Independent Audit Verifies iVenture’s Internal Controls and Processes

Jacksonville, FL – iVenture Solutions, a premium IT services and solutions provider, announced that it has completed its annual SOC 1 Type II audit. This attestation verifies that iVenture has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of iVenture’s controls that may affect its clients’ financial statements. Established by the American Institute of Certified Public Accountants (AICPA), SOC 1 Type II is a reporting on the controls at a service organization.

This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes iVenture’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

“For us, compliance is critical,” says Gray Mabry, chief executive officer, iVenture Solutions. “Our reputation is built on the trust of our clients. We do everything possible to safeguard client information because it’s our responsibility and privilege to do so.”

“Many of iVenture’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “As a result, iVenture has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by iVenture.”

About iVenture

iVenture Solutions is an award-winning managed services provider delivering superior IT solutions to clients across Florida and beyond. As a leading-edge IT firm for small and medium-sized businesses, we provide a diverse range of services covering the entire scope of IT including maintenance, support, hosting and more. Through rapid response, reduction of IT-related chaos and the right people, our team of certified technology professionals aim to give you more time to do what matters most. At iVenture, we provide business friendly IT. Get started here, or give us a call at 888-380-1235.

With the complexity of the current threat landscape, organizations must be more alert than ever to potential data breaches. Who will be next? What happened? What will the fine be? While we’re only midway through 2018, we’ve seen headline after headline from organizations who have come forward to notify their customers of breaches. Let’s take a look at some of the top data breaches of 2018 to learn what went wrong and how you can prevent a costly data breach from occurring at your organization.

Under Armour Data Breach 2019

The data breaches of 2018 began with a household name. In March, Under Armour announced that it had become aware of a February data breach of its subsidiary fitness and nutrition app, MyFitnessPal. 150 million users’ data was acquired by an unauthorized party, including usernames, email addresses, and hashed passwords. Fortunately, cardholder data was not compromised because that data is collected, processed, and protected separately.

What can we learn from this? Under Armour and MyFitnessPal’s incident response was timely and factual. Four days after discovering the data breach, MyFitnessPal notified their users and gave specific instructions of what to do next: change your password and look for suspicious activity on your account. What is your organization’s incident response plan?

SunTrust Data Breach 2019

While many data breaches of 2018 were due to malicious hackers, approximately 1.5 million SunTrust customers’ data was stolen by an ex-employee with the intent to share the records with a criminal third party. The compromised records included names, addresses, phone numbers, and account balances, but no PII like user IDs, Social Security numbers, account numbers, PINs, or driver’s license information.

What can we learn from this? Malicious insider threats need to be taken just as seriously as third-party threats. Establishing, implementing, reviewing, and updating policies that determine who has access to your organization’s sensitive data is critical. The more employees who have access, the more risk there is. Are you operating on a policy of least privilege? How are you updating access to PII when an employee resigns, is terminated, or is promoted?

MyHeritage Data Breach 2019

Family networking and genealogy provider MyHeritage recently announced a data breach spanning from October 2017 to June 2018. A security researcher discovered a file containing email addresses and hashed passwords on a private server, impacting 92 million users, with no evidence that the information was ever used. MyHeritage reported that no other sensitive information was compromised because users’ cardholder information is not stored on MyHeritage systems and other types of sensitive data (like family trees and DNA data) are stored by MyHeritage on separate systems with added layers of security.

What can we learn from this? While no cardholder information or DNA data was compromised, the breach at MyHeritage underscores the need for organizations (and users) to use some form of multi-factor authentication.

Exactis Data Breach 2019

In late June, a security researcher discovered that Exactis, a Florida-based marketing and data aggregation firm, had left its database exposed on a publicly accessible server, leaving nearly 340 million individual records visible. Aside from basic contact and public information, the data also includes more than 400 variables on a range of specific characteristics: what religion a person belongs to, whether or not they smoke, what hobbies they’re involved with, etc. The company has yet to make a public statement about the breach but secured its database upon notification.

What can we learn from this? With GDPR compliance on the rise, the Exactis breach highlights the need for marketing firms to think about their data handling practices. This data breach also prompts digital consumers to consider their data rights and which personal characteristics they want made public. Phone numbers, home addresses, email addresses, interests and habits, the number, age, and gender of your children – it’s all out there.

Ticketmaster Data Breach 2019

In June, Ticketmaster UK discovered that its customer support chatbot software from Inbenta was hacked. We’ve now discovered that this breach exposed a much greater one: a massive credit card skimming campaign by the threat group Magecart. Magecart’s pattern seems to be to target third-party software companies that build and provide code to their customers, who run that code on their own websites; Magecart then breaks in and alters the code so that the change affects every website the code runs on. It’s reported that Magecart has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect Magecart’s campaign to be recognized as one of the most damaging data breaches of 2018.

