Independent Audit Verifies Inovatec Systems Internal Controls and Processes

Burnaby, BC: Inovatec, a cloud-based software solutions provider, today announced that it has completed its SOC 1 Type II and SOC 2 Type II audits. These attestations demonstrate Inovatec’s unwavering commitment to high-quality service for its clients by ensuring necessary internal controls and processes are in place.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of Inovatec’s controls that may affect its clients’ financial statements. SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report follows the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes Inovatec’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. The SOC 2 service auditor report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Inovatec’s controls to meet the standards for these criteria.

“The successful completion of our SOC 1/2 Type II examination audits provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices,” said Christian Reina, CISSP, CISM, CRISC, CISA, Information Security Officer at Inovatec.

“Many of Inovatec’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, Inovatec has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Inovatec.”

About Inovatec

Inovatec Systems provides industry-leading, cloud-based software solutions for any financial institution and any type of transaction. All solutions can be brought together in a single, seamless, branded platform that can be opened to external partners and customers. Capture any marketplace with a full, robust ecosystem that drives the online customer or lead to you; streamlines and facilitates the processes of crediting, auditing, funding and income verification for financing applications; and provides full servicing and portfolio analytics in the leading-edge LMS.

What Does an Effective Business Strategy Look Like?

For many businesses, it’s been a long time since the business strategy was initially developed. If it was created a few years ago, it’s likely missing cybersecurity as one of its strategic initiatives. The role of cybersecurity has dramatically changed for the C-suite and should be re-evaluated in terms of its impact on strategy.

Any successful business will have a solid definition of its mission, values, and goals. In today’s landscape, every organization is in the business of cybersecurity. It should have a significant part to play in the overall strategy for the company’s success. How can you do this? By adopting the following five best practices to integrate cybersecurity with your business strategy.

5 Ways to Integrate Cybersecurity With Your Business Strategy

Integrating cybersecurity with your business strategy shouldn’t be as painstaking as it may initially seem. Whether you’re in the beginning phases of establishing a business strategy or your organization is re-evaluating your long-term goals, you can follow these five best practices as a starting point to integrate cybersecurity with your business strategy.

1. Identify your business’ key goals and aspirations

What is the overall purpose of your organization? Evaluate the specific milestones you have set to realize that purpose and now look at them in a new way. How does cybersecurity make or break the mission? These are important considerations to integrate into your strategic initiatives.

2. Pinpoint areas of weakness in your cybersecurity hygiene

When you evaluate risk throughout the organization, C-level executives are particularly strong at considering threats impacting financial risk, competitive changes, loss of key employees, market shifts, environmental events, and other disasters. Now, add cybersecurity risk to this same equation. Don’t make the mistake of assuming an IT department is covering this base. Executives must seek out the same details on potential impact from cybersecurity threats as they do in other areas. Conducting a risk analysis can help you identify weak areas in your cybersecurity hygiene and risk-rank the vulnerabilities that need to be addressed first. You might need a third-party information security expert to provide an unbiased view of your risk. Specialists at KirkpatrickPrice can help pinpoint weak areas in your cybersecurity hygiene, advise you on how to remediate those findings, and help fine-tune your strategic initiatives.

3. Determine how your people, processes, and technology need to evolve

The cybersecurity landscape is constantly changing, and you need to make sure that your people, processes, and technology are able to swiftly adapt. Humans are generally the root cause of security incidents – whether it’s out of ignorance or deceit – and so it’s up to your organization to ensure that all personnel understand the cyber threats they’re faced with on a day-to-day basis. Requiring annual, thorough security awareness training is one way to do this. As for your processes and technology, how often do you update them to meet information security best practices? Do you conduct internal audits to validate the security of your processes and technology? Are you making investments in technology that will improve the cybersecurity of your organization?

4. Implement a strategy for cybersecurity best practices

Once you’ve identified your key goals and aspirations, identified areas of weakness in your cybersecurity hygiene, and found ways that your people, processes, and technology need to evolve, you need to decide how exactly you’ll be implementing these five best practices. Will you use a framework like NIST to guide your efforts? Will it require you to partner with an MSP or hire more IT personnel? Do you need to hire an independent, third-party firm to validate your cybersecurity efforts?

5. Leverage cybersecurity and compliance for success

Strategic planning is what guides all that you do in your organization. Cybersecurity and compliance are strategic initiatives that serve as benchmarks for your business. Do we have a cybersecurity mission? Have we identified our cybersecurity goals? What are the plans to get there? Have we defined the resources we need? Are we monitoring our progress to quantify success? Ultimately, these will become strengths that are important to your clients and other stakeholders. You might train your sales and marketing teams on how to communicate your strategic differentiation in the market because of your cybersecurity and compliance strengths. Leading firms have a dedicated cybersecurity landing page on their website that explains the “why” behind cybersecurity and how it serves as a strategic goal in their business.

