About USF Fast 56 Award

Tampa, FL – KirkpatrickPrice’s Founder and President, Joseph Kirkpatrick, was awarded the University of South Florida’s prestigious Fast 56 Award. The award recognizes and celebrates the world’s fastest growing USF Bull-owned or Bull-led businesses and is bestowed upon alumni who meet the following criteria:

  • The business must have been in operation for a minimum of 36 months.
  • The business must have verifiable revenues of at least $100,000 in each of the first two reporting periods and $250,000 for the most recent 12-month period.
  • The business must be owned or operated by a former USF student who is either the owner, a chief executive officer, or a managing partner.

The Fast 56 Award not only celebrates the success of USF alumni, but also provides an opportunity for alumni to pass lessons they have learned to new Bull entrepreneurs.

In 2006, Joseph recognized a need in the information security industry. Using his entrepreneurial spirit, he created a firm specializing in thorough and efficient multi-audit delivery, which was founded on innovation and integrity. Over the course of 12 years, KirkpatrickPrice has grown exponentially and continues to build positive relationships with clients while delivering quality audits. Receiving the USF Fast 56 Award underscores Joseph’s dedication to leading his employees to uphold the company’s central mission to educate, empower, and inspire clients to greater levels of assurance by partnering with them to achieve challenging compliance goals. By utilizing the knowledge gained from his time at USF in conjunction with his 25 years of experience in the information technology industry, Joseph continues to develop KirkpatrickPrice’s trailblazing initiatives in information security audit delivery and ethical hacking.

On February 1, 2018, nine new PCI DSS requirements went into effect. Four months later, the PCI Security Standards Council (SSC) published a minor revision to the PCI DSS.

PCI DSS v3.2.1 replaces v3.2 and addresses effective dates and Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration deadlines that have passed. Though PCI DSS v3.2.1 does not introduce any new requirements, let’s discuss the minor revisions made, when they go into effect, and what you need to do to ensure compliance with this new version of the PCI DSS.

When Does PCI DSS v3.2.1 Go Into Effect?

PCI DSS v3.2 will remain valid through December 31, 2018 and will be retired on January 1, 2019. Prior to the effective date, entities can validate to either standard; however, as of January 1, 2019, all entities must validate to at least PCI DSS v3.2.1.

According to Troy Leach, the PCI SSC Chief Technology Officer, there is a six-month transition period beginning July 1, 2018 for entities transitioning between PCI DSS v3.2 and v3.2.1.

What Changes Are Addressed In PCI DSS v3.2.1?

In the summary of changes provided by the PCI SSC, PCI DSS v3.2.1 seeks to clarify the intent of the requirements and make the document more user-friendly. The clarifications in the new version of PCI DSS include updates to:

  • PCI Requirements 2.2.3, 2.3, and 4.1: PCI DSS v3.2.1 no longer includes the note and testing procedure regarding the use of Appendix A2 to report SSL/early TLS migration effort because the migration deadline has already passed.
  • PCI Requirements 3.5.1, 6.4.6, 8.3.1, 10.8, 10.8.1, 11.3.4.1, 12.4.1, 12.11, and 12.11.1: Because these requirements went from being best practices to requirements on February 1, 2018, PCI DSS v3.2.1 no longer needs a note addressing the effective date of these requirements as it has already passed.
  • PCI Requirement 3.6.2: PCI DSS v3.2.1 addresses an error in the guidance, changing a reference from PCI Requirement 3.5.1 to 3.5.2.
  • Appendix A2: The new version of PCI DSS notes that the SSL/early TLS migration date has already passed. PCI DSS v3.2.1 also updates Requirements A2.1 – A2.3 “to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.”
  • Appendix B: Appendix B in PCI DSS v3.2.1 has been updated to clarify the intent of the requirement, and also updates MFA rules. The summary states, “Removed MFA from the compensating control example, as MFA is now required for all non-console administrative access. Added use of one-time passwords as an alternative potential control for this scenario.”

Learn more about every single PCI DSS requirement with our PCI demystified webinar series.

How Can I Ensure That I Am Compliant With PCI DSS v3.2.1?

To ensure compliance with the new version of PCI DSS, you should be working during the six-month transition period to:

  • Update your reporting templates and forms
  • Complete your migration from SSL/early TLS prior to June 30, 2018
  • Finish validations for 2018 using the standard that best addresses your organization’s reporting needs
  • Enforce v3.2.1 by January 1, 2019

If you have questions about how these updates to the PCI DSS will impact your compliance or need additional help with implementation, contact us today.

More PCI Compliance Resources

PCI Demystified Series

What You Need to Know About PCI Requirement 11.3.4.1

PCI DSS: Important Updates Due February 2018

What is SOC for Cybersecurity?

