Independent Audit Verifies ContractSafe’s Internal Controls and Processes

Malibu, CA – ContractSafe, a contract management software provider, today announced that it has completed its SOC 2 Type I audit. This attestation provides evidence that ContractSafe has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of ContractSafe’s controls to meet the standards for these criteria.

“Our customers trust us with their contracts,” said ContractSafe CEO Ken Button. “We want them to sleep at night knowing that we have top-notch security and availability. A SOC 2 audit is a great third party validation that our security meets and exceeds industry standards. It’s one thing for us to say it… it’s another to provide independent verification from an expert.”

“The SOC 2 audit is based on the Trust Services Criteria. ContractSafe has selected the security and availability criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “ContractSafe delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on ContractSafe’s controls.”

About ContractSafe

ContractSafe is a SaaS (software as a service) contract management system that is hosted on Amazon Web Services. ContractSafe helps companies organize and quickly find contracts and provisions, and also sends out alerts for any key dates (compliance, renewal, termination, payment, etc.). ContractSafe has award-winning ease-of-use, best-in-class customer service and ground-breaking Artificial Intelligence to allow quick implementation and simple management. Find out more at www.contractsafe.com or info@contractsafe.com.

What would be the impact to your organization if your information security auditor did not conduct a thorough audit? How would it impact your organization if you partnered with an auditing firm whose quality of services and integrity was questioned by industry regulators? Too often, organizations must deal with the aftermath of receiving an audit that wasn’t thorough enough. This could mean public-facing S3 buckets, Active Directory policies that do not reflect written policies, failures of physical safeguards, cardholder data that is inadvertently exposed to the public, or worse. These organizations have to deal with breaches, fines and penalties, and in extreme cases, losing their business altogether. At KirkpatrickPrice, we want to make sure that your organization never faces these consequences, and we do this by delivering quality audits. But what does that mean? Let’s discuss what a quality audit looks like and why it will always pay off.

What is a Quality Audit?

A quality audit can mean different things depending on the intention of the organization receiving the audit. If a business seeks out an audit firm for the sole purpose of checking a box off a to-do list, they probably aren’t looking for what we believe to be a quality audit. We want to partner with organizations who are committed to improving their security posture, finding and mitigating vulnerabilities in their systems, and collaborating with an auditor to ensure that the audit process is effective. To us, a quality audit has the following qualities:

  • The audit firm is qualified. This means that members of leadership have extensive experience in information security and the firm itself has the appropriate qualifications. For SOC 1 and SOC 2 audits, that would be a CPA firm. For a PCI audit, that would be a QSA. For a HITRUST CSF assessment, that would be a validated HITRUST CSF Assessor.
  • The audit will be conducted by senior-level information security specialists who hold industry certifications and are regarded as experts. If a junior-level auditor or an auditor with no relevant information security certifications has been assigned to perform your audit, consider how that lack of experience could impact your organization.
  • The organization has appropriate communication. If you have little to no communication with your audit team during the audit, this should be a red flag. If you are suspicious that any step in your process is being outsourced (penetration testing, report writing, etc.), this should be a red flag. How can an auditor conduct a thorough audit if they aren’t speaking with you about your systems? How can they understand your business without analyzing it firsthand?
  • There should absolutely be an onsite visit. If an audit firm offers to conduct an entire audit remotely, they are going to miss physical security vulnerabilities that could greatly impact your security posture. When our auditors go onsite, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. What would your auditor miss if they didn’t come onsite?
  • The audit firm should have a quality assurance program in place to ensure that auditors’ work is consistent and thorough. If there is no quality assurance program, how can you be sure that the auditor performed their due diligence?

The Cost of a Quality Audit

When it comes to an information security audit, it’s critical that those approving budgets for information security audits understand that you get what you pay for. If you’re being pressured to find the lowest-cost audit, ask yourself what you’re willing to give up in order to save money. If you see a quote that is significantly lower than the others, will the cheap price be worth a lack of thoroughness? How shocked would your supervisor be if you were considered to be, for example, PCI compliant, but then an undiscovered vulnerability was breached, and your organization’s reputation was compromised? Would a cheap audit be worth the aftermath of an expensive breach? Being able to explain the value of a quality audit to your team is crucial.

Misconceptions About Quality Audits

While financial considerations play a major role in why organizations partner with certain firms, there’s one other quality that many businesses look for in an audit firm: name recognition. Many organizations fall into the false perception that firms like the Big Four, who have names that are recognized across industries, deliver the most credible reports. That isn’t always the case. In fact, in recent years, the Financial Reporting Council (FRC) has investigated the Big Four due to significant decreases in the quality of their auditing practices. They’ve even gone so far as introducing harsher penalties for insufficient audit practices, because even after multiple fines and warnings, the Big Four still showed a lack of quality and integrity in their audits.

Ensuring that your organization receives a quality audit doesn’t have to be a difficult process; a little due diligence on your part can go a long way when vetting information security auditing firms. Don’t fall into the trap of engaging with a firm that won’t be able to deliver the kind of thorough audit that you need. Protect your organization’s financial stability, reputation, and operations and gain assurance by partnering with KirkpatrickPrice to receive a quality audit. Contact us today to begin learning about our quality guarantees.


