Introduction to the 12 PCI Requirements

The purpose of the PCI DSS is to ensure that all of the data that lives within the cardholder data environment (CDE) is protected and secured from theft or unauthorized use. If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS, but doing so may seem daunting. Why? Because the PCI DSS has almost 400 controls, 6 control objectives, and 12 major subject areas, and many organizations struggle with the documentation aspect of a PCI assessment. However, established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards not only to control risks to business assets, but also to establish a common understanding and language that creates consistency across the organization.

What Should a PCI Policy Include?

Depending on your unique services, industry, legal requirements, or other frameworks outside PCI that you must comply with, there will be various topics that your information security policies should cover. The PCI DSS does a good job, though, of outlining which policies you absolutely need to begin a baseline set of PCI-compliant policies.

Here are some suggested topics that a PCI policy might include:
  • Firewall Configuration Standards and Operational Procedures
  • Operational Procedures for Managing Firewalls
  • Operational Procedures for Managing Vendor Defaults and Other Security Parameters
  • Data Retention and Disposal Policies
  • CHD Storage and Protection Policies
  • Encryption Key Management Policies and Operational Procedures
  • Operational Procedures for Encrypting Transmissions of CHD
  • Anti-Virus and Malware Software Policies
  • Security Patch Installation Policies

This list serves as an overview of what policies and procedures should be documented and implemented when pursuing PCI compliance, and it is not an all-encompassing list. For more information on the specific details of what needs to be included in each policy or procedure, we encourage you to review the current PCI DSS or contact your QSA.

Independent Audit Verifies Ziflow’s Internal Controls and Processes

Middlesex, UK – July 2019 – Ziflow, the leading enterprise online proofing software solution for agencies and brands, today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Ziflow has a strong commitment to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. Ziflow worked with KirkpatrickPrice’s service auditing team to verify the suitability of the design and operating effectiveness of Ziflow’s controls to meet the standards for these criteria.

“Our customers are the world’s largest agencies and brands, and they require that our product facilitates secure content access, review, and approval. The completion of this audit confirms that Ziflow’s information security policies, procedures, and best practices meet the rigorous SOC 2 standards, which align with our customers’ needs.”

– Anthony Welgemoed, Ziflow CEO

“The SOC 2 audit is based on the Trust Services Criteria. Ziflow has selected the security, availability, and confidentiality categories for the basis of their audit. Ziflow delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Ziflow’s controls.”

– Joseph Kirkpatrick, President of KirkpatrickPrice

About Ziflow

Ziflow is the leading online proofing solution for the world’s largest agencies and brands. Led by the pioneers of the online proofing market, Ziflow streamlines the review and approval of creative content to help creative teams deliver marketing projects faster, by improving collaboration, centralizing feedback and eliminating manual steps through automated workflow. Ziflow replaces email, printouts and other ad-hoc methods for reviewing creative content to deliver projects 56% faster, every day with Ziflow. For more information, visit www.ziflow.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

At KirkpatrickPrice, we’ve been fortunate enough to work with companies of all sizes – from startups to enterprise-level companies. By working with a variety of clientele, we’ve seen many different pitfalls that organizations are prone to, especially startups. As an organization committed to helping our clients get the most out of our thorough information security assurance services, we’ve put together a list of five ways startups can ensure a smoother audit. Let’s discuss.

1. Get C-level Buy-in

While undergoing an information security audit is a highly technical process, it also largely relies on the mentality and intent behind engaging in an audit. Why did your organization pursue compliance? Were you asked by a client to become SOC 1 or SOC 2 compliant? Are you doing it to be proactive and position yourself as a secure organization? Are you just doing it to check an item off a to-do list? If you go into an audit with the mentality that it is just an item to check off a to-do list, you’re already at a disadvantage and most likely won’t reap all of the benefits of compliance. Instead, your C-level executives must understand why the company needs to invest in information security audits and how doing so can help improve the company as a whole. A large part of this also means that an organization’s C-level executives are involved in the audit process: they don’t merely pass off the engagement to directors or department heads, and they have a clear stake in the outcome of the audit by being the executive sponsor.

