Acknowledgement of Security Policy and Procedures

As part of your security awareness program, PCI Requirement 12.6.2 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures. You need some form of evidence showing that personnel have read and understood the security policies and procedures; that evidence may be in writing or electronic. The PCI DSS guidance explains, “Requiring an acknowledgement by personnel in writing or electronically helps ensure that they have read and understood the security policies/procedures, and that they have made and will continue to make a commitment to comply with these policies.”

To verify compliance with PCI Requirement 12.6.2, an assessor will examine your documentation or evidence of acknowledgement from personnel.

PCI Requirement 12.6.2 requires that, after your staff have attended their annual security awareness training or their new-employee orientation, they acknowledge that they have read and actually understood the policies. One of the things we do from an assessment perspective is ask for evidence of that acknowledgement. The sign-off confirming that they have read and understood the policies can be electronic or in writing – it makes no difference. What we are looking for is that staff truly understand what the policies say.

As part of your policy documentation program, one of the things I recommend is writing the policies in a way that the average user, without a legal or security background, can truly understand. If you lawyer up your policies and pack them with HR content, you dilute their purpose. They are really meant as educational documents that define how you want your business run, and your staff need to understand what that looks like.

Confusing Aspects of GDPR

Are you unsure how to properly collect data subjects’ consent? Have you seen organizations giving data subjects different options for giving their consent? In this webinar, Mark Hinely covers the confusion surrounding consent, the regulatory developments since the GDPR enforcement date, and significant litigation to note.

How is Consent Being Collected?

Consent is considered the most confusing and misunderstood legal basis for processing personal data. This is probably because consent isn’t always required, it must be freely and affirmatively given, and it is quite different from the other five legal bases for processing. Two areas seem to get a lot of attention in the GDPR realm: paid consent and privacy policies.

  • Privacy Policies: You probably noticed the subject line “We’ve Updated Our Privacy Policy” reappearing over and over in your inbox in relation to GDPR. Many organizations send these updates in an effort to become GDPR compliant, under the misconception that doing so obtains data subjects’ consent. However, notification of an updated privacy policy does not equal consent.
  • Paid Consent: The “pay for privacy” concept stems from organizations opting to use a tracking wall, giving users different ways to have their personal data collected or different ways to opt out of giving consent. Organizations such as the Washington Post give their users options for consent and for how their personal data is collected. With the free option, data subjects can read a limited number of articles each month but must consent to the use of cookies and tracking by the Washington Post and third parties. With the $60 subscription option, data subjects have unlimited access to the website and apps on any device but must still consent to the use of cookies and tracking by the Washington Post and third parties. For $90, data subjects have unlimited access to the website and apps on any device and do not have to consent to the use of cookies or tracking. The “pay for privacy” concept seems problematic given that consent under GDPR must be freely given.

What are the Regulatory Developments Since GDPR Enforcement?

Since GDPR became enforceable on May 25, 2018, there have been various regulatory developments, including:

  • European Data Protection Board (EDPB): The EDPB has replaced the Article 29 Working Party and will now be the source for GDPR guidance.
  • Data Protection Impact Assessments (DPIAs): Supervisory authorities in the EU member states have published or proposed lists of processing operations that require a DPIA, a systematic way to identify and minimize the risks of a processing activity.
  • Data Subject Complaints and Breaches: Within the first week of GDPR enforcement, there was a significant increase in complaints and reported breaches compared to pre-GDPR activity.
  • Enforcement of Pre-GDPR Violations: Organizations such as Gloucestershire Police, the British and Foreign Bible Society, and Yahoo have all faced fines and penalties, under the previous data protection regime, for violations that occurred before GDPR took effect.

To learn more about consent, privacy policies, regulatory developments, and enforcement of GDPR, download the full webinar. For more information about GDPR compliance, contact us today!

A major area of risk that we’ve recognized is remote cloud audits. We hear many organizations indicate that because they are a cloud-based organization, they do not want or need onsite assessments, and we want to help them avoid this attitude. Let’s be clear: it’s inaccurate to say that everything is in the cloud. Why? Let’s find out.

Why You Need Onsite Assessments

Human error is often the weakest link in a security system, and the same is true for cloud environments. How did your data get into the cloud? Think of all the ways that an employee, user, or vendor interacts with your cloud – someone has to put data in the cloud, someone manages it, and someone accesses it. Each of these touchpoints is an opportunity for an insecure process, and a purely remote cloud audit will not catch those weaknesses. An auditor needs to see how employees carry out a secure process. They need to visit your office location and examine your heating and cooling systems, your power regulation, and your physical security controls. They need to interview the employees who manage vendor compliance to verify that vendor processes are secure.

If you’ve partnered with KirkpatrickPrice on an audit before, you know that we try to eliminate as much intrusive and expensive onsite time as possible; with our Online Audit Manager, clients typically complete 80% of the audit before an onsite visit. Even with that goal in mind, we still believe that onsite assessments are necessary for a quality audit. Onsite assessments are for the review and testing of controls that cannot be tested remotely, and this purpose stands true for audits of cloud environments. Remote cloud audits will not be as thorough or accurate as ones that include onsite assessments.

It’s vital for auditors to examine your people, processes, and technologies, and it’s impossible for all of that to exist in the cloud. Onsite assessments help auditors understand the culture, physical security, and day-to-day processes of the organization being assessed.

What are the Requirements?