Independent Audit Verifies Costello’s Internal Controls and Processes

Indianapolis, IN – Costello, a sales playbook software provider, has announced that it has completed its SOC 2 Type I audit. This attestation provides evidence that Costello has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Costello’s controls to meet the standards for these criteria.

“At Costello, we prioritize any action that will provide increased protection for our clients,” commented Charlie Moad, VP of Engineering at Costello. “This certification reinforces our ongoing commitment to providing the most secure and reliable sales solution on the market.”

“The SOC 2 audit is based on the Trust Services Criteria. Costello has selected the security and availability criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Costello delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Costello’s controls.”

About Costello

Costello is real-time sales playbook software that helps you have great sales conversations. Costello guides sales professionals to ask the right questions, tell relevant stories, handle objections, and answer questions about competitors confidently in real-time. Notes captured on the call are then easily synced back to your CRM. Visit andcostello.com to learn more.

During an age when information and data fuel businesses, understanding the value of cybersecurity in protecting data is crucial. Lawmakers and business owners are continuously recognizing the new, complex risks that come from doing business in cyberspace every day. That’s why on August 3, 2018, Ohio Governor John Kasich signed Senate Bill No. 220, the Ohio Data Protection Act. This legislation makes Ohio the first state to enact a law that incentivizes businesses to implement a cybersecurity program by providing a safe harbor to businesses that do so. Let’s discuss what the Ohio Data Protection Act requires of businesses and how it can protect them.

What the Ohio Data Protection Act Is and Isn’t

This legislation is a part of CyberOhio, an initiative led by Mike DeWine, Ohio’s Attorney General. CyberOhio aims to help businesses defend themselves against the ever-changing cyber threats. Legislation like the Ohio Data Protection Act is a major component of the CyberOhio initiative. It’s a way to protect businesses and consumers from the harm that data breaches cause.

The law clearly states that the Ohio Data Protection Act is not meant to be a minimum cybersecurity standard that must be achieved by businesses in Ohio. Unlike other states’ cybersecurity laws (like New York’s regulation for financial services companies), the Ohio Data Protection Act is voluntary. It gives businesses a reason to be proactive with their cybersecurity program instead of introducing additional regulations they are required to follow.

The law does not alter any of Ohio’s current breach notification laws, but it does establish a legal safe harbor to be pled as an affirmative defense when a business is accused of failure to implement reasonable information security controls that resulted in a data breach.

Requirements of the Ohio Data Protection Act

A business seeking to comply with the Ohio Data Protection Act must do the following:

  • Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal and/or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework
  • Design a cybersecurity program that protects the security and confidentiality of personal and/or restricted information
  • Design a cybersecurity program that protects against any anticipated threats or hazards to the security or integrity of personal and/or restricted information
  • Design a cybersecurity program that protects against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or fraud to the individual to whom the information relates

Because there are so many types of businesses in Ohio, the law does take scalability seriously. In 2018, the U.S. Small Business Administration reported that there are over 944,000 small businesses based in Ohio; those businesses must have the same opportunity for compliance as any other size of business. The law states that the scope of a business’s cybersecurity program depends on the following factors:

  • Size and complexity of the business
  • Nature and scope of the activities of the business
  • Sensitivity of the information being protected
  • Cost and availability of tools to improve information security and reduce vulnerabilities
  • Resources available to the business

Basis for a Cybersecurity Program

The Ohio Data Protection Act has selected five industry-recognized cybersecurity frameworks that businesses should model their cybersecurity programs after. These frameworks include:

The law also says that if a business is subject to any other regulations, like HIPAA, FISMA, or PCI, its cybersecurity program must also be compliant.

When a revision to any of the frameworks listed above is released, businesses complying with the Ohio Data Protection Act have one year to conform to the revised edition.

If you are interested in complying with the Ohio Data Protection Act or want to learn more, contact us today. We’d be happy to discuss how your current or future compliance efforts could align with this legislation.


What is an ISO 27001 Audit?

ISO 27001 is the only internationally accepted standard for governing an organization’s information security management system (ISMS), created by the International Organization for Standardization (ISO). ISO is an independent, non-governmental international organization with a membership of 161 national standards bodies. It brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.

The ISO 27001 standard regulates how organizations create and run an effective ISMS through policies and procedures and associated legal, physical, and technical controls supporting an organization’s information risk management processes. An ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It’s vital that an ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

How Can ISO 27001 Compliance Benefit Your Organization?

Do you want to give clients and prospects a reason to trust your services? Do you want to demonstrate your commitment to security to global business partners? ISO 27001 certification provides organizations with an evolving ISMS that can adapt to new challenges and validates your commitment to security. It’s the gold standard for information security management and can be used in any vertical. Implementation is customized for each organization to treat their particular risks.

ISO 27001 certification brings value to organizations through:

  • Demonstrating to your business partners that you have a mature and risk-based information security program in place.
  • Helping you prioritize your information security budget and resources based on risk, because ISO 27001 is customized for your environment and based on your specific risks.
  • Effectively managing disparate standards like PCI, HIPAA, HITRUST CSF, and FISMA in a comprehensive and repeatable way.
  • Recognizing that you use and implement international best practices.

Undergoing an ISO 27001 audit is also a way to be proactive in your information security and compliance efforts, which could be just what you need to stay ahead in your industry.

Connect with an ISO 27001 expert.

Still have questions about ISO 27001? We’ve got you covered. Connect with one of our ISO 27001 experts today to become unstoppable.