When organizations come to us to pursue their information security goals, we make sure they know all the benefits of compliance accomplishments. This ranges from avoiding fines and answering to regulatory bodies to protecting and strengthening your business. What we want more organizations to take advantage of, though, is leveraging information security as a competitive advantage. How do you do that?

How Can You Use Information Security as a Competitive Advantage?

Information security efforts do more than assure your clients that their sensitive data is protected. When you partner with an audit or penetration testing firm that educates you and performs quality-driven assessments, your sales and marketing teams will learn how powerful compliance can be.

There are several marketing benefits to achieving compliance. It gives you an opportunity to display and explain the value of your compliance accomplishments, establishes your brand as one that’s committed to privacy and security, and gives you a competitive edge. There are many ways to use compliance accomplishments as marketing and branding tools. Is your organization using information security as a competitive advantage in these ways?

  • Marketing your product as reliable and secure, with an audit report to show for it.
  • Adding a landing page to your website that outlines all of your compliance achievements and goals.
  • Incorporating a compliance logo into company email signatures.
  • Using compliance logos on your company’s branded presentation templates.
  • Producing materials for conferences that highlight your information security program.
  • Distributing a press release announcing each audit report that you receive.
  • Publishing a blog post or a series of blog posts that outlines your compliance journey, like our client Paubox recently did with their HITRUST journey.

Educating Your Sales and Marketing Teams on Information Security as a Competitive Advantage

Does your competition have the same audit report that you do? Do they have the same information security standards that you do? Do they undergo penetration testing? If not, you’re ahead of the game. Your competitors are very likely considering how to accomplish challenging compliance expectations, and when you’re proactive about establishing an information security program, it will pay off. You can close deals that rely on SOC 2 attestations, you can go after business that requires GDPR compliance, you can expand your services to the healthcare industry through HIPAA compliance; the opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it.

Leveraging information security as a competitive advantage does require some extra work, though. Does your sales and marketing team understand or even know about all the effort that went into an audit? You need to take steps to educate your sales and marketing team on what types of audits you’ve been through so that they can explain the value of your information security program to prospects. When your team can have sales conversations that relay why your service is more secure than a competitor’s, you are fully utilizing all the work that went into your compliance accomplishments.

After going through a SOC 2 Type II audit at KirkpatrickPrice, Unqork’s CISO told us, “We want to be able to tell our clients and our clients’ customers that the framework that we’ve built and the design or architecture that we’ve built is as secure as is available on the market because that builds a lot of confidence and meets industry requirements. We knew that the sooner we could close that gap and prove to our customers and prospects that we’ve rolled out an information security program, thought about the processes and procedures, and considered privacy laws and requirements around the globe, that opens the door to more conversations and builds confidence in Unqork as a vendor.”

How KirkpatrickPrice Helps

We always recommend that our clients leverage information security as a competitive advantage and strive to help find creative ways to do so. When clients complete an audit with us, we’re dedicated to helping them find the best way to market their compliance. We offer our clients a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing their recent compliance accomplishment, copy to use in various marketing materials, and advice on how to best market their focus on information security. Want to learn more about how to leverage your compliance accomplishments as a competitive advantage? Contact us today.


Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? Going through a PCI audit for the first time? Your organization will need an individual who can help you maintain PCI compliance and provide you with a high-quality PCI audit. Who can do that? A Qualified Security Assessor (QSA).

In fact, a QSA is the only individual who can deliver a PCI Report on Compliance (RoC) for your organization.

Without hiring a company that has a certified QSA, you won’t be able to meet your PCI compliance requirements and are at risk for additional data threats. You know you need a QSA, but where should you start?

Let’s begin by defining what you’re looking for when choosing a QSA.

What is a Qualified Security Assessor (QSA)?

A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council (PCI SSC) to test and validate an organization’s compliance with the PCI DSS. A security expert who holds the QSA certification is highly esteemed as a credible source for reviewing compliance activities.

You can find a legitimate QSA who will lead you on the path toward PCI compliance through the PCI SSC. The PCI SSC publishes a detailed list of all QSA companies and individuals, but choosing a QSA takes more effort than simply searching a list.

Choosing a QSA That’s Right for You

Finding a list of QSAs may be straightforward, but choosing the best QSA for your organization is a more difficult choice. There is more to choosing a QSA than finding a company with the correct certification.