Need some evidence to convince you of the need for onsite assessments? From the SOC 2 perspective, the system being audited is composed of people, processes, applications, infrastructure, and data. One could argue that the applications and perhaps most of the infrastructure are in the cloud, but the data has to come from somewhere, and processes need people to complete them. How do you onboard your customers? It usually involves someone at the office doing something with the application that’s in the cloud.

PCI takes a very similar approach, where the scope includes people, processes, and technology that transmit, process, or store cardholder data, or are connected to or could impact the security of the cardholder data environment. Again, how do the people in your physical office location support the applications, infrastructure, and data that are in the cloud?

It’s understandable that a company would want to focus all of its attention on the technology in the cloud, but it’s an incomplete analysis to conclude that because you are a cloud-based organization, no onsite assessment is required. If your auditor never comes to meet you in person, or never comes onsite to examine your people, processes, and technology, you’re not getting a quality audit. If you want a thorough audit of your cloud environment, let KirkpatrickPrice help. Contact us today.

More Cloud Security Resources

Who’s Responsible for Cloud Security?

12 Risks You Need to Know to Secure Your Cloud Environment

Cloud Security: The Good, The Bad, and The Ugly

Petaluma, CA — Optio Solutions, a national debt collection agency, has received its annual attestations for payment card information security (PCI DSS 3.2) and for controls affecting clients’ financial statements (SOC 1 Type II), as well as a third attestation for non-financial reporting controls (SOC 2 Type II). KirkpatrickPrice, a licensed CPA firm and PCI Qualified Security Assessor, conducted all three audits.

“Many Optio clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, president of KirkpatrickPrice. “As a result, Optio Solutions has implemented best practice controls to address information security and compliance risks. Our third-party opinion validates these controls while the tests we perform provide assurance regarding Optio services.”

The PCI Data Security Standard (PCI DSS), at version 3.2 for this assessment, establishes technical and operational requirements for merchants and service providers that store, process, or transmit payment card data. Focus areas include security management, policies and procedures, network architecture, software design, and other critical protective measures.

“These certifications confirm our commitment to protecting clients and consumers with best-in-class data security and internal controls,” said President and CEO Chris Schumacher of Optio Solutions.

System and Organization Controls (SOC) reports are examinations performed by CPAs of a service organization’s system-level controls, or of an organization’s entity-level controls. The standards for these reports were established by the American Institute of Certified Public Accountants (AICPA).

SOC 1 Type II reports are performed under the Statements on Standards for Attestation Engagements (SSAE 18) and assess the controls at service organizations that are relevant to user entities’ internal control over financial reporting throughout a specified period. The audit conducted by KirkpatrickPrice included thorough testing of Optio’s controls over a minimum six-month period.

SOC 2 Type II reports focus on the operating effectiveness, over a specified period, of a service organization’s non-financial reporting controls relating to the security, availability, processing integrity, confidentiality, and privacy of its system.

About Optio Solutions, LLC

Optio Solutions, LLC is a national debt collection agency focused on protecting its clients’ brands and improving ROI via extensive financial services experience, advanced technology, certified data security, legal compliance and professionally designated staff. Optio is a member of ACA International and the California Association of Collectors.

First-Time HITRUST CSF Assessment

Have you been thinking about engaging in a HITRUST CSF assessment? Have you been approached about getting HITRUST CSF certified? Are you wondering what the timeframe for a HITRUST CSF assessment looks like? Do you want to learn about the responsibilities and expectations that you, your assessor, and HITRUST will face during an assessment? In this webinar, Jessie Skibbe, Chief Compliance Officer with KirkpatrickPrice, and Shannon Lane, Information Security Specialist with KirkpatrickPrice, will answer these questions and more to give you the steps needed to start your HITRUST CSF compliance journey.

How Can I Prepare for a HITRUST CSF Assessment?

For organizations that are just beginning their HITRUST CSF assessment journey, we suggest following these three steps:

  1. Identify Your Level of Readiness: What frameworks do you already follow – ISO 27001/27002, NIST 800-53, PCI DSS, SOC 1, or SOC 2? Do you have policies and procedures documented and in place? Are you starting with a HITRUST self-assessment? Is this your first compliance effort?
  2. Establish and Narrow Your Scope: Do you have a data inventory? Do you understand what data you have and how it moves? Do you have your data mapped? Do you have good data retention procedures? Do you understand where all of your data resides and how it is maintained? What compliance standards do you want to incorporate into your HITRUST CSF assessment?
  3. Determine the Assessment and Report Type Needed: What are your clients requiring of you? Are they asking you to have HITRUST CSF certification, a validated assessment, or self-assessment?

What is the Timeline for a HITRUST CSF Assessment?

The timeline for a first-time HITRUST CSF assessment varies depending on the maturity of your information security program. For organizations with an immature information security program, we expect the remediation period to take, and recommend allowing, about 180 days. For organizations with a more mature information security program, or organizations that already have NIST, ISO, or PCI DSS controls in place, the remediation period could take about 60 days. Ultimately, the remediation period depends on the time it takes to fix the issues identified during the gap assessment and self-assessment. An organization that rushes through remediation can still obtain a validated assessment, but its chances of becoming HITRUST CSF certified decrease significantly.

Download the full webinar to learn more about what you can expect from a first-time HITRUST CSF assessment. For more information about HITRUST CSF assessments and how KirkpatrickPrice can assist you in meeting your compliance goals, contact us today.