Ensuring that your organization is GDPR compliant is paramount if your call center collects, stores, processes, or transmits the personal data of EU data subjects. Because of this, we suggest following these GDPR best practices:

  1. Data Mapping: Organizations need to identify where their data is coming from and where it goes. A call center associate might collect a name, date of birth, and email address, but a payment collection associate might collect just payment card information. If a data subject requests that data is erased, you must be able to identify where each piece of information lives and which channels it goes through.
  2. Identify and Document Each Legal Basis for Processing: Organizations may have multiple processing activities occurring at the same time. For example, if your call center associate is an EU data subject, you would need to establish a legal basis not only for processing the consumer’s data, but also to establish and document a legal basis for processing your employee’s personal data.
  3. Create a Flow Chart for Data Subject Rights: Organizations must understand each right that GDPR gives EU data subjects. For example, if a data subject submits a request for erasure based on a withdrawal of consent, your organization must be able to identify if it can refute that request for erasure because it has a legal requirement to keep that data, if it’s in the public interest, or if the data is being used for litigation purposes.
  4. Establish and Monitor Security Standards: Organizations must identify appropriate technical and organizational measures to ensure security based on the risk of processing. If your organization, for example, processes special categories of data such as genetic data, healthcare data, biometric data, or racial data, you’re going to have greater risk and thus will need greater security measures.

Following these four GDPR best practices will help your organization demonstrate your commitment to GDPR compliance, but it’s just the tip of the iceberg. For more information about GDPR compliance or to learn about our GDPR services, contact us today.

In the 2017 Internet Crime Report, an estimated $1.4 billion was lost due to different types of cybersecurity attacks. So, what does that mean for your industry? Simply put: no organization is safe these days. Data breaches have been occurring much more frequently, and malicious hackers are looking for any weak link in your organization to compromise your security posture. You must learn how to protect yourself, your clients, and your data from malicious hackers by ensuring that your security posture is up-to-date, in place, and functioning properly. Let’s take a look at the common types of cybersecurity attacks, how organizations have been affected by them, and what you could be paying in the event that an attack happens to you.

Types of Social Engineering

Social engineering attacks occur every day and can put your organization, your employees, and your clients at risk. Social engineering is a type of cybersecurity attack that leverages and manipulates human interactions in order to gain unauthorized access to your organization. Social engineering targets your employees, from entry-level to C-level, in hopes that they will unintentionally compromise your organization. Types of social engineering attacks include:

  • Phishing: Involves some type of deceptive, false communication, usually intended to compromise credentials or inject malware. I’m guessing that in the last year, you’ve gotten at least one phishing email. These emails attempt to look legitimate, but when you click the embedded link or download the PDF, you compromise your systems.
  • Spear-Phishing: A more targeted, customized attack than phishing. In a spear-phishing attack, the target will see their name, position, office number, or some other piece of personalized information in an email, which tricks them into thinking the email is legitimate.
  • Whaling: When a spear-phisher makes a conscious decision to target C-level employees, this is considered whaling. The logic behind whaling is to attack the most senior-level employees because of their authority and amount of access. It’s not uncommon for whaling attacks to work, because so many executives do not participate in the same security training as other employees.

In 2017 alone, the Internet Crime Report attributes $29.7 million in losses to social engineering attacks. Organizations such as LifeLock, SnapChat, and Seagate have been notable victims of social engineering attacks. Each of these organizations lost critical data such as employees’ social security numbers, W-2 tax information, email addresses, phone numbers, and dates of birth.

Can every single employee at your organization quickly identify a social engineering attack? Social engineering specifically counts on employees’ lack of awareness, inadequate security training, and informal usage policies. With the amount of phishing, spear-phishing, and whaling that occurs every day, employee awareness is crucial to the security of your organization.

Cybersecurity and Malware

Malware is a type of cybersecurity attack that compromises systems through external software that has been written specifically to cause harm. Ransomware, a sophisticated type of malware, is the attack method you’ve seen over and over again in the headlines. Ransomware essentially holds data hostage using encryption keys until the target pays the ransom. This type of malware attack exploits both human and technical weaknesses, and the result is usually a lose-lose scenario. Your organization could pay the ransom and recover the data, but then your ransom is funding other cybersecurity attacks. You could pay the ransom but never recover your data, and still have to pay the costs of repair. Or you could choose not to pay and not recover, but then you’ve lost your data and now have to pay the costs of repair. Think about the City of Atlanta – the SamSam ransomware attack cost the city over $2.6 million in recovery efforts and took down major departments. The financial, reputational, and operational implications are exactly the reason why malware prevention is so important.