  • The best QSA for your PCI audit must understand your organization, what you do, the technologies you use, and your industry.
  • To get the most out of your journey to PCI compliance, you want an experienced QSA, not a junior auditor.
  • You need to find a QSA that can meet your needs. Do you need a quick turnaround? Does the company fit your budget? Are they equipped to handle your specific scope? Can they handle visiting your third parties?
  • Do you need a gap analysis before going through the audit? The right QSA for your organization is one that provides you with remediation guidance and prepares you for the upcoming audit.
  • Do you need to go through multiple audits? Choosing a QSA that offers multiple services and gap analyses along with your PCI audit will benefit you.

What to Look Out for When Choosing a QSA

You may hear from an auditing firm that they are qualified to complete your PCI audit, but if they’re not a QSA on the list from the PCI SSC, they’re most likely outsourcing the project.

The last thing you need when working toward PCI compliance is a company that leaves the security validation to a third party. They may even misrepresent their PCI services because they want to get your business in another auditing or service area, such as SOC 2 or penetration testing.

What’s more, companies often claim to be a QSA when they only have PCI Professionals (PCIPs) on staff. PCIPs are valuable to the PCI audit process, but they lack the certification necessary to properly audit your organization for PCI compliance. You need to watch out for these possible misrepresentations when you’re choosing a QSA.

Choosing KirkpatrickPrice as Your QSA

At KirkpatrickPrice, we pride ourselves on providing a quality QSA experience that gives your organization a streamlined PCI audit experience.

How do we do it?

We partner with you to learn about your organization, your processes, your technologies, and your industry to ensure the scope of your engagement is accurate.

We utilize our Online Audit Manager to guide you through the audit control objectives and help you complete your audits together at the same, qualified firm. We work hand-in-hand with your information security team on remediation strategies to make sure that you get the most out of your audit. In addition, many of our audit support professionals, technical writers, and quality assurance personnel have the PCIP certification and work with your QSA, so you’ll have peace of mind that you’re receiving an expert PCI audit from start to finish.

Why settle for a company that outsources your PCI audit when you can choose a QSA that works alongside you to perform a quality audit completed by senior-level, expert auditors? Hire a QSA that’s right for you. Contact us today.


In most healthcare settings, third parties are relied upon to provide secure offerings that assist covered entities in delivering quality, secure healthcare services. Covered entities ultimately bear the responsibility of validating their third parties’ security standards; however, covered entities oftentimes still fall short in ensuring that business associates guard protected health information (PHI) against advancing cybersecurity threats. In one of the most recent cases, Quest Diagnostics, one of the United States’ top blood testing organizations, reported that nearly 12 million of their patients fell victim to a data breach caused by one of their business associates, American Medical Collection Agency (AMCA). What exactly caused this data breach? What lessons can covered entities and their business associates learn from it? Let’s take a look.

What Really Happened with the American Medical Collection Agency Data Breach?

On May 31st, Quest Diagnostics received notice from AMCA that an unauthorized user had accessed an AMCA system containing the personal information of Quest Diagnostics patients via AMCA’s web payment page between August 1, 2018 and March 30, 2019. According to Quest Diagnostics’ SEC filing concerning AMCA, the information on AMCA’s compromised system included some financial information, medical information, and other personal information, such as Social Security Numbers, but did not include laboratory test results. LabCorp also used AMCA for collections and also suffered a breach affecting almost 8 million patients. Now, Quest Diagnostics, LabCorp, and AMCA are facing lawsuits and investigations from state regulators in at least Michigan, Illinois, New Jersey, and Connecticut.

What Lessons Can We Learn from AMCA’s Data Breach?

While it might seem redundant to continuously focus on the need for efficient third-party risk management, AMCA’s data breach proves that this is still something all healthcare organizations need to take more seriously. When partnering with a third party or business associate, healthcare organizations must perform their due diligence and properly vet the organizations they want to partner with. How can they do this? We’ll give you four key lessons learned from the AMCA data breach.

