Independent Audit Verifies YellowPepper’s Internal Controls and Processes

Miami, FL – KirkpatrickPrice announced today that YellowPepper, the leading mobile payment provider in Latin America, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that YellowPepper has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of YellowPepper’s controls to meet the criteria for these principles.

“Security is at the core of everything we do at YellowPepper and it’s imperative for us to provide our clients with solutions that adhere to the highest standards,” said Alexander Sjögren, YellowPepper’s CTO. “This SOC 2 report confirms our commitment to the most rigorous security, integrity and availability standards and procedures in the industry.”

“The SOC 2 audit is based on the Trust Services Principles and Criteria. YellowPepper has selected the security, availability, and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “YellowPepper delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on YellowPepper’s controls.”

About YellowPepper

Founded in 2004, YellowPepper is the mobile payments pioneer in Latin America with proprietary technology and partnerships with leading financial institutions and fintechs. YellowPepper provides a payment platform that gives consumers, merchants, issuers and processors the means to revolutionize the purchasing experience. Operating in 9 Latin American countries, the Miami-based company currently enables over 6.5 million monthly active users who execute 480 million transactions yearly, while connecting them with more than 400,000 merchants. For more information, please visit www.yellowpepper.com.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Employee Training and Cyber Crime

Human error is one of the greatest threats to organizational security – after all, you’re only as strong as your weakest link, and people are your first line of defense. The best way to ensure that your entire workforce is prepared to thwart malicious cyberattacks is to implement annual employee cyber security awareness training. The cyber-crime landscape is constantly changing, so business owners and stakeholders must make a point of staying on top of the evolving threats.

Top 5 Cyber Security Awareness Tips for Employees

No matter what industry you’re in, cyber security awareness should be a core business practice. Here are the top five cyber security awareness tips for employees:

1. Create a culture of cyber security

When business leaders and stakeholders have cyber security on their minds, it helps to create a culture of cyber security that permeates all the way through the employee level. “Do as I say, not as I do,” has never been a saying that actually holds much merit. Employees learn cyber security habits best through the example of their leaders. This tone from the top helps a culture of cyber security to remain on the forefront of the minds of those within the organization, enhancing security and lowering the risk of human error.

2. Talk frequently about cyber security

When employees understand the potential impact that a cyber-attack could have on their organization, it can help encourage better cyber security awareness practices. A good way to ensure this happens is by implementing an annual cyber security awareness training program. This program should be mandatory and cover all aspects of cyber security awareness for the workforce, managers, and IT professionals. This program should also be a part of new employee onboarding. Another way to achieve this is by incorporating cyber security awareness into everyday business practices.

3. Strong password management

Best practices say that strong passwords and passphrases contain at least seven characters, including both numeric and alphabetic characters. Using special characters and a mix of upper- and lowercase letters further strengthens a password. Avoid common phrases, dictionary words, or personal details such as birth dates. It is also important not to reuse a password, and to require that passwords be changed every 90 days.

4. Teach employees to recognize phishing attempts

Phishing attacks are one of the most common ways cyber criminals target organizations. Educating your workforce to recognize phishing attempts through cyber security awareness training can help you avoid a damaging malicious attack. A common phishing technique is crafting emails that look like legitimate communication. They often come camouflaged as something an employee might be expecting, like a password reset email, a notice from HR, or a shipping confirmation. Despite cybercriminals’ strong efforts to disguise these emails, there are still several ways to identify phishing attempts.

  • Name check – Clicking on a link in an email from someone you don’t know is always dangerous. It’s important to realize that companies would never ask for sensitive information, such as usernames or passwords, over insecure end-user messaging. Cyber criminals will go as far as using an email address that is very similar to a company’s official address, so closely checking who an email is from is a critical practice.
  • Spelling and grammar – Checking the body of an email for unusual spelling or characters can be a good indicator of a phishing attempt, particularly if the sender of the email is requesting sensitive information. Misspellings and grammar issues should be a red flag when seemingly coming from a credible source.
  • Intimidation tactics – Messages that start with “Urgent action required” or “Your account has been compromised” that require you to click on a link and enter sensitive information should be avoided. These intimidation tactics are an attempt to get you to give up your credentials.
  • Links – Clicking on links in emails from unknown sources should always be a no-no. Even though the hyperlink in an email may appear to look legitimate, it’s important to hover over the hyperlink (without clicking) to see the real URL.
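Two of the checks above can be automated on the receiving side: a sender domain that is a near-miss of a trusted domain, and a link whose visible text names a different host than the real URL behind it. The following Python is an added illustration, not code from the original post; the trusted-domain list and the sample message are constructed.

```python
# Defender-side indicators for two of the phishing tips: lookalike sender domains and
# links whose displayed text points somewhere other than their real href. Illustration only.
from html.parser import HTMLParser
from urllib.parse import urlparse
import difflib

TRUSTED_DOMAINS = {"examplebank.com", "corp.example"}  # constructed allow-list

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this anchor
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase hostname of a URL or bare domain, or '' if the value is not one."""
    host = (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
    return host if "." in host and " " not in host else ""

def lookalike_sender(from_addr):
    """Return a finding if the sender domain resembles, but is not, a trusted domain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.8)
    return f"sender {domain} resembles trusted {close[0]}" if close else None

def mismatched_links(html_body):
    """Return findings for anchors whose shown text names a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"text shows {shown} but link goes to {real}")
    return findings

# Constructed sample message: a one-character lookalike sender and a disguised link.
SAMPLE_FROM = "security@examp1ebank.com"
SAMPLE_HTML = '<p>Urgent action required: <a href="http://login.attacker.example/reset">https://examplebank.com/reset</a></p>'
```

Both functions return plain strings so they can feed a mail gateway rule or a user-facing banner; the similarity cutoff is a tuning knob, not a standard.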

5. Reporting cyber security incidents

In the event that a security incident does happen at your organization, it’s critical that employees know how to report these incidents. Knowing how to escalate a cyber security incident in a timely manner could make all the difference in minimizing the damage. Incident response training should be another integral part of your employee onboarding, and should be revisited company-wide on an annual basis. A good incident response plan includes the following:

  • Preparation
  • Detection and Identification
  • Containment
  • Remediation
  • Recovery
  • Lessons Learned

For help with building your cyber security awareness program at your organization, contact us today for more solutions.


What is Penetration Testing?

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets from malicious outsiders. Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in access to Electronic Protected Health Information (ePHI). The most common penetration testing types include:

  • Internal and External Infrastructure testing focuses on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
  • Web Application testing involves attempting to identify and exploit common web vulnerabilities as well as business logic flaws that could allow an attacker to gain access to sensitive data.
  • Wireless Assessments assess the configuration and protections associated with wireless deployments, which can highlight issues that could allow unauthorized use of this connection. Wireless Assessments can also be performed to identify unauthorized access in your environment by performing rogue access point (AP) identification.
  • Social Engineering focuses on the human element that affects the security of your environment. Through email, phone, and SMS-based social engineering, it is possible to identify areas where employees are likely to fall victim to attackers attempting to convince them to provide information or take other actions that could lead to the compromise of systems and sensitive data. Performing this type of assessment can help your organization to highlight areas that should be strengthened through future security awareness training.

Listen to the full webinar to learn KirkpatrickPrice’s penetration testing methodology, penetration testing approaches, and how penetration testing fits into HIPAA laws.

More Penetration Testing for HIPAA Compliance Resources

  • HHS.gov HIPAA Security Rule for Professionals
  • 164.308(a)(8) Standard: Evaluation
  • NIST SP800-66 – (HIPAA Implementation Guidance)
  • National Institute of Standards and Technology (NIST) SP800-115
  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Open Web Application Security Project (OWASP)
  • Penetration Testing Execution Standard (PTES)
  • Penetration Testing Framework

In this session of Duo’s webinar series, A Comprehensive Security Roadmap for MSPs, Joseph Kirkpatrick presents best practices for defining and reducing the scope of an information security assessment.

Scoping involves the identification of people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step for any assessment and also one of the most important elements of an information security assessment because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

When considering people that could be in scope, you must ask: Who connects to the environment? Executives, IT, third parties, programmers? These people must abide by policies and adhere to requirements. When determining processes that could impact the security of protected information, you must ask: Is there a process that involves someone doing a daily backup for you? A cloud provider or company coming onsite to pick up backup media? A remote data center with remote hands service to perform a process for you? Finally, what technologies are in scope? You must identify all systems in scope, such as web and database servers, firewalls, switches, authentication services, log servers, etc.

Managed Service Providers are often hesitant to consider themselves as in-scope. To be considered out of scope, a system component must not have access to any system within the network containing sensitive data. Questions we commonly ask MSPs are:

  • Could the MSP impact the security of the systems that do access sensitive information?
  • Does the MSP install new patches and review logs produced by the system?
  • Does the MSP’s access to the systems require administrative-level privileges?
  • Even if there are firewalls between one system and the next, what ports are available for the MSP to connect to in order to manage the network?
  • Even if the MSP connects over a VPN and all traffic is encrypted, doesn’t the MSP become part of the client’s network?
  • If a user is now connected to the network and is considered in scope, what else is in scope?

The key to accurately defining the scope of an information security assessment is to be thorough in assessing the people, processes, and technologies that interact with, or could impact the security of, the information to be protected. Listen to the full webinar to hear case studies and more details from Joseph Kirkpatrick.

About Duo Security

Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft, and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas; and London. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures, and True Ventures. Try it for free at www.duo.com.

What are the New PCI Requirements?

Nine new PCI DSS requirements became mandatory as of February 1, 2018. While there are only nine new items, they could have a significant impact on your environment. If you have not already started to work on these items, you are likely already behind. In this webinar, Jeff Wilder will discuss how to prepare for and implement these requirements.

The new PCI DSS requirements for everyone include:

  • 6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
  • 8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The new PCI DSS requirements for service providers include:

  • 3.5.1 – Maintain a documented description of the cryptographic architecture.
  • 10.8 – Implement a process for the timely detection and reporting of failures of critical security control systems.
  • 10.8.1 – Respond to failures of any critical security controls in a timely manner.
  • 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
  • 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
  • 12.11.1 – Maintain documentation of quarterly review process.

Listen to the full webinar to learn how your organization can prepare for these changes. For additional information on PCI compliance, contact us today!