Regardless of the products they offer or the industries they serve, there’s one thing all software companies have in common: the responsibility of securing user data. With an advancing threat landscape, ensuring that an organization’s software remains as secure, available, and confidential as the market expects has become more difficult. Recognizing this, our client Ziflow, the leading enterprise online proofing software solution for agencies and brands, continues to pursue and achieve SOC 2 compliance, serving as a prime example of just how valuable SOC 2 attestations are for software companies.

What is a SOC 2 Audit?

A SOC 2 audit is perfect for software companies that want to reassure their clients that their information is secure, available, and confidential. It has become increasingly common for organizations to request that their vendors obtain a SOC 2 attestation so they can ensure that the software organizations they work with have strong security postures.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.

For Ziflow, a SOC 2 audit was an obvious investment. Their CEO, Anthony Welgemoed, explains, “For any software business, security is a primary consideration. It’s a bit like insurance. You don’t know what will happen and you might need it. We’re dealing with other people’s data. Ziflow doesn’t own that data and we are being granted the responsibility of protecting it. We want to make sure that our entire company understands how serious that responsibility is and that we have the correct processes in place to ensure that we safeguard our customers’ data.”

How Can SOC 2 Audits Keep Software Companies Protected from Cyber Threats?

Software companies rely on user data to fuel their business, but the increasing number of cyber threats that software companies face makes it difficult to ensure that user data remains secure. From accidental or deliberate human errors to malicious attacks, software companies must make it a priority to identify and mitigate any vulnerabilities in their software so that these threats don’t lead to a data breach – and that’s where a SOC 2 audit can help. Our KirkpatrickPrice Information Security Specialists will work to uncover potential vulnerabilities in your software and will provide remediation strategies and guidance to ensure that your organization’s software and data remain secure, available, and confidential.

After Ziflow’s experience with KirkpatrickPrice performing their SOC 2 audits over the years, Welgemoed says, “[KirkpatrickPrice] auditors have a lot of different experiences. They audit very different software companies and perform different types of audits. They’ve seen a lot more, so they can give organizations valuable ideas, and if they find a gap in your organization, they will provide you with remediation tactics.” When it comes to securing your organization’s software, then, partnering with an organization that has expertise working with and auditing various types of software is crucial, especially if you want to get the most out of your investment in information security audits. By doing so, you’ll get objective insight into the security of your software, find new ways of remediating vulnerabilities, and your auditor might even find vulnerabilities that your internal audit team missed.

How Can Software Companies Leverage SOC 2 Compliance?

SOC 2 compliance is more than just an item to check off a to-do list. While many software companies are asked to pursue compliance by clients, proactively pursuing SOC 2 compliance can help lead to more lucrative partnerships. For instance, Welgemoed says, “Once you’ve achieved SOC 2 compliance, there’s the commercial value to it. When we deal with any prospect, whether it’s a small or large enterprise, they get the benefit of the security that we have in place. We might have competitors that might be a bit cheaper, but they don’t necessarily have the security policies confirmed by a third-party auditor. Some of our biggest deals wouldn’t have closed if we weren’t SOC 2 compliant.” This is the competitive advantage that makes pursuing SOC 2 compliance so valuable for software companies. Think of it this way: if you can’t prove to prospects and clients that you provide the most secure software available on the market, why would they want to work with you? There are plenty of other software options out there – use your SOC 2 compliance as leverage against your competitors.

Ziflow understands that security is a primary consideration for software companies, and they’ve taken the proactive steps to ensure that they are as secure as possible. Are you ready to follow Ziflow’s footsteps and secure your organization’s software? Contact us to learn more about how KirkpatrickPrice’s SOC 2 audit aligns with your compliance objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

What is the Purpose of the SOC 2 Privacy Category?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

The convenience and accessibility of wireless technology make it an integral part of business today. No cords, no cables – just waves of information streaming to your device of choice. Unfortunately, wireless technology is just as susceptible to a malicious attack as any other type of technology.

From poor wireless security configurations to choosing a flawed encryption scheme, there are many things that can go wrong. How is your internal network segmented from the network you give to guests? Could your passwords be guessed by brute force? How easily could wardriving efforts compromise your network? That’s what we are here to find out during wireless penetration testing.

Testing Wireless Security Configurations

The objective of wireless penetration testing is to test wireless security configurations, which could be the attack vector for gaining access to internal assets. At KirkpatrickPrice, we want to find the gaps in your wireless security configurations before an attacker does, which is why we offer advanced, wireless penetration testing.

