Independent Audit Verifies Fireproof’s Internal Controls and Processes

Columbus, OH – Fireproof, an information and data management service provider, today announced that it has completed its SOC 2 Type I audit. This attestation provides evidence of Fireproof’s commitment to delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 audit reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s audit report verifies the suitability of the design of Fireproof’s controls to meet the standards for these criteria.

“Our customers’ concerns are our concerns. We take every measure to ensure the safety and security of our customers’ information,” said Mistie McMillin, Administrative Services Manager for Fireproof.

“The SOC 2 audit is based on the Trust Services Criteria. Fireproof has selected the security, availability, and confidentiality criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Fireproof delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Fireproof’s controls.”

About Fireproof

In business for over 100 years, Fireproof is a respected member of the Central Ohio business community and a trusted advisor to its clients on their information management needs. It has 100 employees, half of whom have been with the company for more than 10 years, and a management team with over 125 years of combined industry expertise. Fireproof’s solutions are designed to streamline processes and maximize efficiency, and include Workflow Automation, Document Scanning, Document Management, Offsite Document Storage, Litigation Support, and Document Destruction.

When you vet a company or an individual to perform penetration testing on your organization, what do you look for? Price, certifications, experience? Those are all important, but you must also consider the quality of the penetration testing you will receive. All too often, we see organizations that pay for a penetration test, expecting a thorough service, and instead receive a vulnerability scan relabeled as a penetration test by a misleading firm, giving security officers a false sense of security. A practical check before you sign: ask whether the deliverable will contain manually verified exploitation and attack paths, or only scanner output with a new cover page.

Even if you’ve been undergoing penetration tests for years, how sure are you that your employees can withstand a social engineering attempt? Social engineering is creative, it’s cunning, and it’s a form of penetration testing. It leverages and manipulates human interactions to compromise your organization. The stories that come out of social engineering engagements can be shocking to security officers who believe that the outcomes in these stories could never happen to their organization. Here’s your wake-up call: they absolutely could happen to you.

Social Engineering Stories from the Field

“You won’t be able to do that.”

“You will never get into that secure area.”

“We will see the traffic.”

“None of our employees will give you that type of access.”

We’ve heard it all. It’s hard to convince organizations that our penetration testers will be able to manipulate their employees or environment until they see the results. Here are some of our stories from the field:

  • Tailgating is an easy way to enter secure areas with minimal effort. We’ve had employees hold a door open for us to re-enter their building after hours. Because they’re so ready to leave at 5:00, they don’t ask questions. Once we’re in the building, it’s easy enough to tailgate through doors or hallways protected by some type of access system. We can act like we’re talking on the phone while waiting for an employee to use that same door or hallway, then walk in after them. Doesn’t look suspicious, right? From there, the penetration tester has the access they need.
  • If not tailgating, how about just waiting? We’ve been known to wait in a restroom stall or some other remote area until no one else is in the building, and then we have the access we need to find a network jack and hook our device to it.
  • What could happen when administrators aren’t present to ensure employees are following policies and procedures? We’ve sent team members into clients’ offices with fake work orders; they talked their way into a data center and were then left alone. Easy enough to find a switch in a data center while no one’s watching, right?
  • What could happen during business hours? We’ve seen clients with network jacks in open areas, like next to a public coffee station or restroom. It’s easy enough to plug a device in without anyone seeing or questioning it.
  • What could happen while you’re physically with a penetration tester? If you’re the data center manager and you’re at dinner with a penetration tester, is there any possible way he or she could copy your badge? It’s happened before.

At KirkpatrickPrice, our goal in penetration testing is to make the test as realistic an experience as possible for the client. When we say “simulate a real-world attack,” we mean it. If a hacker is determined to attack you, how far will they go? What methods will they use? We think outside the box to make our security testing more real. Our penetration testers will work all hours to find the perfect attack window; they’re going to work 5:00 pm to 5:00 am, not 8:00 am to 5:00 pm. They will hack while sitting in your parking lot overnight, not in your conference room. We will enlist as many team members as needed to find your areas of weakness. Penetration testing, and especially social engineering, is at the core of why KirkpatrickPrice operates the way that it does. Hackers are intelligent and sneaky, and organizations need to be ready for whatever threat comes their way.

More Penetration Testing Resources

Components of a Quality Penetration Test

Auditor Insights: Vulnerability Assessments vs. Penetration Testing

Ask the Expert: Penetration Testing

The use of mobile devices has absolutely transformed healthcare. Have you ever checked into a walk-in clinic on a tablet? Has a doctor shown you X-rays on a digital screen rather than on film? Have you paid a medical bill through an app? Mobile devices are altering patient care. The need for mobility in healthcare settings is pervasive, and the security threats that mobile devices pose are only going to proliferate. Think about all the elements that support mobile devices in a healthcare setting: servers, networks, data storage, policies, and so on. As technology advances, so does the threat landscape. Mobile devices offer many advantages to healthcare, especially to patient care, but they also change how protected health information (PHI) is exposed.

The Need for Mobile Devices

In any type of healthcare setting, consider the vast amount of tasks that can be completed using mobile devices. Patient management, record maintenance, time management, information gathering, dictation, clinical decision-making, administration, education – it can all be done through tablets, laptops, smartphones, etc. Mobile adoption has replaced pagers, charts, X-rays, calculators, and other formerly key aspects of healthcare.

On a personal level, mobile devices are a must-have. You can bet that any healthcare professional you interact with has a personal mobile device on them. How does this impact your PHI? What controls are in place so that PHI cannot be accessed from a personal mobile device? What does the organization’s acceptable use policy say about when staff may use a personal device in the workplace? Mobile devices are pervasive in healthcare settings, especially when the majority of employees are walking around with one in their pocket.

Data supports the notion that mobile devices require different controls than other devices, like a printer or scanner. According to the Department of Health and Human Services’ HIPAA breach portal, or “wall of shame,” over 45,000 individuals have been impacted so far this year (January 1-September 1, 2018) by a breach of a mobile device. Note that these are only reported breaches to date this year; who knows how many have gone unreported. While hacking, improper disposal, and unauthorized access are factors, the majority of these incidents are due to theft or loss. This highlights the fact that physical safeguards are a major component of securing mobile devices.

How to Safeguard Protected Health Information

Because HIPAA covers the smallest of healthcare providers to the largest health plans in the country, the Security Rule is scalable. It doesn’t require specific technological solutions, but rather, requires organizations to implement reasonable and appropriate security measures to protect PHI and ePHI in their daily operations.

HIPAA Mobile Device Security Policy

  • If a covered entity allows staff to use smartphones under a BYOD policy, it needs a mobile device management (MDM) policy. This approach keeps PHI under the organization’s control at all times and delivers approved applications securely. The policy would require the organization to keep an inventory of all devices and the personnel with access to each, have a method to determine the owner and purpose of each device, and document the authentication required to use the device. It should also provide remote wipe capability in case a device is lost or stolen.
  • Whether devices are BYOD or company-owned, organizations should develop a usage policy. If usage policies are not implemented, personnel could use mobile devices in a way that violates company policy, allowing malicious attackers to gain access to critical systems and PHI. Use PCI DSS Requirement 12.3 (usage policies for critical technologies) as a reference for the basics of a usage policy.
  • A policy for access and privileges based on business need to know is a smart choice for HIPAA compliance. This is a more technical policy that limits who can access PHI and makes access trackable, so that if a breach does occur you can trace the source.
  • The HIPAA Security Rule lists encryption as an addressable implementation specification rather than a required one: a covered entity must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative in place. For mobile devices it is usually the single most valuable safeguard, because under HHS breach notification guidance PHI that is encrypted to that guidance is not “unsecured PHI,” so a lost or stolen device whose contents were properly encrypted, with the key not recoverable from the device, generally does not trigger a reportable breach. Encryption converts the original information into ciphertext that is unreadable unless an individual holds the key needed to decrypt it.

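The encryption and remote-wipe controls in the list above, shown as an added Go example (this is not KirkpatrickPrice’s code, nor any MDM vendor’s). It assumes a device-local AES-256-GCM key, binds each record’s identifier as additional authenticated data so ciphertexts cannot be swapped between records, and implements “remote wipe” as crypto-erase: destroying the key leaves every stored ciphertext permanently unreadable, which is how a lost device with properly encrypted PHI stays out of the breach portal. The record contents and identifiers are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceVault models the at-rest protection an MDM-enrolled mobile device
// applies to PHI: each record is sealed with AES-256-GCM under a key that
// never leaves the device. Remote wipe is implemented as crypto-erase.
type DeviceVault struct {
	key   []byte
	aead  cipher.AEAD
	wiped bool
}

// NewDeviceVault generates a fresh random 256-bit device key.
func NewDeviceVault() (*DeviceVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return VaultFromKey(key)
}

// VaultFromKey builds a vault around an existing key (for example one
// released by the device's secure element after a successful unlock).
func VaultFromKey(key []byte) (*DeviceVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &DeviceVault{key: key, aead: aead}, nil
}

// Seal encrypts one PHI record. The record identifier is bound as additional
// authenticated data, so a ciphertext cannot be moved to another record
// without detection. Output layout: nonce || ciphertext || GCM tag.
// A random 96-bit nonce is fine for per-device volumes; a single key used
// for billions of records would need a counter nonce or periodic rekeying.
func (v *DeviceVault) Seal(recordID string, plaintext []byte) ([]byte, error) {
	if v.wiped {
		return nil, errors.New("device wiped: key destroyed")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts and verifies a sealed record. Tampering, a wrong key, or a
// mismatched record ID all fail the GCM tag check and return an error.
func (v *DeviceVault) Open(recordID string, sealed []byte) ([]byte, error) {
	if v.wiped {
		return nil, errors.New("device wiped: key destroyed")
	}
	ns := v.aead.NonceSize()
	if len(sealed) < ns+v.aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return v.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// RemoteWipe is the MDM "lost or stolen" action: zero and discard the key.
// Every ciphertext already on the device is now unrecoverable.
func (v *DeviceVault) RemoteWipe() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
	v.aead = nil
	v.wiped = true
}

func main() {
	vault, err := NewDeviceVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"A1B2C3","dob":"1970-01-01","dx":"J45.20"}`)
	sealed, _ := vault.Seal("patient-0001", record)
	fmt.Printf("sealed %d-byte record into %d bytes\n", len(record), len(sealed))

	if _, err := vault.Open("patient-0002", sealed); err != nil {
		fmt.Println("record ID mismatch rejected:", err)
	}
	vault.RemoteWipe()
	if _, err := vault.Open("patient-0001", sealed); err != nil {
		fmt.Println("after remote wipe:", err)
	}
}
```

In a real deployment the key itself is wrapped by the device’s hardware-backed keystore and only released after the user authenticates, which is what ties the “document authentication for the use of the device” requirement to the encryption control: without the unlock, there is no key, and without the key, there is no PHI.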
The National Cybersecurity Center of Excellence developed Cybersecurity Practice Guide NIST SP 1800-4, Securing Electronic Health Records on Mobile Devices, which provides further best practices for safeguarding PHI on mobile devices. As you develop safeguards to protect PHI on mobile devices, remember that these devices require different physical security controls than other equipment, and in-depth usage policies.

Are you unsure if your policies protect PHI during the use of mobile devices? Want to learn more about HIPAA compliance obligations? Contact us today to begin your compliance journey.

More HIPAA Resources

Using the NIST Cybersecurity Framework to Protect PHI

Managing Business Associate Compliance

Penetration Testing for HIPAA Compliance

Enforcement Trends: Lessons from the HIPAA Privacy Rule

Are you a CISO, CCO, ISO, or member of the IT department who is building and leading a cybersecurity strategy? Don’t know where to start? The foundation of a cybersecurity strategy should be built on basic principles of security: patch management, risk assessment, network monitoring, and vulnerability management. From there, you must cultivate awareness of the evolving threat landscape, observe regulatory responses, continue to train and invest in your team, and secure executive support for your strategy.

The Threat Landscape

Modern businesses require some type of connection to cyberspace, which opens them to new risk factors. When building a cybersecurity strategy and a cybersecurity risk management program, it’s crucial to assess the internal and external threats that pose risk to your organization. Cyber threats are becoming more sophisticated every day, and they pose major financial, organizational, and reputational risks to all industries, regardless of the size or type of business. Phishing, whaling, Petya, WannaCry, DoS/DDoS: organizations must learn from others’ mistakes about the complexity of these threats and the amount of damage they cause.

Observing Regulatory Responses

Regulators have responded to the evolving cyber threat landscape, and so should your organization. The AICPA saw a need in the industry that it could fill: a general-use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. 23 NYCRR Part 500, the New York Department of Financial Services cybersecurity regulation, established cybersecurity requirements for financial services companies in New York, requiring them to develop a cybersecurity program that protects sensitive customer information and the confidentiality, integrity, and availability of their information technology systems. NIST, PCI DSS, penetration testing, vendor compliance assessments: these are all responses to how interconnected information systems have become, and to the question of how organizations can protect their data, networks, systems, and assets.

As new tools, requirements, and frameworks become available, evaluate which ones apply to your organization or which you should consider being tested against. A strong cybersecurity initiative requires that your team know how industries and regulators are responding to cybersecurity threats.

Investing in Your People

There are threats coming specifically for your employees, so there are many new policies and procedures to introduce to them as a part of your cybersecurity strategy – system access and privileges, appropriate use, logging methods, new tools. Your employees need to know what all of this means and how to protect themselves. You never want your cybersecurity strategy to be secretive, confusing, or unengaging; this will leave your team uninterested and unmotivated to support the initiative.

A cybersecurity strategy must also involve training. Security awareness is your first line of defense, so invest in relevant, engaging, consistent training. For those team members who are an integral part of your cybersecurity strategy, provide appropriate professional development to keep them up-to-date on methods and techniques that could be used against new threats.

Executive Buy-In

Executives, management, stakeholders, boards, and integral business partners all need to support your cybersecurity initiative. Without a tone-from-the-top attitude, cybersecurity risk management programs cannot thrive and function the way they are intended to. How do you gain their support?

  • Communicate that your cybersecurity strategy aligns with business objectives.
  • Provide examples of real cybersecurity incidents, whether they’ve occurred at your organization or to someone else in your industry, and then explain how your cybersecurity strategy could’ve prevented that incident. You want to use real-world examples to explain the gravity of the threats and the need for your program.
  • Data breaches take a financial hit on any organization. Communicate the cost of a breach to management and then explain how your strategy is a form of insurance.
  • Explaining the competitive advantage of cybersecurity efforts is always a safe bet for securing executive buy-in. Your clients want to know that you’re doing everything possible to keep their data and assets safe; they may be more loyal to you if you can demonstrate the cybersecurity controls and program that you have in place.
  • Describe the types of cybersecurity attacks that target them. The logic behind whaling attacks is to target the most senior-level employees because of their authority and amount of access. It’s not uncommon for whaling attacks to work, because so many executives do not participate in the same security training as other employees.

Interested in learning more about protecting your organization from cyber threats? Contact us today and we’ll get you started on the right path!

What would it cost you if your top client was not satisfied with the quality of your audit? In the current threat landscape, it’s absolutely crucial for organizations to find information security audit firms who take risk factors, security and privacy obligations, and cybersecurity seriously.

How to Choose an Audit Partner?

In order to successfully protect your data and your reputation through an information security audit, you must first choose an audit firm. This firm is the entity that will have access to your people, your assets, your data, and your risks. This can be an overwhelming task, but it’s extremely important. Hiring a firm to provide information security audit and assurance services to your organization is the first step in developing a relationship with the professionals who will be uncovering unknown vulnerabilities, testing your security and privacy methods, and preparing you for future compliance efforts. Choosing an audit firm to partner with is a financial investment, but it also requires your time and your resources. We know this is an important decision, so let’s look at a few qualities to consider when choosing an audit firm.

First and foremost, you’ll need to determine if the firm is qualified. When you’re undergoing something as important as an audit, you want to work with the best. For any information security audit, you need to hire a firm that is appropriately qualified and hires experts. What makes someone an expert? It may sound obvious, but for an information security audit, your auditor needs to have information security certifications, such as CISA, CISM, CRISC, or CISSP.

When vetting an audit firm to work with, you should also ask about the experience of their auditors. Would a junior auditor or recent graduate be managing your project? For a quality, thorough audit, you want to work with a skilled professional who has a diverse or extensive background in information security and technology. This enables them to test comprehensively, analyze results, and use those results to support future compliance efforts. You may need to do some extra research to find out this information, but hiring a firm with qualified auditors will make a major difference in the quality of your audit.