  1. Breach Notification Matters: All the key players made several potential missteps related to breach notification timing and process. First, there are allegations that AMCA knew about the breach in March 2019 and failed to respond to concerns from cybersecurity analysts until the end of May, while Quest waited two weeks from the date it received notice from AMCA about the breach to make its “public” statement. Second, there is nothing on AMCA’s website, while the impact on Quest and LabCorp became public through SEC filings rather than any notification posted to their corporate websites. These choices are being used as evidence of negligence in class action lawsuits and may violate HIPAA breach notification requirements. Instead, covered entities and business associates must clearly and promptly notify impacted patients within 60 days of breach discovery and notify the Department of Health and Human Services (within 60 days of the breach discovery) and the media when the breach impacts more than 500 patients.
  2. Implement a Formal Risk Assessment Policy: In order to comply with the HIPAA Privacy and Security Rules, covered entities and business associates must conduct a risk assessment. By doing so, organizations can ensure that they have identified, assessed, and prioritized organizational risk and have proactively worked to mitigate any potential vulnerabilities in their systems. Online payment processes, like the web portal used by AMCA, should be considered particularly exposed to security threats and therefore given careful consideration.
  3. Understand Shared Risk: When working with a business associate, covered entities must understand that when they share their patients’ PHI with a vendor, it’s not solely up to the vendor to protect that information. In this case, Quest used Optum 360, another billing service provider, to partner with AMCA, so there are multiple layers of shared risk.
  4. Undergo Quality, Thorough Information Security Audits: In many instances, organizations view information security audits as an item to check off a to-do list, or worse, they don’t see it as a valuable investment. If your healthcare organization is committed to delivering quality, secure healthcare services, how exactly can you guarantee that you’ll do this? Undergoing thorough information security audits, like those performed by KirkpatrickPrice, can help your organization ensure that you’re able to deliver quality, secure healthcare services by evaluating the effectiveness of your internal controls and your business associates’ internal controls.

When your patients entrust you with their personal information, especially their PHI, it’s your responsibility to make sure that it remains secure. This includes performing your due diligence when partnering with business associates and validating that your vendors will do everything they can to keep PHI secure. Are you sure your business associates are performing their due diligence? How are you staying on top of your vendors’ compliance efforts? Contact us today to learn more about KirkpatrickPrice’s services and how they can help you ensure that you’re able to deliver the quality, secure healthcare services that your patients deserve.


Have you been asked by a client to undergo penetration testing? Do you want to ensure the security of your critical systems? Getting the most out of your investment in penetration testing means that you must perform your due diligence and make sure that the penetration tester you’ve hired can deliver quality, thorough penetration testing services. How can you do that? By taking the following five things into consideration when choosing your penetration tester.

1. Should You Use an Outsourced Penetration Tester?

We understand that finding a penetration tester might be daunting. During your initial stages of searching for a penetration tester, you might question if it’s okay to hire a firm that outsources penetration testing. After all, they just hack from remote locations, right? Wrong. At KirkpatrickPrice, we believe that if you want to get the most out of your investment in penetration testing, you should never partner with a firm that outsources penetration testing engagements. We’ll give you three reasons why:

  • Other countries have different internet laws and protections. Even though a pen tester might be working from a secure network or a US VPN, it’s not always guaranteed. This introduces many unnecessary risks into an organization’s environment – risks that wouldn’t appear if your penetration tests weren’t outsourced.
  • There’s no oversight. Would you be willing to give just anyone access to your most valuable data? When organizations outsource their penetration testing services, there’s no way to guarantee that the penetration tester won’t cause harm while testing or that they will keep the results of the penetration test confidential.
  • The personal relationship between the client and an outsourced pen tester is virtually non-existent. When you hire a pen tester located within the US, you won’t have to deal with major time zone differences, and you should be able to meet in person if needed.

2. What Certifications Should a Penetration Tester Have?

In order to receive quality, thorough penetration testing services, your pen tester – at a minimum – should hold several certifications. At KirkpatrickPrice, we believe that penetration testers with the Offensive Security Certified Professional (OSCP), GIAC Certified Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT) certifications have the baseline education necessary to deliver quality, thorough penetration testing services. What do those certifications mean?

  • GPEN: The GPEN is an 82-115 question exam that covers “penetration testing methodologies, the legal issues surrounding penetration testing and how to properly conduct a penetration test as well as best practice technical and non-technical techniques specific to conduct a penetration test.”
  • GWAPT: The GWAPT is a 75-question exam covering web application exploits and penetration testing methodologies.
  • OSCP: Unlike the GPEN and GWAPT certifications, the OSCP isn’t a proctored exam. Instead, it’s a real-world, 24-hour exam in which the student performs a penetration test and has to submit an in-depth report on their findings.

3. What Kind of Experience Should a Quality Penetration Tester Have?

While a penetration tester should absolutely hold certifications, they also need ample experience to deliver quality penetration testing services. Typically, we suggest that a quality penetration tester have three to five years of experience in ethical hacking and consulting. Why? Because it’s not enough for your pen tester to just perform the penetration test. Instead, a quality penetration tester should be able to perform thorough penetration testing services and provide consulting on how you can remediate any vulnerabilities found during the assessment.