Some of the most common vulnerabilities that we look for when testing wireless security configurations include:

  • Lack of Physical Boundaries Leading to Accidental Associations
  • Rogue or Easily Accessible Access Points
  • Untrained Users
  • Vendor-Supplied Defaults
  • Easy to Eavesdrop and/or Sniff
  • No Wireless Network Monitoring
  • Unauthorized, Slow Data Rates
  • Misconfigured Firewalls
  • Susceptibility to Wardriving
  • WEP Weakness
  • MAC Spoofing
  • Man-in-the-Middle Attacks
  • DoS Attacks

Could your wireless technology be vulnerable to these risks? How are you validating the security efforts over your wireless networks? If you haven’t considered wireless penetration testing before, it may be time.

How is Wireless Penetration Testing Performed?

Let’s say a company has a wireless network exclusively for employees and one for guests. To test the wireless security configurations, our task would be to first try to break into that internal wireless network from the outside. If we can gain access, our next goal is to see if we can find a way into their internal infrastructure. If the company also has a guest network, our next step is to test the wireless security configurations for that network as well. Is the guest network open to the public? Are the credentials given to authorized guests once they enter your building? Could the password be compromised via brute force? Is it too similar to the password for your employees’ network (like Guest2013 versus Employee2013)? Our penetration testers have been in this scenario time and time again. Once a penetration tester gains a password, they can sniff the guest wireless network and perform SSL stripping attacks to gather user credentials. From there, they find even more types of access.

To thoroughly test wireless security configurations, our penetration testers will try any avenue to gain access and then see whether, once again, we can bleed into any other networks or infrastructure.

Our job as your expert penetration tester is to perform the role of the attacker and assess the wireless security configurations for vulnerabilities that could lead to catastrophic consequences. Effective wireless penetration testing requires a diligent effort to find weaknesses, just like a hacker would. If you want to avoid the consequences of compromised wireless technology and work with an expert ethical hacker, contact us today.

More Wireless Penetration Testing Resources

What are the Stages of Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test

Is Endpoint Protection a Comprehensive Security Solution?

At KirkpatrickPrice, our goal is to partner with our clients to help them achieve their challenging compliance objectives. While many other CPA firms solely focus on performing audits and delivering reports, our dedicated team of experienced Audit Support Professionals and Information Security Specialists is there to guide you through the audit process so that you leave the engagement feeling confident in your organization’s security hygiene and are prepared to tackle your information security needs going forward.

To best serve our clients and to make sure they get the most out of their investment in information security audits, we always recommend that our clients begin their engagement with a gap analysis. What exactly is that?

What is a Gap Analysis?

A gap analysis at KirkpatrickPrice means working with an Audit Support Professional and an Information Security Specialist to identify any operational, reporting, and compliance gaps in your organization and advise you on strategies for remediation. Gap analyses ask and answer, “How are we doing compared to what regulations require?” Instead of jumping into an audit without knowing what your organization should expect, a gap analysis can prepare your organization to remediate any identified gaps.

What Happens if We Don’t Do a Gap Analysis?

We understand that, oftentimes, organizations are eager to start their audit engagement — whether it’s because of first-time jitters or a hard deadline they have to meet. But to put it simply: skipping a gap analysis can result in any number of problems with your engagement, such as unidentified vulnerabilities, delayed projects, and perhaps the most extreme: non-compliance.

How to Get Through a Gap Analysis Without the Stress

When you undergo a gap analysis at KirkpatrickPrice, our efficient processes will help set your organization up for success and allow you to get the most out of your investment in information security audits. Why? Because at the end of a gap analysis engagement, organizations receive a remediation project plan – a document that provides our clients with actionable steps on how to remediate any gaps found, as well as resources that will help guide you through your remediation. In fact, because we’ve found that many of our clients struggle to remediate the gaps found during their gap analyses, thus prolonging their compliance journey even further, these remediation project plans are an essential part of KirkpatrickPrice’s auditing methodology.

Do I Really Need a Remediation Project Plan?

While some organizations may feel like they can tackle their remediation on their own, it never hurts to have extra guidance. When you receive a remediation project plan from KirkpatrickPrice, you’re not only getting access to free resources that you can reference at any time, you’ll also have access to our Audit Support Professionals and Information Security Specialists for consulting purposes. Have a question about how to create a business continuity plan? We can help! Don’t know where to start with creating application development policies? We can do that, too. Remediation shouldn’t prevent you from achieving your challenging compliance objectives, and we’re here to help make sure that it doesn’t.