Ransomware attacks that have made headlines recently include:

  • WannaCry: Resulted in more than 200,000 infections across 100 countries within days, using leaked vulnerabilities found by the NSA. Britain’s National Health Service and Germany’s Deutsche Bahn were among the hardest hit. Ironically, the critical patch needed to prevent WannaCry was available before the attack began.
  • Petya: Global attack using the EternalBlue vulnerability in Microsoft Windows.
  • NotPetya: Suspected as a state-sponsored attack that represents a weaponization of ransomware; traditional recovery vectors outside of backups and business continuity planning were largely ineffective.

It’s worth noting that no type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of infecting systems. Black Energy, Storm, Conficker, and Duqu remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses simply persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Denial of Service Attacks

A Denial of Service (DoS) attack is a type of external intrusion used by malicious hackers to shut down the web servers of organizations – banking, commerce, government, and trade companies – by flooding or crashing them and exploiting vulnerabilities in their systems. Similarly, a Distributed Denial of Service (DDoS) attack is a more extreme, complex form of DoS because hackers flood a system from more than one location, increasing the number of machines involved and making the attack more difficult to track and shut down.

These types of cybersecurity attacks prevent employees and other network users from using an organization’s systems, causing organizations to lose both time and money while trying to get their systems back up and running. Although DoS/DDoS attacks don’t often result in the loss of sensitive information, hackers frequently demand a ransom. Cryptocurrencies have recently become large targets of DoS/DDoS attacks, with an attack against the cryptocurrency Verge resulting in around $1.7 million being stolen.

What do each of these types of cybersecurity attacks have in common? They each pose major financial, organizational, and reputational risks to all industries, regardless of the size or type of a business. Are you prepared for when, not if, one of these attacks happens to you? Contact us today for information on how we can support you and ensure that you have a strong security posture in place.


If your organization utilizes a third-party vendor to conduct part of your business process – whether that be billing, customer service, data processing, etc. – the risks associated with that partnership could ultimately put you out of business. Because of this, establishing a formal risk assessment process allows organizations to do their due diligence and lays the foundation for effective vendor compliance management. But how can it be done? Start by identifying the types of risks that your vendors pose to your enterprise. By properly vetting your vendors and having a formal, documented risk assessment in place, you’ll be able to mitigate potential threats to your organization. Let’s take a look at what a formal risk assessment is and some of the most notable risks that your vendors could pose to your security posture.

What is a Formal Risk Assessment?

While a gap analysis allows organizations to compare the controls they have in place with the controls they are trying to attest to and then remediate the identified vulnerabilities, a risk assessment goes a step further: it allows organizations to identify, assess, and prioritize organizational risk. Risk assessments evaluate the likelihood and impact of those threats actually happening and give you an opportunity to evaluate your current security controls to determine if what you’re doing will be an effective defense mechanism against a malicious attack. Without a risk assessment, an organization can be left unaware of where their critical assets live and what the risks to those assets are. This is why most information security frameworks require a formally documented, annual risk assessment and why we suggest that a risk assessment should be your first step in implementing an effective vendor compliance management system. When it comes to vendors, think of it this way: conducting a formal risk assessment allows your organization to be proactive rather than reactive. Risk assessments will give your organization the upper hand by allowing you to stay ahead of a malicious attack and address the potential adverse impact, saving your business from any operational, financial, or reputational loss.

Types of Third-Party Vendor Risk

Without a vendor compliance management system in place, an organization is much more likely to suffer some sort of loss. Thus, understanding the types of risks that your vendors could carry is critical in maintaining a strong security posture, avoiding fines and penalties, and safeguarding your business’ reputation. Conducting a risk assessment ensures that your organization performs its due diligence and is committed to upholding a strong security posture.