All in all, cybersecurity can no longer be an afterthought or kept at arm’s length from the boardroom. It must be a proactive effort, one that is ingrained in the company culture and strategic purpose. If your business is struggling to adopt these five best practices to integrate cybersecurity with your business strategy, let’s find some time to talk about how we can help you.

Every penetration testing firm has unique processes for conducting penetration tests. While there are standards that influence penetration tests, like the OWASP Top Ten, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES), the truth is not all penetration tests are created equally. When hiring a firm to conduct your penetration tests, having a thorough understanding of their methodologies is imperative. How will the firm you’ve hired help you remediate findings? Will they offer detailed insights and strategies for remediation? Will they re-validate what you’ve remediated? A firm focused on advanced, personal service will do exactly that. That’s why KirkpatrickPrice has a 30-day retesting policy.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s assets, including people, systems, and locations. The purpose of pen testing, as part of your ongoing risk management practices, is to find vulnerabilities that could potentially be exploited by a malicious hacker. However, pen testing firms that are committed to helping their customers get the most out of their investment know that delivering a penetration test report is only the first part of the service. An exceptional pen tester mindset focuses on providing guidance to remediate the findings and, ultimately, helping the client improve their security methods.

KirkpatrickPrice’s Commitment to Your Security Needs

When prospects approach us about undergoing a penetration test for the first time, or perhaps they’ve had a bad experience with another penetration testing firm in the past, they’ll question how KirkpatrickPrice’s pen testing methodologies will prepare their organization against the advancing threats of today’s cyber landscape. It’s simple. We use tried-and-true methodologies that have helped keep our clients secure, including:

  1. Information Gathering
  2. Reconnaissance
  3. Discovery and Scanning
  4. Vulnerability Assessment
  5. Attack and Exploitation
  6. Final Analysis and Review
  7. Implement the Remediation Guidance
  8. 30-Day Retesting Period

Benefits of Retesting

KirkpatrickPrice is well aware that the security of your organization is not something to take lightly. This is why, when we conduct our quality, thorough pen testing services, we do everything possible to help you get the most out of your engagement, including providing free resources, access to Information Security Specialists, and a 30-day retesting period to test the changes you make after the engagement concludes. What are the benefits of the 30-day retesting policy?

According to KirkpatrickPrice pen tester, Stuart Rorer, “The 30-day retesting policy provides our clients with the ability to have any issues, previously discovered in the pen test, reassessed to see if the remediations have been effective.” This means that when you remediate vulnerabilities over this 30-day retesting period you could:

  1. Save your organization from a costly, embarrassing data breach
  2. Demonstrate your organization’s commitment to security
  3. Prove to stakeholders that you’re willing to do everything possible to protect their investments
  4. Ensure the security of a product before you take it to market
  5. Give your customers peace of mind

For those who may argue that 30 days post-engagement isn’t enough to remediate vulnerabilities, Rorer makes a critical point: “Having a pre-determined test window also provides the client with a level of accountability, and helps set a timeline goal to have issues remediated. The longer the vulnerabilities remain present, the more likely they can be exploited.” In addition, many compliance frameworks require that you remediate high-risk findings and also test your system after any significant changes.

The 30-day retesting policy at KirkpatrickPrice is optional, but we encourage all of our clients to take advantage of the benefits of re-testing, implementing changes, and validating the security of their networks and systems. After all, a data breach is only a matter of when, not if, it will occur. Make sure your organization receives quality, thorough pen testing services – talk to an expert today. We’re here to help!

What’s the purpose of an employee handbook? Why are you required to have a detailed employee handbook to be compliant with information security standards? What should you include in your employee handbook to meet these standards? These are all great questions you might have when you’re preparing for an audit. Let’s start with a quick explanation of the purpose of an employee handbook and how a well-designed handbook can add to your information security policy.

Why Does an Employee Handbook Matter to Your Information Security Policy?

Your employee handbook is the center of your company culture. It answers the questions that your employees have about your policies surrounding employee conduct, benefits, and more. Without it, your organization wouldn’t have a standardized way of addressing these general employment topics and employees wouldn’t know what is expected of them in the workplace. If this baseline isn’t established, how could you expect your employees to follow other, more complex policies?