2. Assign Someone to Oversee the Project, but Ensure that the Workload is Assigned Appropriately

Audit engagements are no small feat, and for startups in particular, the process may seem even more daunting. That’s why we require organizations to identify an executive sponsor – someone who is responsible for overseeing the audit engagement and serves as the main point of contact for your organization throughout the entire engagement. However, while we feel that having one person overseeing the entire project is paramount, that does not mean that other critical members of your organization should be excluded from the engagement. Oftentimes, you’ll need various department heads to answer questions about policies and procedures or internal controls. This is why our Online Audit Manager (OAM) can help make your audit process even smoother: it allows executive sponsors to assign questions to various people within an organization, preventing one person from being responsible for answering all of the audit questions and helping you distribute the workload evenly.

3. Communicate Regularly

There are a lot of moving parts during an audit engagement, especially if multiple people or teams are involved. Communication must be highly effective and clear to ensure a smoother audit for startups. The key players in the audit engagement should be communicating on a regular basis. If an auditor hasn’t received required documentation on time, who will ensure that is addressed? If a vulnerability is found and communicated to one person on the team but not another, that could delay the audit process altogether. To prevent delays in your engagement, there needs to be a clear line of communication both within your organization and between your organization and your audit firm.

4. Stay on Schedule

When organizations partner with us to perform their audits, one of the most frequently asked questions we get is, “Can we get our report by X date?” While we are committed to staying on schedule and delivering projects on time, the audit process is a two-way street. If your organization puts off answering questions or providing documentation in the OAM, it will only prolong the engagement. This could be especially problematic for organizations who have hard deadlines for their compliance efforts or deals relying on their audit engagement. Ultimately, creating and sticking to a schedule is absolutely necessary in order to ensure a smoother audit process. For example, this might mean that you commit to answering 20 questions a day to stay on or ahead of schedule. Additionally, our OAM goes a step further to help our clients stay on track by displaying a progress-tracking bar.

5. Utilize Your Auditor and Your Audit Firm’s Resources

When choosing an audit firm, startups need to be sure to work with a firm that does more than provide audits: they need to choose a partner and someone who will guide them every step of the way throughout the audit engagement. Feel like you don’t know how to remediate vulnerabilities? Consult with your auditor on remediation strategies. Not sure what your auditor is requiring or what is being asked of you to provide? Your auditor should be able to provide clarification and company resources to reference. If you want to ensure a smoother audit, be sure to utilize your auditor and your audit firm’s resources.

Startups who invest in information security audits are doing what’s necessary to position themselves as secure entities, and we want to make sure that they get the most out of that investment. Let’s talk about how we can help you ensure a smoother audit process. Contact us today.

When an entrepreneur sets out on a new business venture, there are typically many things to take into consideration and many pitfalls to avoid. How will you raise the capital needed to get the company off the ground? Who will be a part of the team? What can you do to ensure that your products or services are ready for market? While all of these considerations are critical to the success of a startup, there are also many pitfalls that startups must avoid, especially when it comes to information security. At KirkpatrickPrice, we believe that those pitfalls boil down to five key areas.

Not Investing in Information Security from the Start

When we say “invest in information security,” we’re alluding to two things: a personnel investment and a financial investment in a robust information security program. We often emphasize the importance of establishing a culture of compliance from the start, and this especially applies to startups because of their limited number of personnel. If an organization has five employees and only one of those employees advocates for the need to implement a robust information security program, chances are, it won’t be made a priority. If all of the executives or members of a startup are on board with information security from the start of the company, there’s a greater chance for a startup to mitigate the risks they’re faced with and, ultimately, become a successful, secure business.

