Chicago, IL – Yello, a talent acquisition software company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Yello has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Yello’s controls to meet the standards for these criteria.

“We are thrilled to have earned our SOC 2 attestation,” said Jason Weingarten, CEO & Co-Founder of Yello. “This certification reinforces Yello’s promise to protect and secure customers’ confidential information. I am really proud of the team at Yello that worked so diligently to successfully attain this certification. We look forward to upholding the data security and compliance standards that have driven our business for years.”

“The SOC 2 audit is based on the Trust Services Criteria. Yello has selected the security category for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Yello delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Yello’s controls.”

About Yello

Yello’s talent acquisition platform allows the world’s leading brands to deliver personalized candidate experiences to every job seeker, resulting in quality hires and faster fills. The centralized platform is easy to use, enabling recruiters to collaborate with one another to attract and engage top talent. Key hiring statistics provide meaningful insights that lead to more accurate, data-driven decisions while staying on budget. For more information about Yello, visit https://www.yello.co.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com, connect with KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Do you want to demonstrate your commitment to security to global business partners? An ISO 27001 report provides organizations with an evolving ISMS that can adapt to new challenges and validates your commitment to security. It can also help you prioritize your information security budget and resources based on risk, because ISO 27001 is customized for your environment and your specific risks. Undergoing an ISO 27001 audit is also a way to be proactive in your information security and compliance efforts, which could be just what you need to stay ahead in your industry. So, what does the ISO 27001 certification process look like and who can perform an ISO 27001 audit? What’s the difference between ISO 27001 certification and an ISO 27001 audit?

The ISO 27001 Certification Process

In order for your organization to become ISO 27001 certified, there are a few steps you’ll have to take. To get the ISO 27001 certification process started, we suggest undergoing a gap analysis to identify any potential vulnerabilities. From there, you’ll remediate the findings and then begin the audit, which consists of two stages.

Stage 1 Audit

During your Stage 1 audit, or the “Documentation Review” audit, an external auditor will review your organization’s prepared ISMS documentation to ensure that it is compliant with the ISO 27001 requirements.

Stage 2 Audit

Once you’ve completed the Stage 1 audit, your external auditor will evaluate the fairness and suitability of your information security management, controls, and practices. If your external auditor deems your organization’s ISMS compliant with the ISO 27001 requirements, they will recommend you for certification. ISO 27001 certification is a separate process involving a certifying body.

Value of an ISO 27001 Audit Without Certification

Did you know that many organizations opt to undergo the ISO 27001 audit and not pursue certification? It’s true. You might now be wondering, “Why would you pursue an audit and not want to get the certification?” The bottom line is because certification is not required. Instead, if you decide to pursue an ISO 27001 audit without certification, you will still receive an ISO 27001 report to offer clients and stakeholders who need assurance of your ISMS’ effectiveness, and you only need to work with one firm for your ISO 27001 needs.

Who Can Perform ISO 27001 Audits?

While both internal and external auditors can use the ISO 27001 framework to perform the Stage 1 audit and assess an organization’s ability to meet their information security requirements, using an external auditor is always wise. Here’s why.

When you pursue an ISO 27001 certification, best practice is to hire one firm to perform the audit and a separate firm for the certification process. This process may seem tedious, but it instills independence so that conflict of interest is never a concern.

KirkpatrickPrice only offers ISO 27001 audits and consulting. Our firm is not a certifying body, so any quotes on our ISO 27001 services will never include certification. If you are considering working with a firm that offers both auditing and certification services or has a partnership with another organization in order to offer both, this is a red flag. It indicates a lack of integrity and a conflict of interest, which could have negative implications on your audit and certification.

Have questions getting started on your ISO 27001 audit journey? Contact us today, and we’ll get you started.

More ISO 27001 Resources

ISO 27001 FAQs: Information Security Management for Your Organization

Choosing Between SOC 2 and ISO 27001 Audits

Was the Gap Worth It?

Independent Audit Verifies Hurricane Labs’ Internal Controls and Processes

Independence, OH – Hurricane Labs, a managed services provider, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that Hurricane Labs has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Hurricane Labs’ controls to meet the standards for these criteria.

“We view this compliance certification as a testament to our ongoing commitment to our clients’ security,” said Bill Mathews, owner and CTO, Hurricane Labs. “As a security company, Hurricane Labs is proud to lead by example in maintaining the best security practices, both in client environments as well as our own. Our clients can feel confident that we’re continuing to go above and beyond in the services we deliver to make sure their data stays secure.”

“The SOC 2 audit is based on the Trust Services Criteria. Hurricane Labs has selected the security, availability, confidentiality criteria for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Hurricane Labs delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Hurricane Labs’ controls.”

About Hurricane Labs

Established in 2003, Hurricane Labs is a Managed Services Provider based out of Cleveland, Ohio. Our team is 100% focused on Splunk and security to provide expert assistance in comprehensive platform management, custom development enhancements, and enterprise security support. We aim to increase the value of Splunk for all use cases and to ensure our customers succeed no matter what. Learn more at www.hurricanelabs.com and follow us on Twitter @hurricanelabs.


The PCI DSS was developed by payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. A PCI audit must be conducted by a QSA. As for the PCI audit itself, the number of requirements organizations have to comply with varies. In some cases, entities must meet all 12 PCI requirements, but the scope may determine that others only need to meet PCI Requirements 9 and 12. Why is that? It has to do with the physical security of cardholder data.

Who Must Be PCI Compliant?