On the most basic level, your employee handbook should include the following sections:

  • General Employment
  • Employment Status and Record Keeping
  • Working Conditions and Hours
  • Employee Conduct
  • Employee Benefits
  • Timekeeping and Payroll

While this list of policies to include in an employee handbook isn’t exhaustive, it is a great example of where you can start developing information security policies that will help you comply with information security standards.

The purpose of developing strong information security policies is to minimize risks to your organization and protect against vulnerabilities. By giving your employees clear guidelines on security procedures, you’re enabling your organization to be better protected against security risks. Whether you’re completing a HIPAA audit or a SOC 2 audit, you can expect your information security policies to be tested for clarity, detail, and accuracy.

So, what role does your employee handbook have in an information security audit? In any audit, you will be asked to provide your employee handbook, and it will be reviewed for clarity, detail, and accuracy. It’s important for your employees to understand your policies comprehensively in order to put proper security procedures in place. If they don’t understand your employee conduct policy, could that lead to malicious activity? If they aren’t aware of your Internet usage policy, could that open your organization up to more risks? On the other hand, if you don’t have an employee handbook, how can your auditor gauge the integrity and culture at your organization?

At KirkpatrickPrice, our clients upload their employee handbook and other information security policies into the Online Audit Manager for auditors and audit support staff to review. Instead of sending files back and forth insecurely, you can do it all in a simple action in the Online Audit Manager. This is all part of our streamlining process so that most of the work involved in the audit is done online.

Make sure you’re working with an auditor, like our senior-level Information Security Specialists at KirkpatrickPrice, who will properly review your employee handbook and other information security policies during the audit process. Don’t wait until it’s too late to make sure your policies comply with information security standards. Contact us today!

As more and more governing bodies implement data privacy laws, it’s becoming even more important for organizations to mitigate gaps in their systems before they are met with a data breach and hefty fines. We can already see the effects that laws like GDPR and CCPA have had on the privacy and security landscape. Take it from British Airways’ experience: the airline was fined $228 million for leaking 500,000 customers’ personal data and violating GDPR. That’s just the cost of the fine, not what it cost the organization to respond to and contain the breach. In a day and age where personal data is valuable to malicious individuals, you need to take every measure to protect your data by avoiding the common privacy gaps that many organizations get trapped in.

10 Most Common Privacy Gaps to Mitigate

After evaluating several organizations’ responses to security breaches, we noticed a common thread of areas that are susceptible to hackers. Closing these top 10 privacy gaps should be your first line of defense against malicious individuals. To reduce security risks and improve your privacy procedures, take note of these common privacy gaps:

  1. Data Mapping: To protect the privacy of secure data, you must know where that secure data is and who has access to it. Data mapping should be a priority in creating proper records of your systems.
  2. Device Management: Data encryption, anti-malware software, and strong passwords are all important parts of device management that help to increase the security of private information.
  3. Application Development: Whether it’s secure practices for logging personal data or creating clear terms and conditions, you need to be implementing secure procedures for personal data in the application development stage.
  4. Breach Notification: When a breach occurs, certain governing bodies must be informed of the breach according to the regulatory standards. Developing a thorough breach notification policy is necessary to mitigate common privacy gaps.
  5. Privacy Policies: When you gather personal data from any individual, they need to have access to a privacy policy with clear, understandable language that explains their privacy rights. Whether in the form of an online privacy policy statement or a written posting, you need to construct privacy policies that meet regulatory requirements and review them annually.
  6. Security Testing: In order to respect the privacy rights of your customers, you need to also keep their data secure. Diligent security testing in the form of vulnerability scanning or penetration testing should be conducted annually, or as big organizational changes occur to keep personal data private.
  7. Employee Training: All employees should be trained to uphold privacy laws and implement proper procedures to protect secure data. Training should occur at least once yearly.
  8. Documentation: Documenting all handling of PII as it is transferred throughout your organization is an integral part of avoiding common privacy gaps.
  9. Continuous Monitoring: You can further protect private information by implementing continuous monitoring of your organization’s processes to be notified of risks and gaps that need to be addressed.
  10. PII Retention and Destruction: To properly handle PII, you must also develop policies to determine how long you retain the data and implement detailed procedures for disposal of the data.

Learning to Adapt and Minimize Privacy Gaps

As privacy laws change and new regulations are enforced, your organization needs to be prepared to adapt to the ever-shifting landscape of information security. Whether that looks like investing in yearly penetration tests or implementing a thorough risk analysis, you need to start minimizing these common privacy gaps if you want to stay on top of changes in privacy law. Adaptation is key to avoiding hefty fines and loss of personal data. Don’t be another organization that falls victim to a hacker’s malicious intent because you weren’t mitigating known common privacy gaps. Contact KirkpatrickPrice today to learn how you can continue protecting your secure data.