What can we learn from this? The importance of vendor compliance management cannot be overstated. In this breach, Ticketmaster’s customer support chatbot vendor was the key Magecart needed to compromise their website. You’re putting a great deal of control and responsibility into vendors’ hands; in Ticketmaster’s case, they put part of the security of their website in Inbenta’s hands.

Panera Bread Data Breach 2019

The Panera Bread data breach that came out this year is a bit puzzling, but that’s what makes it so interesting. In August 2017, a security researcher reported a vulnerability to Panera Bread, but the claim was dismissed. Apparently, Panera Bread didn’t take the claim seriously enough to even look into it, because eight months later, the bakery-cafe announced a data breach of their website that exposed thousands of customer records. This was only after KrebsOnSecurity broke the story, talked to Panera, and got them to take their website offline and fix the vulnerability. Trust us, there was a lot of back-and-forth between Krebs and Panera Bread before the issues were resolved.

What can we learn from this? It’s clear that security alerts and monitoring procedures were not appropriately implemented in this situation. Monitoring is a critical aspect of any information security program.

Timehop Data Breach 2019

Timehop, a social media memory-sharing app, discovered a data breach in which up to 21 million users were affected. The network intrusion occurred because an access credential to their cloud computing environment was compromised, which was possible because multi-factor authentication was not in place. Within 2 hours of discovering the network intrusion, Timehop responded to the event.

What can we learn from this? Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough we’ve seen among the data breaches of 2018. In their security incident report, the company goes above and beyond the norm by apologizing, providing a technical report, outlining the number of GDPR records breached, answering FAQs, defining the terms used, and providing next steps for users.

As the year goes on, stay alert to learn about more data breaches of 2018, what caused them, how to respond, and how to learn from others’ mistakes. Have questions about incident response, breach prevention, or compliance requirements? Contact us today.

The Information Commissioner’s Office (ICO) enforces the GDPR as of May 25, 2018.

There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.

Part of what makes GDPR innovative is that, in order to work as intended, the law needs the collaboration of all participants. This includes data subjects, controllers and processors, data protection officers, supervisory authorities, the European Data Protection Board, and the European Commission. With so many players in the game and such a broad territorial reach, how do you know how they function together and who’s enforcing GDPR? Let’s start at the top.

GDPR Enforcement by the European Commission

The European Commission proposes and implements laws that align with the objectives of EU treaties, meaning that it created the rules for the protection of personal data for the EU.

If you want to look at where GDPR began, you must go back to 1995, when Directive 95/46/EC was issued to regulate the processing of personal data in a fair and lawful manner; “fair” meaning you must tell data subjects what you’re doing with their personal data and “lawful” meaning you must comply with data subjects’ rights. But then technology and the way we share and collect data changed.

The 1995 directive, like many other laws and regulations, needed updating. In 2012, the European Commission proposed data protection reform to replace Directive 95/46/EC and about three years later, in December of 2015, the European Commission agreed on a final draft of the GDPR, paving the way for adoption by the European Parliament. On May 25, 2018, GDPR officially took effect and became an enforceable law.

When the European Commission needs advice or has questions about the protection of personal data, it goes to the European Data Protection Board for answers and recommendations.

European Data Protection Board

When GDPR went into effect, a major regulatory development was the establishment of the European Data Protection Board (EDPB). The EDPB has replaced the Article 29 Working Party (WP29) as the regulatory body and legal personality of GDPR but has similar membership. In fact, the EDPB has adopted much guidance from the WP29 on topics such as data protection officers, transparency, consent, and portability.

Moving forward, the EDPB will now be the source for GDPR guidance. The EDPB will have a more comprehensive purpose than the WP29, and it will be more likely to obtain feedback from the public during the course of developing guidance.

Article 70 defines the tasks of the EDPB, which include issuing guidelines and recommendations, advising and communicating with the European Commission, and ensuring consistency of the application of GDPR.

EU Member States

It’s up to each of the EU Member States to develop their own guidance around GDPR and supervise the application of the law within their territory. Because GDPR’s scope spans 28 EU Member States, it gives each Member State some latitude to adjust how the law applies in their country. For example, the UK’s Data Protection Act 2018 recently received Royal Assent; it works alongside GDPR to form new data protection principles. This act modernizes data protection laws, and the Information Commissioner’s Office recommends that the Data Protection Act 2018 and GDPR be read side-by-side.

As of May 25, 2018, each of the 28 EU Member States has designated a supervisory authority to be responsible for monitoring the application of GDPR within its territory.