At KirkpatrickPrice, we’re here to make your audit engagement as pain-free as possible, and that starts with undergoing one of our gap analyses to help prepare you for the audit. Is your organization ready to start pursuing your compliance goals, but is unsure of how KirkpatrickPrice’s gap analysis methodologies will work for your organization? Contact us today to discuss your compliance objectives and how we can help.

More Resources

Was the Gap Analysis Worth It?

What is a Gap Analysis?

Will I Fail the Audit? Reasonable Assurance Explained

Independent Audit Verifies VPLS’ Internal Controls and Processes

Orange, CA – VPLS, a network, cloud, and bare-metal server hosting company, today announced that it has completed its SOC 2 Type II and HIPAA Security Rule audits. This SOC 2 Type II attestation verifies that VPLS has the proper internal controls and processes in place to deliver high quality services to its clients, and this independent review of their information security control structure demonstrates their compliance with the HIPAA Security Rule.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of VPLS’ controls to meet the standards for these criteria.

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of consumers’ Protected Health Information (PHI) and electronic Protected Health Information (ePHI) by mandating risk management best practices and physical, administrative, and technical safeguards. The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance.

“The completion of these audits is an attestation of our commitment to our customers in ensuring the confidentiality, integrity and availability of their data. This accomplishment was made possible thanks to the diligence of our highly-skilled engineering team who are constantly learning and applying their knowledge to help keep VPLS and our customers up to date with current industry standards,” said Tim Mektrakarn, COO of VPLS.

“Many of VPLS’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, VPLS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by VPLS.”

About VPLS

VPLS, Inc. is a worldwide leader in dedicated cloud and managed services, hosting well over 15,000 servers and 5 million websites. We offer the latest in technology services with affordable pricing, to businesses all over Orange County and Los Angeles County, California. The VPLS portfolio of products and services covers a wide selection of IT services, such as Infrastructure Management, Public and Private Cloud Deployments, Disaster Recovery and Backups, IT Support Services and Management, Networking, Cyber Security, Data Storage, Web Design and much more.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Reviews CellarStone’s Controls in Support of GDPR

Half Moon Bay, CA – CellarStone, a provider of systems, solutions, and services focused on incentive management, PaaS application development, and data integration, today announced that it has completed its GDPR audit. This audit verifies that CellarStone, in its role as a processor, has implemented safeguards that meet the protections required by GDPR and its data protection program is operating with sufficient effectiveness to provide reasonable assurance that the privacy, security, confidentiality, and integrity of personal information is protected.

The GDPR is a broad-sweeping data protection law effective May 25, 2018, created by the European Union to establish the rights of EU subjects with respect to their personal data. Additionally, the GDPR establishes the data protection obligations of entities processing the personal data of EU data subjects, wherever such EU person’s data is processed, whether in the EU or internationally.

It should be noted that a GDPR audit does not constitute a formal legal opinion, legal representation, or formal certification on behalf of a private company, an individual data protection authority or the European Union itself.

“GDPR will give our customers, especially those who are in the EU region, a greater control over their data; and we take the responsibility for its protection,” said Gopi Mattel, CEO of CellarStone, Inc. “As sales commission specialists, we understand the sensitivity of compensation data very well. The GDPR law extended the privacy and security principles of sensitive data to personal data too. Thus, we enhanced our procedures and controls to ensure that our company complies with the new rules under the GDPR.”

“Based on our objective analysis, CellarStone is performing its due diligence as a processor to safeguard the nonpublic personal information it is responsible for,” said Mark Hinely, Director of Regulatory Compliance at KirkpatrickPrice.

About CellarStone

CellarStone, Inc. is a premier firm in the Sales Compensation Management and Sales Analytics arena. CellarStone works with IT, Finance, Human Resources and Sales to manage and implement variable pay and sales commission systems. The CellarStone commission and analytic solutions have been successfully implemented for companies in many industries including Retail, Banking, Staffing, Manufacturing, Consulting, Investment Management, Insurance, Medicare and many others. For more information please visit www.qcommission.com, www.qxchange.com, www.easy-commission.com, www.maxblox.com and www.cellarstone.com.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.