  1. Operational Risk: Because organizations that enter into contracts with third-party vendors typically do so to fulfill a business need or because the vendor excels in a certain function, the operational risk that a vendor poses needs to be strongly considered. If a vendor’s processes fail, how would your operations continue? If one of your vendors was a cloud service provider and their service was suspended, how would your organization recover?
  2. Financial Risk: Determining the financial risk that your third-party vendor carries goes hand-in-hand with operational risks. If one of your vendors was breached, how would your organization be financially impacted? Would you have to pay legal fees, regulatory fines, or for the cost of an investigation?
  3. Reputational Risk: The reputational risk that a third-party vendor poses to your organization should not be overlooked. If a third-party vendor is known for security breaches or ethical violations, what impact could that have on your business? Does the vendor you’re partnering with hold the same core values that your organization does? If a vendor causes your organization to be breached, how will your clients view your organization – as a trusted resource or an insecure service?
  4. Compliance Risk: Regulatory compliance efforts are at an all-time high and organizations are requiring their third-party vendors to demonstrate compliance more frequently. When implementing a vendor compliance management system, you’ll need to consider what the risks are if your vendor violated a regulation. For example, if your third-party vendor is considered a data processor, what would the impact be if they violated GDPR? If your payment processor violated the PCI DSS, what would the implications be for your compliance?

Many of these third-party vendor risks go hand-in-hand, but analyzing each category is a useful strategy when properly vetting a potential vendor. If you rely on a third-party vendor to perform a critical part of your business process, establishing a vendor compliance management system is crucial. Have you assessed the risks that your third-party vendors pose?

Need help identifying your vendors’ risks? We’re here to help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you ensure that you’re properly vetting your vendors.

What is an Executive Charter?

When your organization begins preparing to undergo a HITRUST CSF assessment, management needs to review what their own responsibilities are, regardless of how seemingly small some of them might seem. For example, does your organization have an executive charter in place that delegates the responsibilities of the CISO? What level of involvement do your C-level executives have in your information security program? In this webinar, Shannon Lane dives into one of the most commonly missed components of a HITRUST CSF assessment, the executive charter, and provides guidance on how your organization should go about ensuring that one is in place.

An executive charter is a policy that drives your entire organization’s security posture. It demonstrates whether or not your senior-level executives are involved in your information security program, grants rights, responsibilities, and power to departments, defines the responsibilities of individuals, establishes baseline accountability and a reporting structure, and should be built into your organization’s foundational documentation.

Because the executive charter sets out who does what at each level, it serves as a type of check-and-balance system for an organization. Specifically, the executive charter for an information security management policy does this by outlining the following:

  • Addressing the CISO role and IS department
  • Defining the powers and responsibilities of the CISO/ISO
  • Defining the reporting structure of the CISO/ISO
  • Establishing the independence of the IS department
  • Allowing the IS department to set appropriate policies to the limits allowable by the CEO
  • Empowering the IS team within the whole of the corporate structure
  • Defining the limits of the IS team operation

Is My Executive Charter Compliant?

When you’re engaging in a HITRUST CSF assessment, KirkpatrickPrice Information Security Specialists will be looking to validate that your executive charter adheres to HITRUST CSF protocols. In order to ensure that your executive charter meets the expectations of the HITRUST CSF, you’ll need to ensure that your senior management officials have assigned an individual or group to do the following:

  • Ensure the effectiveness of the information protection program through program oversight
  • Establish and communicate the organization’s priorities for organizational missions, objectives, and activities
  • Review and update the organization’s security plan
  • Ensure compliance with the security plan by the workforce
  • Evaluate and accept security risks on behalf of the organization

You’ll also need to ensure that your executive charter meets the following HITRUST CSF requirement statements:

  • A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements.
  • The owner of the security policies has management’s approval and is assigned the responsibility to develop, review, update, and approve the security policies, and such reviews, updates, and approvals occur no less than annually.
  • An individual or dedicated team is assigned to manage the information security of the organization’s users.

The executive charter lays the foundation for a strong security posture. To learn more about how to establish and implement an executive charter to prepare for your HITRUST CSF engagement, watch the full webinar. To get started on your HITRUST CSF journey, contact us today to speak to an expert.

