at the same time? When ProntoForms found KirkpatrickPrice, they were looking for a firm with the ability to perform a customized audit that would accommodate both SOC 2 and HIPAA audits. Since our partnership began in 2017, ProntoForms has utilized KirkpatrickPrice’s Online Audit Manager to undergo a customized, multi-audit process and successfully gain annual HIPAA compliance and SOC 2 attestations, including the expansion from SOC 2 Type I to Type II.

For a combined SOC 2 and HIPAA audit, the Online Audit Manager maps SOC 2 and HIPAA requirements and consolidates the questions so clients can see the project in front of them in a practical way. Glenn Chenier, Chief Product Officer at ProntoForms, said, “It didn’t feel like we were doing two audits, we just had a larger question set. Working in the portal and with an auditor helped us feel like we had a realistic expectation for the project size.” This is the exact mission of the Online Audit Manager – to make audits more approachable and empower your team to meet compliance obligations.

Using the Online Audit Manager

When an organization asks why they should partner with KirkpatrickPrice, the Online Audit Manager is impossible to ignore. When Joseph Kirkpatrick began his career in the information security industry, he noticed a major gap: a way to perform multiple audits through a single process. So, what did he do? He created the Online Audit Manager and KirkpatrickPrice was the first authorized company to provide multiple audits through an online portal process. If you’re wondering how you can meet all of your compliance goals, let us walk you through an Online Audit Manager demo and discuss your compliance plan. With KirkpatrickPrice, it may be more achievable than you think!

More Online Audit Manager Resources

Choosing the Online Audit Manager: One Tool, Multiple Audits

Was the Audit Worth It?

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

Data Backups and Recovery Go Hand-in-Hand

When a data breach happens at your organization, whether you’re hit by a ransomware attack or an advanced DoS attack, or an internal actor mistakenly deletes company records, you need to ensure that your data is properly backed up. A data backup is an up-to-date copy of your company’s data that is stored in a separate system or medium (e.g., a file, a hard drive, or the cloud) and is used to protect your organization’s assets in the event of data loss, including data breaches, accidental loss, theft, or natural disasters. In other words, data backups and recovery should go hand-in-hand.

4 Data Backup Best Practices

The concept of data backups is quite simple, but it’s one that many organizations have trouble implementing whether due to lack of resources, personnel, or time. For those questioning how to back up data, consider using these four data backup best practices.

1. Use Remote Storage

Storing backups only on-site poses a serious risk. If your entire system is compromised, or if a natural disaster takes out your entire facility, the data backup will likely be lost along with it. Because of this, data backup best practices include storing data backups in an off-site location, whether that is another physical location or the cloud. However, Lead Practitioner at KirkpatrickPrice, Richard Rieben, explains, “Just because you’re in the cloud, it doesn’t mean you don’t need offline backups. The bottom line is, all organizations need to back up their data online and offline.”

2. Schedule Frequent Backups

Having current, up-to-date backups is essential to the continuity of your business. When establishing a data backup program, consider utilizing built-in backup programs, like those provided in Microsoft and Apple products, or set a time-based schedule, such as backing up every day, week, or month. To ensure that data backups aren’t neglected, it’s a best practice to automate backups.

3. Encrypt Backups

If your data backups are not encrypted, they can easily be compromised if the backup media is stolen, misplaced, or otherwise exposed. For this reason, encrypting backups is one of the top data backup best practices. Encryption adds an extra layer of security to your backups and gives you peace of mind that your data is secure in the event that you have to use your disaster recovery plan.

4. Determine and Comply with Retention Requirements

Are you aware of the data backup retention requirements that your organization must comply with? In this new age of data privacy laws, like GDPR and CCPA, you must know which data backup retention requirements apply to your business. These laws make data backup retention requirements a bit ambiguous because of the “right to erasure” requirements that entities must comply with: organizations must know which data they are required to back up, which data they must delete, and more. This is also the case when dealing with highly sensitive data, like protected health information or payment card data.

Knowing your data backup retention requirements also helps limit the amount of data you must store: older, out-of-date backups, data that is no longer in use, and data that no longer supports the activities of your organization should all be deleted.
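Best practices 2 and 4 above are usually implemented together as a scheduled job that verifies the newest backups and prunes the ones that have aged out of the retention policy. The script below is an added example, not code from the original article or from KirkpatrickPrice. It builds a constructed catalogue of daily backups (the contents, dates and a deliberately truncated copy are all made up), applies a grandfather-father-son retention schedule with hypothetical limits of 7 daily, 4 weekly and 12 monthly copies, and recomputes each backup's SHA-256 digest to detect a failed or damaged backup before anything older is deleted. Encryption of the backup media is outside what this example shows.

```python
"""Backup retention pruning with integrity checking over constructed backups.

Added example, not from the original article. The catalogue, its contents
and the retention limits are invented; a real job would read the catalogue
from the backup system and the limits from the organization's policy.
"""
import hashlib
from datetime import date, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_backups(days=40, start="2024-01-01", corrupt_day=None):
    """Constructed catalogue: one backup per day, digest recorded at backup time."""
    first = date.fromisoformat(start)
    backups = []
    for i in range(days):
        taken = first + timedelta(days=i)
        payload = f"records-as-of-{taken.isoformat()}".encode()
        digest = sha256_hex(payload)                 # recorded when the copy was written
        if taken.isoformat() == corrupt_day:         # simulate a truncated upload
            payload = payload[:-1]
        backups.append({"taken": taken, "data": payload, "expected_sha256": digest})
    return backups


def retention_plan(backups, today, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Grandfather-father-son schedule: keep the newest daily copies, the newest
    Sunday copies and the newest first-of-month copies; everything else ages out.
    Returns (keep, delete) so the deletions can be reviewed before they run."""
    ref = date.fromisoformat(today)
    ordered = sorted(backups, key=lambda b: b["taken"], reverse=True)
    daily = [b["taken"] for b in ordered if (ref - b["taken"]).days < keep_daily]
    weekly = [b["taken"] for b in ordered if b["taken"].weekday() == 6][:keep_weekly]
    monthly = [b["taken"] for b in ordered if b["taken"].day == 1][:keep_monthly]
    keep_dates = set(daily) | set(weekly) | set(monthly)
    keep = [b for b in ordered if b["taken"] in keep_dates]
    delete = [b for b in ordered if b["taken"] not in keep_dates]
    return keep, delete


def verify(backups):
    """Backup-failure monitoring: recompute each digest and compare with the catalogue.
    Returns the ISO dates of copies that no longer match."""
    return [b["taken"].isoformat() for b in backups
            if sha256_hex(b["data"]) != b["expected_sha256"]]


def prune(backups, today, **limits):
    """Apply the retention plan, but refuse to delete anything while a retained
    copy fails verification: the older copies may be the last good ones."""
    keep, delete = retention_plan(backups, today, **limits)
    failures = verify(keep)
    if failures:
        return backups, [], failures
    return keep, delete, []


def kept_dates(backups):
    return sorted(b["taken"].isoformat() for b in backups)


if __name__ == "__main__":
    keep, delete, failures = prune(make_backups(), "2024-02-09")
    print(f"keep {len(keep)}, delete {len(delete)}, failures {failures}")
    print("retained:", ", ".join(kept_dates(keep)))
    keep, delete, failures = prune(make_backups(corrupt_day="2024-02-08"), "2024-02-09")
    print(f"keep {len(keep)}, delete {len(delete)}, failures {failures}")
```

The hold-everything behaviour in `prune` is the point of combining the two practices: deleting aged-out copies on the same run that discovers a damaged current copy is how an organization ends up with no usable backup at all, and the SOC 2 wording quoted in the next section ("monitoring to detect back-up failures, and initiate corrective action") is satisfied by the `failures` list feeding a ticket rather than a delete.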

Common Framework and Legal Requirements for Data Backups

Data is now the world’s most valuable asset, and many information security frameworks address securing such assets by requiring robust data backup practices. Take a look at some of the common framework and legal requirements for data backups.

  • SOC 2: According to Availability Criteria 1.2, service organizations must “authorize, design, develop or acquire, implement, operate, approve, maintain, and monitor environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.” It also reiterates that entities should have “procedures … in place for backing up data, monitoring to detect back-up failures, and initiate corrective action when such failures occur.”
  • PCI DSS: PCI Requirement 9 says that entities must restrict physical access to cardholder data. Elaborating on this, PCI Requirement 9.5.1 says, “Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.”
  • HIPAA: Under the HIPAA Security Rule, 45 CFR § 164.308(a)(7)(ii)(A), business associates and covered entities must establish a contingency plan, including a data backup plan, that details a response to any emergency situation that damages systems that contain ePHI.

In today’s threat climate, data breaches are inevitable. Are your data backup retention policies up-to-date with the current framework and legal requirements? Are your data backups and recovery processes aligned? Let us help you ensure the security of your data backups by evaluating if your organization has implemented these four data backup best practices. Contact us today to get started.

More Information Security Resources

Encrypted Backups: What They Are and Why to Use Them

Auditor Insights: Business Continuity and Disaster Recovery Plans for the Cloud

Incident Response Planning: 6 Steps to Prepare Your Organization