What are PCI Penetration Testing Requirements?

Nine new PCI DSS v3.2 requirements turned from best practices to requirements on February 1, 2018.

One requirement in particular, PCI Requirement 11.3.4.1, outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states:

“If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”

Let’s discuss why this PCI penetration testing requirement might apply to you, what segmentation is, what the six-month rule means, and what you need in order to comply with this requirement.

Does PCI Requirement 11.3.4.1 Apply to You?

There are two conditions as to whether or not PCI Requirement 11.3.4.1 applies to your organization.

  1. Are you a service provider? PCI Requirement 11.3.4.1 is an additional requirement that applies only to service providers. A service provider is any entity that stores, processes, or transmits cardholder data on behalf of a third party, or that otherwise has the ability to impact the security of cardholder data.
  2. Do you use segmentation for the purpose of PCI scope reduction?

If both of these apply to you, all segmentation controls that are in place for the purpose of PCI scope reduction must be tested every 6 months or after any changes to segmentation controls or methods.

What is Segmentation and How Does It Impact PCI Compliance?


Think of your CDE as the center of a circle, with a protective, second circle surrounding it. This second circle is your supporting environment. This could include domain controllers, patch management systems, network and log monitoring systems and other similar devices that perform critical functions for systems located within the CDE.

These systems, which are connected to or impact the security of the CDE, are considered to be part of the overall PCI scope. Everything outside of the second circle should be segmented in order to reduce and tightly control the scope. This can reduce the cost and complexity involved with achieving and maintaining compliance with the PCI DSS.

What is PCI Requirement 11.3.4.1 Actually Requiring Regarding Penetration Testing?

PCI Requirement 11.3.4.1 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.

Our approach to compliance with PCI Requirement 11.3.4.1 involves more than simply validating segmentation controls through port scanning activities. The PCI DSS specifies that penetration testing must be performed, meaning that it is not sufficient to only perform something like nmap scans from non-CDE to CDE networks. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.

Our penetration testing begins with discovery to verify that the CDE contains what we expect it to contain. Using the background and understanding gained from the first penetration test, we must validate that the scope of your CDE hasn’t changed in the last six months: we must understand what was in the CDE six months ago and what is in the CDE now. This establishes a baseline of healthy security for the CDE. If you don’t know what’s inside the CDE, how do you know that sensitive information can’t be reached from the outside?

Our PCI penetration testing efforts focus on wherever segmentation controls are lacking. Our testing includes confirming the effectiveness of the applicable segmentation controls and performing many of the same internal penetration testing activities that are expected for compliance with PCI Requirements 11.3.2 and 11.3.3. This comprehensive approach covers the entirety of the in-scope PCI environment. It also lets our penetration testers test the segmentation controls effectively, because the information gathered during the initial penetration test informs the approach used to attempt to circumvent the targeted segmentation controls.
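As an added illustration (this is not KirkpatrickPrice’s methodology or tooling, and it is not a substitute for the penetration test itself), the script below performs the two comparisons that the approach above depends on: scope drift between the CDE inventory recorded at the previous test and the inventory now, and a check of observed non-CDE to CDE reachability against the documented allow-list of flows. Every host, port, network and result is constructed sample data.

```python
"""Segmentation drift and reachability checks (added example, constructed data).

Two defender-side checks that support a six-month segmentation test:
  1. scope drift: what entered or left the CDE since the last test, so the
     tester knows the current CDE before trying to reach it from outside;
  2. segmentation check: every reachable non-CDE -> CDE flow must appear on
     the documented allow-list; anything else is a segmentation failure.
A reachability check alone does not satisfy PCI Requirement 11.3.4.1; the
penetration tester still has to attempt to circumvent the controls.
"""
from ipaddress import ip_address, ip_network

# Constructed sample data: CDE inventory at the last test and today,
# as {host: set_of_listening_ports}.
BASELINE_CDE = {
    "10.10.1.10": {443},
    "10.10.1.11": {443, 5432},
}
CURRENT_CDE = {
    "10.10.1.10": {443},
    "10.10.1.11": {443, 5432, 6379},  # new service since the last test
    "10.10.1.12": {22, 8080},         # new host since the last test
}

# Constructed: which networks are the CDE.
CDE_NETWORKS = [ip_network("10.10.1.0/24")]

# Constructed allow-list of documented flows into the CDE:
# (source network, destination host, destination port).
ALLOWED_FLOWS = {
    ("10.20.0.0/24", "10.10.1.10", 443),  # e.g. monitoring system -> web tier
}

# Constructed reachability results gathered from non-CDE test hosts:
# (source host, destination host, port, reachable?).
OBSERVED = [
    ("10.20.0.5", "10.10.1.10", 443, True),    # documented, expected
    ("10.20.0.5", "10.10.1.11", 5432, True),   # database reachable: not allowed
    ("10.30.0.7", "10.10.1.12", 22, True),     # new host reachable: not allowed
    ("10.30.0.7", "10.10.1.10", 443, False),   # blocked, as expected
]


def scope_drift(baseline, current):
    """Report hosts and services that appeared or disappeared in the CDE."""
    added_hosts = sorted(set(current) - set(baseline))
    removed_hosts = sorted(set(baseline) - set(current))
    new_services = sorted(
        (host, port)
        for host in set(current) & set(baseline)
        for port in current[host] - baseline[host]
    )
    return {
        "added_hosts": added_hosts,
        "removed_hosts": removed_hosts,
        "new_services": new_services,
    }


def in_cde(host, cde_networks=CDE_NETWORKS):
    """True if the host address lies inside any CDE network."""
    addr = ip_address(host)
    return any(addr in net for net in cde_networks)


def flow_allowed(src, dst, port, allowed=ALLOWED_FLOWS):
    """True if (src -> dst:port) matches a documented allow-list entry."""
    addr = ip_address(src)
    return any(
        addr in ip_network(net) and dst == a_dst and port == a_port
        for net, a_dst, a_port in allowed
    )


def segmentation_findings(observed, allowed=ALLOWED_FLOWS):
    """Reachable non-CDE -> CDE flows that are not on the allow-list."""
    findings = []
    for src, dst, port, reachable in observed:
        # Only flows that cross the boundary from outside into the CDE matter.
        if not reachable or in_cde(src) or not in_cde(dst):
            continue
        if not flow_allowed(src, dst, port, allowed):
            findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    drift = scope_drift(BASELINE_CDE, CURRENT_CDE)
    print("Scope drift since last test:", drift)
    for src, dst, port in segmentation_findings(OBSERVED):
        print(f"SEGMENTATION FAILURE: {src} can reach CDE host {dst}:{port}")
```

Every flagged flow is either an undocumented rule change or a control that has stopped working, and both are exactly what the six-month test is meant to surface.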

Am I Overdue on PCI Requirement 11.3.4.1? How Soon Should I Expect to Perform Penetration Testing?

The PCI SSC has given some clarity on the six-month rule described in this requirement. If your organization is in panic mode thinking, “February 1 has hit and now we’re overdue on new PCI penetration testing requirements,” you’re probably not actually overdue.

The six-month rule went into effect the same day that the entire requirement went into effect. There’s no need to go back in time. If you had a penetration test performed on December 5, 2017, then your next penetration test should be scheduled for May 5, 2018.

The PCI DSS guidance explains, “For service providers, validation of PCI DSS scope should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives.”

How is your organization re-assessing its penetration testing needs?

If you have questions about how these PCI penetration testing changes will affect your compliance or need additional help with implementation, contact us today, download our on-demand webinar that reviews all nine new PCI DSS requirements, or check out our PCI Demystified series.


SOC 2 Compliance: Reporting Changes

You may have recently noticed some changes in SOC 2 reporting, like the inclusion of an internal control framework and a change from “Trust Services Principles” to “Trust Services Criteria.”

Why the changes?

The AICPA’s Assurance Services Executive Committee (ASEC) recently issued a SOC 2 reporting update that includes a new set of 2017 Trust Services Criteria, which will provide integration with the 2013 COSO framework and ways to better address cybersecurity risks.

Let’s take a closer look at these changes and how they can affect your organization.

SOC Trust Services Principles vs. SOC Trust Services Criteria

The most noticeable change from this SOC 2 reporting update is the name change, which revises “Trust Services Principles and Criteria” to “Trust Services Criteria.”

Security, availability, processing integrity, confidentiality, and privacy are still the five categories under this revised name, and they are integrated with the 2013 COSO framework. Because the 2013 COSO framework uses “principles” to refer to the factors of internal control, ASEC removed “principles” from the original name to avoid any misunderstandings.

Integration with the 2013 COSO Framework

What else has changed with SOC 2 reporting, other than a name change? SOC 2 reporting now has integration with the 2013 COSO framework. This framework is used to assess the design, implementation, and maintenance of internal controls and assess their effectiveness.

It makes sense for the Trust Services Criteria to have integration with the 2013 COSO framework because they are both assessing internal controls. The Trust Services Criteria assess internal controls over the security, availability, processing integrity, confidentiality, and privacy of a system. The 2013 COSO framework assesses internal controls relating to control environment, risk assessment, information and communications, monitoring activities, and existing control activities. Service organizations’ controls must meet the 17 internal control principles that align with COSO’s five components of internal control, along with some new, supplemental criteria.

The 17 internal control principles include:

SOC 2 Reporting Infographic: the new 2017 Trust Services Criteria

These internal control principles don’t map to the 2016 Trust Services Principles and Criteria, so this new integration with the 2013 COSO framework will likely require service organizations to restructure their internal controls in order to comply with the 2017 Trust Services Criteria.

Supplemental Criteria for Cybersecurity Risk

In addition to the 17 internal control principles from the 2013 COSO framework and the Trust Services Criteria, service organizations must meet new, supplemental criteria that address cybersecurity risk. These supplemental criteria include:

  • Logical and Physical Access Controls – How service organizations implement logical and physical access controls to prevent unauthorized access and protect information assets.
  • System Operations – How service organizations manage the operation of their systems to detect, monitor, and mitigate security incidents.
  • Change Management – How service organizations determine the need for changes to infrastructure, data, software, and/or procedures, securely make changes, and prevent unauthorized changes.
  • Risk Mitigation – How service organizations identify, select, and develop risk mitigation activities for risks arising from vendors, business partners, and other disruptions.

Points of Focus

Another new element of the 2017 Trust Services Criteria is points of focus.

While integrated into COSO, points of focus are new to SOC 2 reporting and the Trust Services Criteria. Points of focus are just that – details or characteristics to focus on and should be included in the design, implementation, and operation of an internal control. Points of focus will assess whether the 17 internal control principles from the 2013 COSO framework, Trust Services Criteria, and supplemental criteria are implemented and functioning. Points of focus are characteristics that auditors have always generally incorporated into their review, but with this SOC 2 reporting update, points of focus are now defined.

The supplemental criterion for risk mitigation (CC9.1) states, “The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.” What details or characteristics of this internal control should your organization focus on? The points of focus listed include:

  • Considers Mitigation of Risks of Business Disruption – Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity’s objectives during response, mitigation, and recovery efforts.
  • Considers the Use of Insurance to Mitigate Financial Impact Risks – The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.

It’s important to note that an assessment of points of focus is not required; not all points of focus are applicable to every service organization or situation. You can have effective internal controls without addressing every single point of focus.

How Do These SOC 2 Changes Affect Your Organization?

Since the 2017 Trust Services Criteria were released in April 2017, SOC 2 reports have been required to state which set of criteria was used – the 2016 Trust Services Principles and Criteria or the 2017 Trust Services Criteria. Beginning December 15, 2018, SOC 2 reports must use the 2017 Trust Services Criteria. If your organization pursues SOC 2 Type II attestation, you should begin determining what your next SOC 2 audit period will be and how the integration with the 2013 COSO framework, supplemental criteria, and points of focus will affect your audit.

The AICPA has published a mapping of the 2016 Trust Services Principles and Criteria to the 2017 Trust Services Criteria to help you further understand this SOC 2 reporting update. For more information on Trust Services Criteria or SOC 2 services, contact us today.


Why Choose the Privacy Principle?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria you want to include in your SOC 2 audit report. Typically, service organizations that are concerned about the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information to deliver their services.

A classic example is a doctor’s office. What’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and a list of the medications that you’re on. So, what if the office shares that personal information with some type of marketing company to help market services or prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with.

Including the Privacy Principle in your SOC 2 audit report ensures that your organization is handling client data in accordance with any commitments in the privacy notice as committed or agreed upon. The Privacy Principle also demonstrates that you’re handling client data in accordance with criteria issued by the AICPA, including:

  1. Management: Service organizations must define, document, and implement privacy policies and procedures, which govern how personal information is used.
  2. Notice: Service organizations must provide notice to consumers about their privacy policies and procedures, fully informing them of how personal information is used.
  3. Choice and Consent: Individuals must have the ability to choose how personal information is used and give consent for the use of their personal information.
  4. Collection: Service organizations only collect personal information for the purposes described in the notice; service organizations will not use it for any other reason.
  5. Use, Retention, and Disposal: Service organizations will have privacy policies and procedures that define how personal information is used, retained, and disposed of.
  6. Access: Service organizations provide individuals with the ability to access their information for review and updating.
  7. Disclosure to Third Parties: Service organizations will only disclose personal information to third parties identified in the notice.
  8. Security: Service organizations protect personal information through physical and logical access controls.
  9. Quality: Service organizations need to have quality management procedures in order to not only protect personal information, but also make sure it’s complete and accurate in the way it’s used.
  10. Monitoring and Enforcement: Service organizations must monitor their compliance with privacy practices.

If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Criteria you should include, contact us today.

When you include the Privacy Principle in your SOC 2 audit report, it’s important to understand the purpose of the Privacy Principle and the generally accepted privacy principles issued by the AICPA. Typically, organizations that are concerned about the Privacy Principle are collecting information directly from consumers and using that information in some way in the course of providing their service. You have to determine whether this applies to you.

The classic example is when you walk into a doctor’s office. What happens? They ask you to sign an acknowledgement that you have been given a Privacy Notice. It’s obvious why that applies in that situation. You’re about to see a medical provider, you’re about to provide personal information about your medical conditions, and you’re going to give them your date of birth, insurance information, and the medications that you’re on. They may share that information with some type of marketing company to help market services or prescriptions to you. They might share it with a research organization that’s conducting research about treatments and experiences with your medical providers. They might share it with other physicians who are providing services to you. They might share it with insurance companies. That Privacy Notice is supposed to disclose all of that, let you know that you have the option to opt out, and fully inform you as a consumer.

If you are implementing the Privacy Principle in your business, you have to have a method for managing the privacy policies and procedures you put in place to govern how personal information is used. You will provide notice to consumers about how you’re going to use their information so that they’re fully informed, give them the ability to have some choice in the matter, and ask them for consent to use their information in the way that you intend to use it. You’re only going to collect information for the purpose of delivering your service, and you’re not going to use it for another reason that you have not notified them about.

You’re going to have privacy policies and procedures about how personal information is used, how you retain it, and how you dispose of it. Do you keep that information perpetually? Do you keep it for 20 years, 10 years, 7 years? Your policies have to define how long you will keep that information and how you will eventually dispose of it. You have to provide consumers with the ability to access their information; they have a right to know what you have and how you’re using it. You have to have privacy policies and procedures that govern how you disclose information to third parties who might be service providers to you and help you deliver your services. You have to have security procedures in place to protect that information while it is in your custody. You will also need quality management procedures, not only to protect the information but to make sure it’s complete and accurate in the way that you use it, so that you don’t share information you shouldn’t or misrepresent the consumer’s information in some way.

Finally, you have to have your own monitoring practice to confirm that you are in compliance with your policies and procedures and that you are monitoring how personal information is used on a daily basis.

There are a lot of things to think about with the 10 principles within the SOC 2 Privacy Principle, so please contact us if we can help you understand this any further.

HITRUST CSF Assessor Demonstrates Its Expertise in High-Quality HITRUST CSF Engagements

Tampa, FL – KirkpatrickPrice, a licensed CPA firm, announced today that Jessie Skibbe and Shannon Lane have been appointed to the 2018 HITRUST CSF Assessor Council. The HITRUST CSF Assessor Council has grown to 20 appointees, representing a broad range of experience in information security and privacy. The council provides a forum to ensure that HITRUST CSF Assessors can directly submit input to HITRUST thereby influencing the HITRUST CSF Assurance program to continually ensure and evolve its integrity, effectiveness, and efficiency.

Jessie Skibbe has over 20 years of information technology, information security, and regulatory compliance experience spanning the manufacturing, financial services, and healthcare industries. A former developer, network administrator, ISO, and CCO, she now serves as Vice President of Strategic Development and Chief Compliance Officer for KirkpatrickPrice. Skibbe holds CISSP, CISA, CRCP, CCFSP, and CCCO certifications, as well as the ACA Scholar designation, and is an ACA certified instructor.

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. Lane now serves as an Information Security Auditor at KirkpatrickPrice, and holds CISSP, CISA, QSA, MSDBA, and CCSFP certifications.

KirkpatrickPrice is dedicated to educating clients on navigating the HITRUST CSF framework, finding the best certification option, and delivering high-quality engagements. Skibbe led KirkpatrickPrice through the HITRUST CSF Assessor process and now leads HITRUST CSF services at the firm. Skibbe stated, “It’s an honor to be appointed to the HITRUST CSF Assessor Council. Our hope is to bring our firm’s experiences to the table and assist HITRUST in a process that will allow for better communication with assessor firms, greater consistency in the assessment process, as well as much needed education to the industry.”

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience. HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Enforcement of the HIPAA Privacy Rule

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule. Enforcement trends are the most direct way that the OCR can tell us what it is looking at and where. In the most recent enforcement results, the OCR reports that it has received over 171,161 complaints since the HIPAA Privacy Rule took effect in 2003. These complaints have been against all types of covered entities, such as national pharmacies, medical centers, health plans, hospital chains, outpatient facilities, and private practices. 98% of these cases have been resolved through enforcement actions including investigations, fines, corrective actions that require systemic changes in privacy practices, and technical assistance.

From the OCR’s enforcement trends, we can see that the most frequently investigated compliance issues in relation to the HIPAA Privacy Rule are impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI. We can also see that the most common types of covered entities required to take corrective action are hospitals, private practices, outpatient facilities, pharmacies, and health plans. Let’s take a look at the most frequently investigated HIPAA Privacy Rule compliance issues to see what lessons your organization can learn from enforcement trends.

Impermissible Uses and Disclosures of PHI

To provide the best care possible, health care professionals need information. Treatment, research, quality, payment – it all requires information about patients. But, how do you determine when information sharing is permissible under the HIPAA Privacy Rule and when it is not? In general, HIPAA supports the sharing of PHI when it falls under treatment, health care operations, and payments. For example, a covered entity could disclose PHI to another covered entity or business associate in order to treat or coordinate care for patients, enable case management, for quality assessment or improvement purposes, and for population health purposes. Even with this general definition, there can still be misunderstanding over impermissible uses and disclosures of PHI. The U.S. Department of Health & Human Services’ guidance states, “Confusion about the rules has been cited by many as a potential obstacle to interoperability of digital health information.”

Impermissible uses and disclosures of PHI are an enforcement trend because there are so many situations where this could apply – employers, family members, other patients, law enforcement, media, etc. To help you understand impermissible uses and disclosures of PHI, let’s consider how the HIPAA Privacy Rule would function within a doctor’s office. The HHS describes this scenario: in a public waiting room, a member of a medical practice discussed HIV testing procedures with a patient. By discussing this in a public area and using a device that displayed PHI, the staff member disclosed PHI to the other individuals in the waiting room. Among other corrective actions, the OCR required this medical practice to revise and implement its policies and procedures regarding safeguarding the communication of PHI. How do your organization’s policies and procedures cover impermissible uses and disclosures of PHI? Enforcement trends highlight that it’s vital to include details like these so that you can comply with the HIPAA Privacy Rule in any type of situation.

Lack of Safeguards of PHI

The HIPAA Privacy Rule requires that covered entities apply administrative, technical, and physical safeguards to protect PHI. These safeguards could be things like access controls, physical security measures, or secure disposal policies. Training your employees and implementing these safeguards is vital to keeping your organization from being cited for a lack of safeguards of PHI.

To demonstrate the danger of lack of safeguards of PHI, let’s look at this example: an employee of a pharmacy placed a customer’s insurance card in another customer’s prescription bag. Would you think that an insurance card is considered PHI? The pharmacy didn’t, but the OCR explained to the pharmacy that insurance cards do meet the definition of PHI. The pharmacy was required to amend its policies and procedures regarding PHI and re-train staff. From this enforcement trend, we can learn that organizations should evaluate the effectiveness of their safeguards by asking what risks for disclosure exist for each process and determining whether there are sufficient controls in place to prevent those risks from being exploited.

Lack of Patient Access to PHI

The HIPAA Privacy Rule exists so that patients know they have rights, what those rights are, and how those rights are respected; providing patients with easy access to their own PHI is a part of those rights. What if you couldn’t monitor a chronic condition because you didn’t have access to your medical records? What if you couldn’t identify all of your allergies because a covered entity refused to give you access to your medical records? A lack of patient access to PHI can make individuals feel out of control, or that they cannot make the most-informed medical decisions possible. Guidance regarding patient access to PHI states, “With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.”

To help you understand a lack of patient access to PHI, consider this scenario at a private practice. A complainant claimed that a private practice denied her access to her PHI because of an outstanding balance, which was confirmed during the OCR’s investigation. Corrective actions for this private practice included technical assistance to explain that, in general, a covered entity cannot deny a patient access to their PHI because of an outstanding balance. The covered entity was also required to provide the complainant with a copy of her medical record. Do your policies and procedures create obstacles to patient access to PHI? If so, you must determine whether they have a legal basis for maintaining those obstacles.

Use or Disclosure of More Than Minimum Necessary PHI

In many frameworks, it’s required that organizations make an effort to use, disclose, and request only the minimum amount of sensitive information needed for an intended purpose or to carry out a function; this is also the case for the HIPAA Privacy Rule. 45 CFR 164.502(b), 164.514(d) states, “PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI.”

The more people who have access to PHI, the more risk there is. At a dentist’s office, the OCR investigated claims that some medical records were marked with an “AIDS” label on the outside cover, and that records were handled in a way that let other patients and staff without a need to know read the label. To resolve this issue, the dentist’s office was required to immediately remove the “AIDS” labels and amend its policies and procedures to specify that labels such as these belong on the inside cover of medical records. From this enforcement trend, the lesson is to determine whether each instance of disclosing PHI is necessary to treat, operate, or obtain payment.

If your organization follows the HIPAA Privacy Rule, you must pay attention to enforcement trends. These trends can help you focus on and re-evaluate controls that the OCR may audit. From recent enforcement trends, your organization can evaluate:

  • How do your policies and procedures cover impermissible uses and disclosures of PHI, lack of safeguards of PHI, lack of patient access to PHI, and use or disclosure of more than minimum necessary PHI?
  • How do you evaluate the effectiveness of your safeguards?
  • Do your policies and procedures create obstacles to patient access to PHI?
  • How do you determine if instances of disclosing PHI are necessary to treat, operate, or obtain payment?

Contact us to learn more about enforcement trends and how a HIPAA Privacy Rule Assessment can help ensure your compliance.