Independent Audit Verifies Inovatec’s Internal Controls and Processes

Burnaby, BC – Inovatec, a cloud-based software solutions provider, today announced that it has completed its SOC 1 Type I audit. This attestation verifies that Inovatec has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of Inovatec’s controls that may affect its clients’ financial statements. SOC 1 Type I is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type I audit report includes Inovatec’s description of controls as well as the detailed testing of its controls.

“Many of Inovatec’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, Inovatec has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Inovatec.”

About Inovatec

Inovatec Systems provides industry leading, cloud-based software solutions for any financial institution, any type of transaction. All solutions can be brought together in a single seamless and branded platform that can be opened to external partners and customers. Capture any marketplace – Full, robust ecosystem to drive the online customer/lead to you, streamline and facilitate the processes of crediting, auditing, funding and income verification for financing applications plus full servicing & portfolio analytics in the leading-edge LMS.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

When you send your child to school, whether it’s a K-12 or higher education institution, you expect them to be safe – but that should go beyond physical security. You should want to know that your child or family member’s personal data is secure, too. From names, dates of birth, standardized testing scores, attendance and grade records, medical data, email addresses, phone numbers, and Social Security Numbers to financial aid information, there are ample sensitive assets that malicious hackers can compromise.

The Need for Effective Cybersecurity Strategies at Educational Institutions

Aimed at protecting the privacy of students and their parents, FERPA lays the groundwork for the need for effective cybersecurity strategies, but unfortunately, breaches are still likely to occur. The University of Louisville, Georgia Tech, and The College of Southern Idaho have all experienced data breaches within the last two years. K-12 organizations are also just as likely to encounter a data breach or security incident. For instance, just last month, Kentucky’s Scott County School District announced that it fell victim to a multi-million-dollar phishing scam.

While it may seem like educational institutions would be less likely to experience a data breach or security incident, the reality is that they are just as likely as many other industries. Why? Because beyond student data, there’s research, endowments, and more to be compromised. Additionally, if an educational institution experiences a data breach, it’s more than the students or organizations themselves that will likely feel the impact. Think of the parents’ personal data. Oftentimes, they provide their Social Security Numbers, financial information for student loans, credit card information, phone numbers, email addresses, and more. Consider vendors or other research institutions that contribute to student and faculty research. How would a data breach or security incident impact them? What about employees?

Key Cybersecurity Challenges Faced by Educational Institutions

Educational institutions face a number of cybersecurity threats, ranging from open access infrastructure and loose security controls to human errors and disgruntled employees. Mitigating these risks can take a lot of work, but if done effectively, your educational institution can provide peace of mind to students, parents, and personnel alike. Let’s look at these cybersecurity challenges more in-depth.

  1. Loose Security Controls: For many educational institutions, loose security controls are a major weakness in their security hygiene. With a range of web and mobile applications, various WiFi networks, IoT devices and more, implementing strong security controls can be a challenging task.
  2. Lack of IT Personnel: Working within tight budgets, as most educational institutions are, makes it difficult to implement a robust information security program. Oftentimes, this leads to a lack of IT personnel capable of managing an entire organization’s network, and to vulnerabilities going unnoticed for long periods of time.
  3. Human Error: Employees pose one of the largest threats to the security of educational institutions. While they may seem like minor security breaches, employees often leave their computers unlocked, open unsecure emails or click on malicious links, or even leave post-it notes with passwords on them visible to unauthorized personnel. Disgruntled employees also pose a major risk. If an employee is terminated and they still have access to their email accounts, educational institutions could experience major data breaches.

As an educational institution, your organization has the responsibility of shaping the minds of students and turning them into productive members of society, while also making sure that they remain safe and secure. Make sure your organization follows through with these responsibilities by implementing effective cybersecurity strategies. Not sure if you’re meeting the security, privacy, and cybersecurity obligations expected of you? Contact us today!


Independent Audit Verifies Richweb’s Internal Controls and Processes

Glen Allen, VA – Richweb, a hosting and virtualized network engineering service provider, today announced that it has completed its SOC 2 Type I audit. This attestation provides evidence that Richweb has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Richweb’s controls to meet the standards for these criteria.

Richweb CEO Mark Lea said, “Richweb is very excited and happy to be able to make this announcement. The SOC 2 audit was one of our key targets for this year, so achieving this SOC 2 Type I attestation is a major accomplishment. We are especially happy to be able to include this attestation from KirkpatrickPrice as part of our portfolio of service and security assurances for customers.”

“The SOC 2 audit is based on the Trust Services Criteria. Richweb has selected the security category for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Richweb delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Richweb’s controls.”

About Richweb

Richweb, Inc. is a growing technology company located in Richmond, Virginia with over 500 customers in Virginia and across the USA. Since 1995, Richweb has specialized in developing comprehensive technology solutions that have been the key to success for enterprises and non-profit organizations of all sizes. With over 24 years of experience, Richweb has developed expert technology and engineering services, offering a wide variety of software, internet, and networking solutions to fit the needs of our customers.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 900 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Infiltrating technology at local governments is an attack method with big pay-off for hackers. Phish a county employee? You can take the whole county, city, or state down. Because local governments rely on the data they hold to fuel their economies and keep their citizens safe, understanding the need for effective cybersecurity strategies and how to mitigate the numerous cybersecurity challenges cities are faced with needs to be a top priority of municipal governments. If a hacker gains access to a city’s data via a phishing attack and holds it for ransom, what would the impact be? Could your city recover?

