Independent Audit Verifies CBOSS’s Internal Controls and Processes

Boardman, OH – CBOSS, a payment processor, today announced that it has received its SOC 1 Type II, SOC 2 Type II, and PCI DSS compliance reports. These reports provide evidence of CBOSS’s commitment to delivering high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and the appropriate testing of CBOSS’s controls in three areas: controls that may affect its clients’ financial statements; non-financial reporting controls relating to the security, availability, processing integrity, confidentiality, and privacy of a system; and controls relevant to storing and transmitting information from credit, debit, or other payment cards.

SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). The report is prepared under the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. It demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes CBOSS’s description of its controls as well as the detailed testing of those controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of CBOSS’s controls to meet the standards for these criteria.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores, or transmits information from a payment card. In accordance with the PCI Security Standards Council’s requirements, KirkpatrickPrice’s Qualified Security Assessors assisted CBOSS in becoming PCI compliant.

“Many of CBOSS’s clients rely on them to protect, process, and store consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, CBOSS has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by CBOSS.”

“CBOSS is committed to delivering robust, secure solutions for payment processing to all our customers,” stated Mike Lendvay, Security & Compliance Manager for CBOSS, Inc. “To that end, we strive to make security and reliability integral to every aspect of our operations. We appreciate KirkpatrickPrice’s thoroughness and we are proud to have met or exceeded all the requirements they validated.”

About CBOSS

The expertise of CBOSS’ specialists empowers all of its clients to focus on their core business, across industry segments such as services, manufacturing, the non-profit sector, and education. Solutions include online payment processing, web applications, and business process automation. Since 1994, over 700 businesses and government agencies across the United States and Latin America have looked to CBOSS to deliver feature-rich services and solutions that are cost-effective, reliable, and secure. CBOSS is a validated PCI Compliant Level 1 Service Provider for the Payment Card Industry Data Security Standard (PCI-DSS), which provides the highest levels of security for e-commerce and other e-payment processing services.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Computer hardware and software are not built to last forever. End-of-support operating systems are one of the most common vulnerabilities discovered on enterprise networks. Why? Typically, it’s for one of two reasons. First, the organization may simply have not refreshed its technology.

But end-of-support vulnerabilities can also occur because organizations need legacy software that will only function on an older operating system. Here’s some end-of-support guidance for common operating systems.

Do You Have End-of-Support Operating Systems?

What’s classified as an “end-of-support” or “end-of-life” operating system? End-of-support means that the developer of the operating system will no longer provide technical support, and more importantly, will no longer provide updates to the operating system. No more automatic updates, no patches, no help line to call – serious security issues begin to occur because of this.

Take end of support for Windows 7, for example. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. They’ve given their users plenty of time and warning of this change, but still, some will stay on the end-of-support operating system. Microsoft does its due diligence by explicitly telling users, “You can continue to use Windows 7, but once support ends, your PC will become more vulnerable to security risks. Windows will operate but you will stop receiving security and feature updates,” and encouraging them to transition to Windows 10.

During the infamous WannaCry attack, which spread to 150 countries in May 2017, the National Health Service was victimized because of outdated operating systems. The BBC reported that before the attack, there was no formal mechanism for assessing whether NHS organizations complied with security guidance from NHS Digital. Critical alerts from NHS Digital and other warnings about the vulnerability of end-of-support operating systems were ignored.

Amyas Morse, Comptroller and Auditor-General of the National Audit Office, said:

“WannaCry was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practices. There are more sophisticated cyber-threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

End-of-Support Vulnerabilities in Action

So what happens when organizations use end-of-support or end-of-life operating systems? Hackers know how to exploit these vulnerabilities, and also know how hard it is to keep an end-of-support operating system secure. End-of-support software brings issues like these to your organization:

  • More Security Vulnerabilities – By using end-of-support software and hardware, you’re putting your organization at a higher risk for exploitation by malicious hackers.
  • Technology Incompatibility – Holding onto end-of-support technology forces you to hold onto legacy software. The newest, more secure applications and software aren’t optimized for end-of-support or end-of-life.
  • Higher Cost – If you’re holding out on switching to a new operating system or away from legacy software because of operating costs, you’ve got the wrong mindset.
  • Poor Performance and Availability – Is critical application downtime worth the cost of a software or hardware upgrade?
  • Non-Compliance Issues – Using end-of-support or end-of-life products could endanger the data you are responsible for. How will an auditor or regulator view that lack of effort?

When using an end-of-support operating system, the end user doesn’t have many options to mitigate the threat to their network other than upgrading the operating system. We recommend keeping operating systems up to date by performing regular inventory and planning ahead for technology refreshes, so that legacy software migration or other unforeseen issues don’t pose a problem. It’s also helpful to check with vendors and keep up with any news about upcoming changes to the support status of their operating systems.
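An inventory check in that spirit, added here as an example and not part of the original post: it parses a constructed host list and flags every host whose operating system is past its vendor end-of-support date as of a given day. The Windows 7 date is the one cited above; the Windows XP and Windows 10 dates are Microsoft’s published lifecycle dates, and the host names and inventory format are made up for the example.

```python
"""End-of-support inventory check (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. Windows 7 (2020-01-14) is the date cited in
# the post; Windows XP and Windows 10 are Microsoft's published dates.
# Extend this table from your vendors' lifecycle pages. Hosts whose OS is
# not listed are reported as "unknown" so they are never silently assumed
# to be supported.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}


@dataclass
class Finding:
    host: str
    os_name: str
    status: str          # "supported", "end-of-support" or "unknown"
    days_past_eos: int   # 0 unless status == "end-of-support"


def parse_inventory(text):
    """Parse 'hostname,os name' lines; blank lines and '#' comments are skipped."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, os_name = line.partition(",")
        hosts.append((host.strip(), os_name.strip()))
    return hosts


def assess(hosts, as_of):
    """Classify each (host, os) pair relative to the reference date (date or ISO string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for host, os_name in hosts:
        eos = END_OF_SUPPORT.get(os_name.lower())
        if eos is None:
            findings.append(Finding(host, os_name, "unknown", 0))
        elif as_of >= eos:  # the vendor stops shipping patches on the EOS date itself
            findings.append(Finding(host, os_name, "end-of-support", (as_of - eos).days))
        else:
            findings.append(Finding(host, os_name, "supported", 0))
    return findings


def summarize(text, as_of):
    """Return (end_of_support_hosts, unknown_hosts), each sorted by hostname."""
    findings = assess(parse_inventory(text), as_of)
    eos = sorted(f.host for f in findings if f.status == "end-of-support")
    unknown = sorted(f.host for f in findings if f.status == "unknown")
    return eos, unknown


# Constructed sample inventory; the host names are invented for this example.
SAMPLE_INVENTORY = """\
# hostname,operating system
ws-017,Windows 7
ws-042,Windows 10
lab-legacy-01,Windows XP
kiosk-03,Windows 7
srv-09,Debian 9
"""

if __name__ == "__main__":
    for f in assess(parse_inventory(SAMPLE_INVENTORY), "2020-02-01"):
        print(f"{f.host:15} {f.os_name:12} {f.status:15} {f.days_past_eos:>4}")
```

Feed the real inventory export in place of SAMPLE_INVENTORY and re-run on a schedule; the "unknown" list is the part that most often reveals gaps in the inventory itself.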

Want more information on how to secure your network? Contact us today.

More Assurance Resources

What is Cybersecurity?

Compliance is Never Enough: Secure Software Development

4 Ways to Ensure Security and Maintain Compliance

Imagine if you could search someone’s name on Google, and their full span of medical data and complete medical history was available. An employer could do it, a potential date could do it, an estranged family member could do it – how scary would that be?

There’s debate about how much the average piece of medical data is worth, but trust us, it adds up. The many facets of the healthcare industry – hospitals, pharmacies, insurers, clinics, outpatient facilities, any type of doctor’s office, and every vendor that supports them – combined with healthcare’s under-developed information security and cybersecurity strategies, make it the perfect industry for malicious attackers to target. But why would someone even want to steal or compromise medical data? What is it worth to them? How can penetration testing help?

It could be personal.

In 2018, a Canadian pharmacist was caught using electronic health records to snoop on 46 people she knew. It had been her routine for years. This included spying on family members, coworkers, former classmates, someone she’d been in a car wreck with, her child’s therapist, her child’s girlfriend, and her own medical professionals. Even after she was fired, the pharmacist still gained unauthorized access to the electronic health records and continued to take advantage of it. Sounds random, harmless, but personal, right?

Medical data could also be used for personal, yet malicious, reasons. Sensitive information like plastic surgery history, any medical condition with a social stigma, or behavioral health challenges could be used as blackmail.

It could be financially-motivated.

Family history, Social Security Number, date of birth – these elements of medical data rarely change, giving it more lasting value than most other types of personal data. This is why medical data is a major component of identity theft. There’s enough information gleaned from medical data to completely steal an identity and commit medication fraud, financial fraud, insurance fraud, or worse. Identity theft succeeds through medical data because the data is so private and difficult to alter, for both the living and the deceased. Selling medical data for the purpose of identity theft could be an entire career for some hackers.

Hackers don’t sell medical data only on the black market, though. Research and marketing companies want information about their consumers, right? What about competitors? Would they pay a hacker to steal a medical organization’s expensive research, clinical trial results, or prototypes? How much would a news outlet pay for a professional athlete’s medical data? Or a tabloid for a celebrity’s pregnancy update or plastic surgery history?

It could be an accident.

Employees or business partners to the healthcare industry could compromise medical data unintentionally. It’s unfortunate, but true. The HHS gives example after example of cases where this has occurred. For example, a municipal social service agency disclosed medical data while processing Medicaid applications by sending data to vendors that were not business associates. In another case, due to a flaw in a computer system, a national health maintenance organization sent explanation of benefits by mail to a complainant’s unauthorized family member.

Some employees may think they’re complying with HIPAA or not doing anything wrong, but still inadvertently compromise medical data. An outpatient surgical facility believed that under the Privacy Rule, it could disclose PHI to a research entity for recruitment purposes. But when the facility didn’t get the patient’s authorization or any other type of waiver of authorization, it found itself violating HIPAA’s permissible uses and disclosure rules.

Penetration Testing to Protect Medical Data

Patient engagement, innovative tools, quality of care, and managing the cost of healthcare are all priorities among healthcare providers, and new technology can be a way to meet all of those needs. With this new shift, though, comes more data, more processes, and more ways for an attacker to breach a healthcare organization.

Regular, thorough penetration testing could be an appropriate security solution for many healthcare organizations. With the amount of security updates, segmentation, logging, and monitoring that has to be done across healthcare organizations’ networks and systems, penetration testing could provide that extra set of eyes to observe any vulnerabilities that could put patients at risk. When penetration testing is performed to support healthcare organizations, the goal is to identify issues that could result in unauthorized access to electronic medical data. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to a healthcare organization’s security efforts.

If you’re thinking, “We’re already HIPAA compliant,” what extra efforts are you putting in to ensure medical data is protected? If you have an internal audit team or internal penetration testers, don’t you want outside professionals to come in and validate your security? The severity and complexity of the threats facing healthcare organizations are only increasing. Healthcare organizations need to go above and beyond required testing and compliance to actually secure medical data and protect patients. Could penetration testing be of value to your organization? Let’s find out.

More Penetration Testing Resources

Not All Penetration Tests Are Created Equal

Components of a Quality Penetration Test

7 Reasons Why You Need a Manual Penetration Test

Penetration Testing for HIPAA Compliance

When choosing an audit firm to partner with, it should be more than just a business transaction: you should be thinking about building a relationship with an organization and how its employees will help your organization in the long run. Like any relationship, there are sure to be challenges along the way, and the auditor-auditee relationship is no exception. Whether it’s your first time partnering with an audit firm or you’ve been working with a firm for years, there are a few ways to know that you’re in a good relationship with your audit firm. Let’s take a look at six key signs that prove your audit partner is the right firm for you.

Your audit partner wants you to succeed.

The first prominent sign that you’re in a good relationship with your audit partner is that they want you to succeed. As an information security auditing firm, we often have clients who fear the audit process because of the misconception that audits are pass/fail. This is not the case. At KirkpatrickPrice, our mission is to educate, empower, and inspire our clients to greater levels of assurance by partnering with them to achieve their challenging compliance objectives. As your partner, we will do what’s necessary to guide you toward accomplishing your compliance goals, such as providing additional consulting services and free educational resources. If an audit firm simply treats the audit engagement as a business transaction, meaning they reluctantly come onsite or don’t come at all, show little interest in helping your organization succeed, neglect to provide remediation strategies, or fail to communicate how vulnerabilities can be mitigated, they aren’t helping your organization succeed.

Your audit partner holds you accountable to your goals.

Whether you’ve been asked by a client to undergo an information security audit or your organization has decided to proactively pursue compliance on your own accord, tackling the audit process can be tedious. That’s why you need a partner to hold you accountable. With our Online Audit Manager, senior-level Information Security Specialists, Audit Support Professionals, and client success team, our clients can rest assured that they have a partner that holds them accountable to their goals. At KirkpatrickPrice, we know that pursuing compliance requires a time, personnel, and financial investment that is not to be taken lightly, and we’re committed to ensuring that our clients accomplish what they set out to achieve by the end of the engagement period. Does your audit firm let you frequently put off answering questions? Do they let you keep pushing back the engagement period? If so, they aren’t holding you accountable to your goals and are missing a critical opportunity to exhibit one of the most important signs that you’re in a good relationship with your audit partner.

Your audit partner goes above and beyond for you.

The audit process is more than just uploading documents, answering auditors’ questions, and going through the onsite visit. It’s about achieving challenging compliance goals to strengthen your security posture. At KirkpatrickPrice, we recognize this and have hired personnel to ensure that not only are our clients receiving quality, thorough services from our senior-level Information Security Specialists, but that they also receive quality, thorough reports that are written by a team of technical writers and are thoroughly reviewed by our Quality Assurance team.

We also know that compliance efforts shouldn’t stop when the engagement ends. Because ensuring that your security posture remains strong is an ongoing effort, any audit firm that stops partnering with you after the audit period is complete is doing you a disservice. Does your audit firm currently update you with information security best practices? Do they provide additional consulting services to assist you in maintaining your information security system once the audit period is complete? An audit firm that goes above and beyond the basic audit process is one of the key signs that you’re in a good relationship with your audit firm.

Your audit partner has strong communication skills.

Good communication is one of the staple signs that you’re in a good relationship with your audit partner. We understand that the audit process is challenging enough and adding poor communication into the mix only makes undergoing audits seem that much more daunting. If you have little to no communication with your audit team during the audit, you’re not in a good relationship. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should also be a red flag that you’re not in a good relationship with your audit firm. Think about it: how can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?

Your audit partner knows more than you do.

Getting into a relationship with someone who has very little experience can be challenging and extremely frustrating. When you’re undergoing something as complex as an information security audit, you don’t want someone performing the audit who is still learning the ropes. You want a senior-level professional who has decades of experience working in the industry. If your audit firm sends a junior-level auditor to perform an onsite visit, chances are you won’t be building a good relationship. As part of performing your due diligence when vetting audit firms, make sure you’re verifying that only an experienced professional will be carrying out the engagement.

Your audit partner has a good track record.

Before you enter any business relationship, it’s especially important to make sure that the organization has a good track record. Why? Because if you’re making the investment in compliance, you must practice your due diligence to ensure that you receive a quality, thorough audit. What would be the impact if your client wasn’t satisfied with the quality of your audit? You would have wasted weeks of your personnel and financial resources, opened your organization up to possible breaches, and/or faced steep fines and penalties for non-compliance. There’s a reason why KirkpatrickPrice has partnered with businesses of all sizes and in all places to deliver our quality, thorough audit services. We’ve streamlined the audit process, hired expert professionals to ensure that quality reports are delivered, and committed ourselves to partnering with our clients to achieve their compliance goals.

If you’re just starting out on your compliance journey or are looking to re-evaluate your current relationship with your audit partner, ask yourself: does your audit firm demonstrate these signs that you’re in a good relationship? It’s never too late to make sure that you’re in a good relationship with your audit partner, so contact us today.

More Assurance Resources

When Will You See the Benefit of an Audit?

Getting Executives on Board with Information Security Needs

Why Quality Audits Will Always Pay Off: You Get What You Pay For

5 Questions to Ask When Choosing Your Audit Partner

On November 1, 2018, Canada’s Data Privacy Act amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include the Breach of Security Safeguards Regulations.

Organizations subject to PIPEDA will now have to report breaches that pose a “real risk of significant harm” to affected individuals to the Office of the Privacy Commissioner of Canada (OPC).

What does this new regulation mean for organizations and how can they operate in a way that supports the regulation?

Why Did Canada Introduce a New Breach Notification Law?

The entire world is stepping up its game when it comes to privacy laws because of the continual growth of personal data sharing, unauthorized disclosures, and controversial uses of personal data. PIPEDA is Canada’s federal privacy law that regulates how organizations and businesses handle personal information. Like many privacy laws, it applies when personal information is collected, used, or disposed of for commercial purposes.

The purpose of PIPEDA is similar to that of GDPR or CCPA: to facilitate growth in electronic commerce by increasing the confidence of digital consumers, and to contribute positively to the readiness of Canadian businesses. PIPEDA aims to balance the privacy rights of individuals with the legitimate needs of businesses. Because so many Canadian organizations are required to comply with GDPR, this new regulation will further align PIPEDA with GDPR.

What Does My Organization Need to Know About Canada’s New Data Breach Notification Law?

If you’re not familiar with PIPEDA, Canada’s Data Privacy Act, or the new Breach of Security Safeguards Regulations, the following principles will help you understand the basics of Canada’s new breach notification law:

  • PIPEDA defines a breach of security safeguards as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
  • PIPEDA defines significant harm as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
  • Whether the breach of security safeguards impacts one individual or thousands, it still needs to be reported if there is a real risk of significant harm.
  • Under PIPEDA’s accountability principle, even if an organization transfers personal information to a third party for processing purposes, it’s still responsible for the security of that personal information. Organizations must have appropriate contractual agreements in place to ensure that the relationship complies with PIPEDA.
  • Under the Breach of Security Safeguards Regulations, the contents of notification must include the description and/or cause of the breach, date or period of the breach, description of the personal information that was breached, number of individuals impacted, what the organization has done to reduce risk of harm to victims, how the organization will notify the victims, and a point of contact for information about the breach.
  • When a breach has occurred, the organization must maintain a record for a minimum of 24 months.
  • Failure to report a breach that poses real risk of significant harm could result in fines of up to $100,000 for each individual affected by the breach, if the federal government decides to prosecute a case. Under the current law, the OPC cannot issue fines or corrective actions, only advise organizations on how to make changes.

How Can Organizations Prepare for the Breach Notification Law?

This new breach notification law was released in April 2018, but went into effect in November, giving organizations six months to prepare themselves. Some reasonable preparation steps for your organization include the following:

  • Create a formal incident response plan that has been tested and implemented.
  • Create breach notification templates that include fields for all required content.
  • Conduct a formal risk assessment to determine the likelihood of a breach and the factors that are relevant to a real risk of significant harm.
  • Perform data mapping to determine where personal information is collected, processed, or stored.
  • Assess user access activities and consider operating on a business need-to-know basis.
  • Stay aware of other breaches in your industry and learn from them. Don’t make the same mistakes as your competitors.

More Resources

Privacy Compliance Audits

OPC’s Tips for Containing and Reducing the Risks of a Privacy Breach

OPC’s Self-Assessment Tool for Securing Personal Information

OPC’s Breach Report Form