Because most organizations conduct some portion of their business in cyberspace, they open themselves up to a new level of risk. Who they are, what they do, and what information they possess can make businesses targets for malicious attackers. Reputational damage, disruption of business operations, fines, litigation, and loss of business can all be consequences of a cybersecurity attack. It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program. Understanding this, the AICPA created SOC for Cybersecurity, a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Take a look at some of the most frequently asked questions about SOC for Cybersecurity.

In April 2017, the AICPA announced a new cybersecurity risk management reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination. Because this framework and examination are so new, many still have questions about what it is and if their organization could benefit from it.

What is the Purpose of a SOC for Cybersecurity Report?

A SOC for Cybersecurity report is a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls, which can help stakeholders make informed decisions and can address vendor or supply chain risk management practices.

Who Needs a SOC for Cybersecurity Report?

Any organization that wishes to provide its board of directors, analysts, investors, business partners, industry regulators, or users with perspective on, and confidence in, its cybersecurity risk management program.

How is a SOC for Cybersecurity Report Different from a SOC 1 and SOC 2 Report?

A SOC 1 engagement is an audit of the internal controls at a service organization that may be relevant to its clients’ internal control over financial reporting. SOC 2 reports help service organizations cultivate confidence in their service delivery processes and controls, based on the Trust Services Criteria. A SOC for Cybersecurity report, though, fosters confidence in an organization’s cybersecurity risk management program.

Get the answers to all SOC for Cybersecurity FAQs.

Connect with a KirkpatrickPrice expert today!

GDPR Requirements for Data Controllers and Processors

The first step towards GDPR compliance is determining your organization’s data role – are you a data controller or a data processor? Determining your role under GDPR can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow.

What are the responsibilities of data controllers? A data controller determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.

The Information Commissioner’s Office (ICO) guidance related to determining purposes of processing personal data says that if you are the decision-maker on any of the following items, then you are subject to the responsibilities of data controllers:

  • Who decides to collect the personal data in the first place and the legal basis for doing so?
  • Who decides which items of personal data to collect?
  • Who decides what methods to use to collect personal data?
  • Who decides the purpose(s) that the data are to be used for?
  • Who decides which individuals to collect data about?
  • Who decides whether to disclose the data, and if so, who to?
  • Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • Who decides how long to retain the data or whether to make non-routine amendments to the data?

According to the guidance on principles regarding the means of processing personal data, data controllers may determine:

  • What IT systems or other methods to use to collect personal data
  • How to store personal data
  • The detail of security surrounding the personal data
  • The means used to transfer personal data from one organization to another
  • The means used to retrieve personal data about certain individuals
  • The method for ensuring a retention schedule is adhered to
  • The means used to delete or dispose of personal data

What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to personal data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller and must provide sufficient compliance guarantees to data controllers.

Once you understand what your organization’s role is under GDPR, the next step is understanding which GDPR requirements apply to you. GDPR requirements depend on roles; requirements are different for controllers versus processors versus a controller-processor. In this white paper, you’ll learn which requirements apply to data controllers, which apply to data processors, and which apply to both. Let’s find out which GDPR requirements apply to your organization.

Herbert McMorris, KirkpatrickPrice Information Security Specialist, will discuss penetration testing and business impact analyses at ISACA’s EuroCACS Conference, taking place May 28-30, 2018 in Edinburgh, Scotland.

IT audit, risk, cybersecurity, and governance professionals from across the continent will gather at the Edinburgh International Conference Centre to examine the transformational role they play in their organizations. Attendees will learn solutions and strategies, including how assurance, risk, governance, and security professionals can advance their careers and impact their enterprises.

This year’s event offers more than 70 sessions in tracks covering:

  • Audit and Assurance
  • GRC/COBIT
  • GDPR, Data Analytics, and Information Management
  • Security and Cybersecurity

In Session 311, “Auditor’s Guide to a Penetration Test,” Herbert will define the different types of penetration tests, discuss why penetration testing is needed, help listeners understand a penetration test report, and discuss how resolution and mitigation should be verified.

In Session 322, “BIA: The Root of Security and Recovery Plans,” Herbert will explain the purpose of a Business Impact Analysis, how the BIA applies to risk and recovery programs, the critical outputs from the analysis, and how outputs apply to risk, security, and recovery.

Herbert McMorris has over 36 years of experience working in IT and holds CISSP, CISA, CGEIT, CISM, CRISC, and QSA certifications. In his current position as an Information Security Specialist at KirkpatrickPrice, Herbert specializes in assisting clients in meeting challenging information security and compliance goals.

Additional details, registration, and venue information can be found here.

About ISACA

Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.

Twitter: www.twitter.com/ISACANews

LinkedIn: www.linkedin.com/company/isaca

Facebook: www.facebook.com/ISACAHQ

Instagram: www.instagram.com/isacanews/

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 700 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.