The Need for Effective Cybersecurity Strategies

Phishing is one of the most common sources of attacks on local governments. Why? Because it’s so easy. Hackers can easily trick employees into opening a malicious link or file via email or other modes of electronic communication, leaving local governments at high risk for data breaches. In fact, cities, counties, and states alike are all susceptible to falling victim to a cyberattack caused by phishing – just look at these examples:

  • When SamSam attacked Atlanta, thousands of city employees couldn’t access their computers and other connected technology for weeks, court dates had to be rescheduled, utility payments had to be made in person, traffic tickets could not be processed—this ransomware attack completely obstructed many day-to-day operations of the City of Atlanta.
  • In 2016, 108 L.A. County employees fell for a phishing email and the hacker was able to gain usernames and passwords for employees with access to confidential information. Through a forensic investigation, the county found that the names, dates of birth, Social Security numbers, driver’s license numbers, banking information, payment card information, and medical treatment information of 756,000 individuals were potentially impacted by this one successful phishing attempt.
  • A hacker was able to access one Mecklenburg County employee’s log-in credentials through a phishing email. About 200 systems were impacted, causing the county to shut down many parts of its network. Fortunately, back-up data was available so that the county did not have to consider paying the $23,000 ransom. To prevent a second attack wave, the county disabled employees’ ability to open certain types of emails. It took almost six weeks and thousands of dollars to rebuild servers, get employee email up and running, and secure the rest of their systems.
  • In 2017, Ohio Governor Josh Kasich’s website was hacked with pro-ISIS propaganda. This breach points to how susceptible elected officials are to encountering cybersecurity breaches. Many officials use their websites to power their campaigns, raise funds for re-election efforts, and inform the public of their policies. If malicious hackers find ways to compromise those websites, whether through phishing attacks or DDoS attacks, significant harm could be done, including the spread of misinformation.
  • Over the last year, many other elected officials, ranging from U.S. Senators to state governors, have been targets of phishing attacks. For example, Sen. Patrick J. Toomey’s campaign experienced an unsuccessful phishing attempt on dormant email accounts, Missouri Sen. Claire McCaskill experienced an unsuccessful phishing scam caused by Russia-based GRU, and Sen. Jeanne Shaheen also fell victim to an attempted phishing attack. If our lawmakers are top targets of phishing scams, how can we be sure that other areas of our local government will stay protected?
  • In September 2018, 12 state government email accounts from the Kentucky Finance and Administration Cabinet’s Department of Revenue were compromised via a phishing attack that was likely caused by malicious email attachments. Those impacted by the attack had access to highly confidential information about Kentucky taxpayers.

Key Cybersecurity Challenges for Local Governments

No matter if your city has 5,000 residents or 500,000 residents, establishing robust cybersecurity programs for local governments can be a challenging task. Local governments are faced with overcoming tight budgets, personnel with a lack of understanding of cybersecurity best practices, and a lack of IT expertise to overcome today’s threat landscape. So, what should public sector organizations invest in? Cybersecurity awareness training programs for citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

These examples don’t even come close to the number of reported breaches by local municipalities. Have you been victimized by the cyber threats targeting the public sector? Don’t leave the security of your city and your citizens up in the air – let us help! Contact us today to learn how you can stay abreast of phishing attacks and other cybersecurity threats.


With GDPR, CCPA, PIPEDA, and so many other new data privacy laws going into effect, knowing which laws you need to comply with and how you should go about complying with them may seem like a daunting task. In this webinar, our Director of Regulatory Compliance, Mark Hinely, will discuss how organizations can perform their due diligence to ensure that they’re protecting their consumers’ privacy and will cover industry-accepted best practices that you can follow to lay the groundwork for future data privacy frameworks.

What are Best Practices for Data Privacy?

If your organization is questioning what best practices for data privacy you should follow, Mark Hinely provides four that can help you get started:

  1. Create an internal privacy framework
  2. Do more with less data
  3. Automate compliance efforts
  4. Get specific about your internal and external privacy posture

How Can You Establish an Effective Internal Privacy Framework?

An effective internal privacy framework is the foundation of your organization’s data privacy compliance efforts because it lays out what and how you’ll comply with the many privacy requirements applicable to your organization. Typically, when an organization creates an effective internal privacy framework, they’ll take the following into consideration:

  • Notices and disclosures
  • Access (Internal and External)
  • Breach notification
  • Consent
  • Risk
  • Designated responsibilities
  • Data retention
  • Vendor management

As with internal security programs established by organizations, however, there are always sector- and organization-specific considerations that must be taken into account when creating an effective internal privacy framework. For industries such as healthcare, marketing, or education, there might need to be additional considerations regarding access to data or data retention. Specific organizations, such as a debt collection agency, also need to consider the types of data and processing they’ll use. Once these considerations have been made and the internal privacy framework has been designed, organizations need to document and implement it.

Overall, when you establish an effective internal privacy framework, you set your organization up for success when you’re faced with achieving multiple privacy considerations. If you want to learn more about industry-accepted best practices for data privacy and how they could benefit your business, watch the full webinar now. For more information on how KirkpatrickPrice can help you with your data privacy compliance efforts, contact us today.