Most organizations outsource some aspect of their business to vendors, whether it’s to perform a specific, integral task or replace an entire business unit. Vendors can be in roles like customer support, financial technology, record storage, software development, or claims processing. Using vendors can further an organization’s business objectives, enable them to function more effectively, and may be more cost-efficient. With all these opportunities, organizations must remain aware of the risks vendors carry with them.

As a result of the additional risks that vendors bring, more and more organizations are asking vendors to receive SOC 1 or SOC 2 attestations. But, when you do receive a SOC 1 or SOC 2 report from a carved-out vendor, do you know how to read it? Which areas do you focus on and what do the results mean? SOC 1 and SOC 2 reports are lengthy and complex, but incredibly important in understanding the risks posed to your organization. Let’s take a look at some key components of SOC 1 and SOC 2 reports that will help you analyze the security of your vendors.

Who Issued the SOC 1 or SOC 2 Report?

SOC 1 and SOC 2 reports follow a pattern. Each gives the vendor management’s assertion, the independent service auditor’s report, the vendor’s description of its system, and the tests of controls. Before you begin reading, though, there’s one initial question to ask when reviewing a SOC 1 or SOC 2 report: who issued the report? As stipulated by the AICPA, SOC reports can only be issued by a CPA firm. We recommend checking that the firm that issued the report is a licensed CPA firm; without a CPA firm license, the firm does not undergo a peer review, which is a review of its accounting and auditing practices once every three years after its initial peer review.

Although CPAs and CPA firms can issue a SOC report, you should also be asking if the individual or firm has information technology or information security certifications. Let’s not forget: SOC 1 and SOC 2 audits are information security audits. These aren’t your typical financial audits that you usually get from a CPA. We recommend encouraging your vendors to engage a CPA firm that specializes in information security for SOC 1 and SOC 2 audits. Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), and Certified Risk and Information Systems Control (CRISC) are rigorous certifications showing expert knowledge of information security and cybersecurity. These types of certifications are crucial to receiving a quality audit and what you should be looking for from your vendor’s licensed CPA firm.

The Auditor’s Opinion in a SOC 1 or SOC 2 Report

A SOC 1 or SOC 2 report contains an independent service auditor’s report, which states the auditor’s opinion regarding the description of the vendor’s system, whether the system was presented fairly, and whether the vendor’s controls are suitably designed. When reviewing a vendor’s SOC 1 or SOC 2 report, you will want to pay attention to the controls that impact your security. The auditor’s opinion can be presented in four possible variations:

SOC Unqualified Opinion

Issued when the auditor fully supports the findings, with no modifications.

SOC Qualified Opinion

Issued when the auditor cannot express an unqualified opinion, but the issues are not so severe that they need to issue an adverse opinion.

SOC Adverse Opinion

Issued when the auditor believes that report users should not rely on the vendor’s systems.

SOC Disclaimer

Issued when the auditor cannot express an opinion because they were unable to obtain sufficient evidence on which to base their opinion.

An unqualified opinion from your vendor’s independent auditor is what you should be looking for, because any other opinion should cause your organization to evaluate the impact of the qualifications.

What Was Audited During the SOC 1 or SOC 2 Audit?

Your vendor will decide what will or will not be in-scope for the SOC 1 or SOC 2 audit, and this will be described in your vendor’s description of its system. This provides background information on the vendor to the report user and provides a description of the software, people, procedures, and data within the organization’s in-scope environment. Because you’re familiar with your vendor’s systems and infrastructure, you’ll be able to gauge anything they’ve chosen to exclude from the audit, which may or may not be important to the security of your system and data.

Analyze Exceptions and Non-Compliance in the SOC 1 or SOC 2 Report

For each control objective of a SOC 1 and Trust Services Criteria category for SOC 2, the report will outline whether any relevant exceptions were noted during testing. This is an incredibly important element of a SOC 1 or SOC 2 report. Which of your vendor’s controls are critical to the security of your data? You need to evaluate if they have any exceptions or non-compliant controls in those critical areas and determine how this will impact the security of your system and data.

Do you struggle with how to evaluate your vendors’ compliance efforts? Do you know how to read a SOC 1 or SOC 2 report? Contact us today to speak with an information security expert.