Supervisory Authorities

Articles 51-59 require that each EU Member State designate an independent public authority, known as a supervisory authority or data protection authority (DPA), to be responsible for monitoring the application of GDPR and addressing non-compliance. Supervisory authorities’ main purpose is to protect personal data. Although there are 28 of them, supervisory authorities play a central role in the consistent application of GDPR.

Under Article 31, controllers, processors, and their representatives must cooperate with and support supervisory authorities in the performance of their tasks. Within their territory, supervisory authorities are generally tasked to do the following:

  • Monitor and enforce GDPR
  • Promote public awareness on data subjects’ rights and risks
  • Promote awareness to controllers and processors of their obligations
  • Handle and investigate complaints
  • Cooperate with other supervisory authorities
  • Document infringements and the corrective actions given
  • Investigate the application of GDPR in the form of data protection audits and reviews
  • Exercise corrective and advisory powers

In general, the main contact point for questions or topics on personal data protection is the supervisory authority in the EU Member State where the controller or processor is based. For example, a controller or processor based in France would report to the National Commission of Computing and Freedoms in France. However, if there is cross-border processing, the supervisory authority of the main establishment acts as the lead supervisory authority.

Because GDPR is a law and not an information security or privacy framework, we’ve heard the question “who’s enforcing GDPR?” a lot. Data subjects, controllers and processors, supervisory authorities, the European Data Protection Board, and the European Commission must work together to implement and enforce GDPR, to make data protection law more consistent, and to encourage businesses to be more transparent.

Do you know who the supervisory authority in your Member State is? Do you have a DPO? Have more questions about controllers and processors? Contact us today to find the answers you need.

More GDPR Resources

10 Key GDPR Terms You Need to Know

Are You Controller or Processor?

Whose Data is Covered by GDPR?

Which GDPR Requirements Do You Need to Meet?

One of the most frequent questions that our Information Security Specialists are asked when engaging in a HITRUST CSF assessment with a client for the first time is, “What is the purpose of narrowing the scope of the engagement?” This is a great question and the answer is simple: everything that you do in a HITRUST CSF assessment is about your scope. The larger your scope is, the more complex your audit will be.

When you’re in the beginning stages of a HITRUST CSF assessment, narrowing your scope makes obtaining HITRUST CSF certification more feasible. Think of it this way: if you’re a hospital and you’re wanting to obtain HITRUST CSF certification, you wouldn’t attempt to certify the entire hospital. That could entail millions of records, processes, technologies, and personnel. Because hospitals are collections of systems and each system is its own complex, detailed entity, it would be extremely difficult, time consuming, and costly to certify an entire hospital. On the other hand, if you were to narrow your scope to focus solely on your billing department or your ICU department, you would make HITRUST CSF certification more attainable.

How Do You Begin Narrowing Your Scope?

Narrowing your scope isn’t as challenging as one might think. Like any large project, it’s best to start small and take it piece by piece. To do so, you’ll need to define system and control boundaries to determine exactly what you want to get HITRUST CSF certified. Having these boundaries in place allows for a better understanding of what your needs and goals are for obtaining HITRUST CSF certification. When setting system boundaries, you would ask yourself questions, such as:

  • What systems actually perform the process that you want to certify? What people are involved? How do they interact with your records?
  • Where do you store your data? How do you collect it, process it, or remove it?
  • What devices, protocols, or systems move that data between the components of your system or interactions with your clients? How do people give you the data to process? How do you transfer data to users?

Going a step further, after defining your system boundaries, you need to set control boundaries. You can do this by asking:

  • How do you maintain your systems?
  • What systems could impact the security of your processes?
  • Are you using patch management?

What Documentation is Needed?

Understanding how you use data is fundamental to understanding your scope, so the following documentation is absolutely necessary when narrowing your scope:

  1. Data flow diagram: This is essential for understanding how data flows through your network.
  2. Network diagram: This is essential for understanding how your environment fits together.
  3. System inventory: This is essential for understanding what systems are involved within your scope boundaries.
  4. System management procedures: This is essential for understanding how you’re managing your systems.

Once your boundaries are set and you have defined exactly what you want to certify, you can begin to establish the demographics of your scope.