According to the PCI SSC, “Any merchant that wants to process, store, or transmit credit card data is required to be PCI compliant.” However, some organizations that only impact the physical security of cardholder data, such as data centers or records management providers, only have to demonstrate compliance with PCI Requirements 9 and 12.

What is PCI Requirement 9?

PCI Requirement 9 states entities must restrict physical access to cardholder data. Complying with PCI Requirement 9 is critical to the physical security of your organization’s sensitive cardholder data. What would the consequences be if your organization had no physical access controls? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data.

What is PCI Requirement 12?

PCI Requirement 12 says that entities must maintain a policy that addresses information security for all personnel. Essentially, this requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.

Properly Scope Your PCI Audit

PCI defines scoping as the identification of the people, processes, and technologies that interact with or could otherwise impact the security of cardholder data. Knowing how to scope a PCI assessment is crucial to your organization’s compliance. Defining a correct scope is the first and most important step. Scoping is so vital that assessors should not even begin the assessment until they have fully determined the scope. So, how does your organization determine if an asset is in scope? Any person, process, or technology that stores, processes, or transmits cardholder data is considered to be within your cardholder data environment and in scope for your PCI assessment. If your people, processes, or technology have the ability to impact the security of account data and sensitive authentication data, then your organization needs to have the appropriate controls applied in the appropriate places.

Determining which requirements you need to include in your PCI audit can be confusing, but at KirkpatrickPrice, our Information Security Auditors thoroughly scope the project, allowing for the tedious process to become streamlined.

When you engage in a PCI audit with us, we’ll ask questions like…

  • Will more than one business entity be involved in the audit?
  • Which of your business services are included in the audit?
  • How many business applications are used to fulfill these services?
  • How many technology platforms support the business?
  • What third-party service providers have access to your confidential information?

Who Should Comply with PCI Requirements 9 and 12?

Companies that only handle credit card information physically only need to be evaluated at that level, which means physical security (PCI Requirement 9) and information security policies (PCI Requirement 12). In situations like this, all other requirements would be outsourced.

Whether you’re expected to comply with all 12 requirements or you’re only pursuing a PCI Requirements 9 and 12 audit because you’re focused on physical security, KirkpatrickPrice is here to make the PCI audit journey easier. Let’s find some time to talk today to see how we can partner together to get your compliance goals achieved.

More PCI DSS Resources

Most Common PCI Gaps

4 Reasons to Start a PCI Audit Right Now

How Do I Find a QSA For My PCI Audit?

Does your business collect, use, store, process, or transmit payment cardholder information?

If so, it’s likely that you’ve heard of the Payment Card Industry Data Security Standard, or PCI DSS. If you haven’t, the PCI DSS is a standard created by major credit card companies, such as Visa, Mastercard, Discover, American Express, and JCB, to establish specific requirements that merchants and service providers must adhere to in order to protect payment cardholder data.

This is a robust standard and ensuring PCI compliance is no small task, especially because the framework applies to companies that vary vastly in size and processing capabilities.

This is why, when first establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand the ins and outs of the framework, including what constitutes a merchant, what the four PCI compliance levels are, and how these four PCI DSS levels impact compliance requirements.

Let’s take a look.

What is a Merchant as Defined by PCI DSS?

The Payment Card Industry Security Standards Council (PCI SSC) defines a merchant as:

“A merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”

Does your business fall under this definition? If so, PCI compliance is required and you must determine your PCI compliance level.

The 4 PCI Compliance Levels

Because not every business processes the same amount of card payments per year and each has a different level of risk for data breaches and security incidents, the PCI SSC created four PCI compliance levels that are determined by the merchant type.

  • PCI Merchant Level 1: Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach
  • PCI Merchant Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
  • PCI Merchant Level 3: Merchants with between 20,000 and 1 million online transactions annually
  • PCI Merchant Level 4: Merchants with fewer than 20,000 online transactions a year or any merchant processing up to 1 million regular transactions per year

How do the 4 Levels Impact PCI DSS Compliance?

Depending on which of the four levels of PCI compliance your organization falls under, your compliance journey can vary. Take the following scenarios, for example.

  • If your organization is considered a PCI Merchant Level 1, you’ll be required to undergo annual, third-party audits to verify compliance and go through an annual network scan by an approved scanning vendor (ASV). PCI Merchant Level 1 organizations must receive an annual Attestation of Compliance (AoC) as well as a Report on Compliance (RoC).
  • If your organization is considered to be a PCI Merchant Level 2, 3, or 4, you’ll need to conduct the PCI DSS Self-Assessment Questionnaire (SAQ), as well as go through quarterly network scans with an ASV.
  • If your organization is deemed a PCI Merchant Level 3 but falls victim to a data breach that impacts cardholder information, Visa can opt to penalize you by making you also responsible for meeting the requirements of another level, such as PCI Merchant Level 1.

Meeting PCI Compliance

No matter which of the 4 levels of PCI compliance your business falls into or what type of merchant you are, maintaining PCI compliance needs to be a top priority.

This is why KirkpatrickPrice developed a streamlined audit process that partners you with senior-level, expert Information Security Auditors who are QSAs that can guide you during your PCI compliance journey. Whether you are completing the full audit, have questions about figuring out how to fill out your SAQ, or if you’re looking for an expert penetration tester to perform your required quarterly scanning, we can help.

Let’s talk today about your PCI compliance goals and how we can partner together to achieve them.

More PCI Compliance Resources

PCI Demystified Video Series

Beginner’s Guide to PCI Compliance

Overdue on New PCI Penetration Testing Requirements? What You Need to Know About PCI Requirement 11.3.4.1