4. What Kind of Skills Should a Quality Penetration Tester Have?

Penetration testers should have strong technical skills when it comes to ethical hacking, but soft skills are nearly as important. Pen testers should be able to do more than run automated tools. For example, your penetration tester should…

  • Be able to adapt quickly to changing environments, because cyberspace is always changing.
  • Be able to work independently or as a team. While ethical hacking is often viewed as a solo job, if a penetration tester can’t work with your information security team, how will you be able to understand the findings?
  • Have time management skills. If they can’t manage their time effectively, how will they help keep your engagement on schedule?
  • Have the ability to think like an attacker.
  • Have knowledge of common programmer shortcuts that can be exploited.
  • Have experience in writing scripts and exploits to test unique vulnerabilities.
  • Be dedicated to the craft of ethical hacking.
  • Be immersed in the ethical hacking community.

5. Is the Penetration Tester Affiliated with Expert Information Security Specialists?

At KirkpatrickPrice, we know that there are many options for penetration testers. There are various companies that solely focus on ethical hacking, there are freelance penetration testers, and then there’s us: a CPA firm that delivers both quality, thorough penetration testing services and quality, thorough information security audits. Because we provide both services, we can help you get even more out of your investment in penetration testing. Not sure what legal regulations or frameworks require you to undergo penetration testing? We have Information Security Specialists who can help. Unsure of how your pen test findings will impact your compliance efforts? Your KirkpatrickPrice penetration tester can pull in one of our Information Security Specialists for consulting and remediation guidance.

Selecting a penetration tester for your organization is a decision that carries more weight than it might initially appear. Make sure you get the most out of your investment in penetration testing by partnering with KirkpatrickPrice and our expert penetration testers. Contact us today and let’s get started!


If you’re new to the HITRUST CSF® assessment process, you might be wondering just how different the audit process is from other audits. The requirement of the interim assessment is one of the main ways that HITRUST® certification is unique. What happens during this interim review? Let’s take a look at what you can expect during a HITRUST interim assessment.

Overview of the HITRUST CSF Assessment Process

The HITRUST CSF is a security and privacy framework that is the foundation of all HITRUST programs. It leverages federal and state regulations, industry standards and frameworks, and a focus on risk management to create a comprehensive standard. The framework was originally developed for the healthcare industry but now has applicability in financial services, travel and hospitality, media and entertainment, telecommunications, and with start-ups. HITRUST reports that, because of its continued effort to improve and update the framework, the HITRUST CSF is the most widely adopted security framework in the US healthcare industry.

When you engage in a HITRUST CSF Assessment and are seeking certification, the typical audit process with KirkpatrickPrice looks something like this:

  1. Undergo a Gap Analysis
  2. Perform a HITRUST Self-Assessment
  3. Remediate Findings
  4. Undergo a HITRUST Validated Assessment
  5. Go through HITRUST Quality Assurance
  6. Receive the Final Report
  7. Undergo a HITRUST Interim Assessment

What is a HITRUST Interim Assessment?

What sets the HITRUST CSF apart from many other frameworks is that the audit process isn’t a one-time engagement; it’s a continuous work-in-progress to maintain compliance. Recognizing this, part of the HITRUST CSF certification process includes an interim assessment, a review that takes place exactly a year after the initial HITRUST Validated Assessment takes place. So, what will your auditor be assessing during the HITRUST interim assessment?

What Can You Expect During a HITRUST Interim Assessment?

During a HITRUST interim assessment with KirkpatrickPrice, we will:

  • Review your policies, procedures, systems design, personnel, and inventory to determine whether significant changes to your organization have occurred. If significant changes have taken place, HITRUST requires a full re-assessment. If no significant changes have taken place, organizations are eligible to be re-certified without re-assessment.
  • Select 19 controls – one randomly from each domain – and re-test that control statement completely. This process typically takes 1-2 weeks.
  • Review all Corrective Action Plans (CAPs) for appropriate physical security and conduct any required interviews to reach reasonable assurance the control environment continues to meet the CSF requirements.
  • Document and submit the interim assessment results in MyCSF®. From there, HITRUST makes the final decision on whether or not to issue the re-certification.
  • Discuss your organization’s upcoming full assessment renewal and plan a strategy for a successful renewal engagement. Each full assessment is often under a new version of the CSF and will include new or changed requirements. Because of this, the sooner your organization begins to self-assess against the new requirements, the better.

Has your organization been asked to demonstrate HITRUST compliance? Are you unsure where you need to start? We’re here to help! Contact us today to learn more about our HITRUST assessment process and how we can assist you on your journey toward HITRUST certification.