Determining Scoping Demographics

Aside from setting boundaries, you need to determine your scoping demographics. These demographics determine your custom set of requirement statements that you must comply with to attain HITRUST CSF certification. This is where narrowing your scope might get tricky because the more demographics that you include, the more requirement statements you’ll have to comply with to achieve HITRUST CSF certification. The following factors should be accounted for when narrowing your scope:

  1. Organization and Entity Type: The first scoping demographic to decide on is your organization and entity type, which identifies your organization’s risk and complexity. The entity type will be either a business associate or covered entity. There are more options for organization types, such as service providers, payers, hospital facilities, pharmacies, etc.
  2. Organizational Factors: These factors drive the majority of the requirement statements. Organizational factors represent the number of records that could be lost due to a catastrophic breach. You’ll be asked to identify how many records you have, ranging from less than 10 million to over 60 million.
  3. Geographic Factors: These factors are based on where your organization collects, processes, maintains, uses, shares, or disposes of information. The amount of risk for an organization whose operations are centralized in one state, as opposed to spread across multiple states, would vary greatly, so the number of controls included in the scope would change. There are even more risk factors associated with moving data offshore.
  4. Systems Factors: Determining how your systems process, store, and transmit data is essential when limiting your scope. You’ll need to answer a series of questions to identify the accessibility of your system, whether your system transmits or receives data from third parties, and whether mobile devices are used in your environment. You’ll also need to determine how many systems you connect to on a permanent basis, how many system users there are, and the number of transactions per day.
  5. Regulatory Factors: Determining your compliance needs greatly impacts the number of requirement statements applicable to your organization. Including an additional framework such as state-specific requirements, FISMA, or GDPR in your HITRUST CSF assessment could completely change your scope.

By following each of these steps, not only will HITRUST CSF certification be more attainable for your organization, but you’ll see a greater return on investment. Don’t waste your time and money by having too broad of a scope when you engage in a HITRUST CSF assessment. When you work closely with one of our Information Security Specialists, we’ll work hard to assist you in narrowing your scope to set your organization up for success.

Ready to get started on your HITRUST CSF assessment journey? Let us help! Contact us today to get started.

What is the Most Important Thing I Need to Know about HITRUST Scoping?

Are you in the process of preparing for a HITRUST CSF assessment? Do you need more information about how to properly scope your engagement? In this webinar, Shannon Lane, an Information Security Specialist at KirkpatrickPrice, will cover all things related to HITRUST CSF scoping, such as how HITRUST expects you to scope your engagement, what boundaries you should set, and how to determine your scoping demographics.

As you begin preparing for your HITRUST CSF assessment, scoping should be at the forefront of every conversation. Why? Because everything that you do in a HITRUST CSF engagement is about your scope. Considering this, it’s imperative that you work with your assessor to narrow your scope as much as possible to ensure that your assessment most acutely aligns with the parts of your organization that you want to get HITRUST certified.

For example, let’s say that you are a hospital looking to become HITRUST CSF certified. Typically, HITRUST is not going to certify an entire organization – they wouldn’t want to certify all of the departments that make up a hospital. Instead, they are looking to certify different components of an organization, like your billing department, human resources, inpatient and outpatient services, psychology department, ER, or ICU.

How Do I Narrow My Scope?

To begin narrowing your scope, you’ll need to define system boundaries around what you want to get certified. Building off the previous example, if you’re looking to certify your billing department, you would need to consider the following:

  1. How are things processed? What systems are used for billing purposes?
  2. How is billing data stored? Where is it kept?
  3. How is billing data transmitted? What devices move the data between system components, or into and out of the outside world?

After you’ve determined your system processes, you’ll need to define your system by creating or locating your data flow diagram, network diagram, system inventory, and system management procedures. Doing this allows you to establish boundaries and move onto determining your scoping demographics.

What are Scoping Demographics?

Scoping demographics allow you to lessen the number of requirement statements you must comply with to become HITRUST CSF certified. The following are scoping demographics you’ll need to consider:

  1. Organizational Factors: These are the core of the assessment. What is your organization type? What number of records could you lose if a catastrophic breach occurs?
  2. Geographic Factors: These are based on where the collection, processing, maintenance, use, sharing, dissemination, or disposition of information occurs. How do you operate? Where does collection and processing occur? Are you located in multiple states?
  3. System Factors: These are scoping questions that demonstrate the importance of limiting a scope. How many systems do you connect to on a permanent basis? How many people use your system? How many transactions do you have on your database per day?
  4. Regulatory Factors: These are optional, but you should consider what your clients’ needs are and what your business needs are. Are you looking to show your level of assurance with other frameworks, such as SOC 2, PCI, GDPR, or FISMA?

Ultimately, the narrower your scope is for your HITRUST CSF assessment, the better. The ramifications of having too broad of a scope could be costly. Keep in mind that when you’re able to narrow your scope for the audit, you could receive a larger return on investment. For more information on scoping a HITRUST CSF assessment, watch the full webinar now. To learn more about how you can begin the HITRUST CSF certification process, contact us today to speak to an expert.