Failing to Create and Implement Effective Policies and Procedures

Startups that don’t invest in information security from the start will often experience a domino effect that leads to other pitfalls. In many cases, this means that startups will fail to create and implement effective policies and procedures. But here’s what startups must understand: robust documentation of information security policies, standards, and procedures is one of the hallmarks of an effective information security program. Startups may think that because their organization is so small, they don’t need policies and procedures, since everyone already knows who is taking on which responsibility. If a startup wants to position itself as a secure entity, then it must be sure to create and implement effective policies and procedures.

Not Securing Work Spaces

Many startups are now relying on shared or coworking spaces, or even have their employees working remotely full-time. What many startups don’t take into account is the information and cybersecurity risks that come with working in coworking spaces or remote environments, and they often neglect to train their employees on best practices for working remotely.

Not Establishing Effective Business Continuity and Disaster Recovery Plans

According to the Verizon 2019 Data Breach Investigations Report, 43% of small businesses experience cyber attacks. This means that no matter which industry you’re in, there are sensitive assets that can and will be stolen by malicious hackers, so startups must make it a priority to establish and practice effective business continuity and disaster recovery plans. What would happen if a natural disaster impacted your startup’s service offerings? What if an unauthorized individual compromised your network via a phishing attempt and held your organization’s sensitive data for ransom? Would you be able to recover?

Not Planning for the Future

It’s every entrepreneur’s dream to have a successful business, but when startups fail to plan for the future and don’t understand how they need to scale their information security program as their needs and risks evolve, they become more likely to experience data breaches. In other words, an information security program at the start of a company should not be the same information security program ten years later. When developing a business model then, startups must take into account how they plan to scale their business and how their information security program will evolve over time.

Startups are faced with enough challenges during the first years in business. Don’t let information security be one of them. Learn more about how you can avoid these pitfalls by contacting us today to speak to one of our Information Security Specialists or to learn more about how our services can help you ensure the security of your business.

Why Startups Need to Make Information Security Policies a Priority

No matter what industry they’re in, startups are especially susceptible to cybersecurity attacks. This is largely due to financial reasons, as startups are far less likely to have the capital needed to implement robust information security management programs. Moreover, startups oftentimes neglect to place an emphasis on information security from the start because of a lack of understanding of the threats their industry is faced with. But here’s what all startups must realize: robust documentation of information security policies, standards, and procedures is one of the hallmarks of an effective information security management program – and creating them doesn’t have to be a daunting task. With the right partner, you can create and implement a robust information security policy for your organization and help ensure the security and success of your startup. So, what should an information security policy for a startup include?

Information Security Policy Checklist for Startups

Depending on the industry your startup is in and the legal requirements and/or frameworks that you must comply with, there will be various topics that your information security policies should cover. Considering this, we’ve come up with a checklist of 15 recommended topics that information security policies should include. Please note that this checklist serves as a baseline overview of what policies should be included by a new information security program, and if your organization has to meet other compliance standards, such as SOC 2 or HIPAA, there will be additional requirements or topics that need to be included. A few such topics you might include in your information security policy are…

  • Risk Assessment Standards and Procedures: How often do you perform a risk assessment? Who is responsible for performing a risk assessment? Who communicates the findings of a risk assessment? What is done with the risk assessment findings?
  • Acceptable Use Policy: What constitutes acceptable use within your organization? Does this apply to both company-owned devices and/or bring-your-own-device policies? How do you monitor your acceptable use policy?
  • Monitoring and Logging Policies, Standards, and Procedures: What procedures are in place for monitoring and logging? Who is responsible for keeping logs up to date? Who is responsible for communicating anomalies found in logs?
  • Incident Response Procedures: What procedures are in place in the event of a natural or man-made disaster? What personnel are responsible for implementing your Incident Response Plan? Is your Incident Response team trained regularly with real-life simulated events? How is your Incident Response Plan updated to ensure that it is current based on your risks and needs?
  • Personnel Security Policies, Procedures, and Standards: What procedures are used to hire, train, and retain employees? How are employees trained on company policies and procedures? Do employees undergo security awareness training on a regular basis? If so, how frequently?