Regular penetration tests are a critical line of defense when protecting your organization’s sensitive assets from malicious outsiders. Just like any test, you need to be prepared. Your organization should take steps to ensure that you pass your penetration test and are prepared to fend off attackers. Regular penetration tests are not only required by most audit frameworks and provide real-world insight into how attackers can exploit vulnerabilities; they also provide a prioritized approach to managing high-risk findings. Here are a few tips to ensure a successful penetration test at your organization.

  • Define Business Objectives

Understanding what your critical assets are and where they live is important for protecting those assets. By defining these goals prior to undergoing a penetration test, you can learn where the business risk is greatest and make remediations to improve security at your organization based on the findings. This “test” is a good assessment of whether or not your security controls and processes are in place and fulfilling their intent. Setting the scope prior to the engagement will help you specify how far you want the test to go.

  • Perform Vulnerability Scans

Best practices say that performing quarterly vulnerability scans can help keep vulnerability remediation manageable. By performing these scans every three months throughout the year, you’ll know whether you’ve missed any patches or known vulnerabilities before your penetration test begins.

  • Define Hardening Standards

Developing a checklist that outlines guidelines for hardening your network and systems is an important step in preparing your organization for a penetration test and protecting your network against a malicious attack. Hardening standards secure a system by reducing its attack surface.

  • Dedicate your Penetration Test Team

Be sure your dedicated IT penetration testing team is prepared, with backups ready to restore systems or recover data. These individuals also need to be prepared to work with your penetration tester to accomplish your goal: finding any exploitable vulnerabilities. They also need to be ready to promptly address each finding.

  • Find an Experienced Penetration Tester

If you are looking for a thorough and quality penetration test, you’ll want to find a qualified penetration tester with expertise that you can trust. After all, engaging in a penetration test can be quite the investment. Don’t be afraid to ask questions during the vendor-vetting process to learn necessary background information about the partners you are considering.

You’ve partnered with a third party, you’ve properly scoped your environment, you’ve conducted a HIPAA Risk Analysis, you’ve remediated any non-compliant findings, you’ve worked with your auditor, you’ve completed your HIPAA audit, and now you’re finally receiving your HIPAA compliance report. Congratulations! So, what’s actually included in a HIPAA compliance report? Here are the 4 main components of a HIPAA compliance report:

The 4 Main Components to a HIPAA Compliance Report:

  1. Scope of Engagement

This section will report on the auditor’s review of controls over access to electronically protected health information (ePHI), which ensure that access to ePHI meets HIPAA requirements. The Scope of Engagement also includes the auditor’s determination of the level of compliance with the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards. These safeguards are an important part of preventing and mitigating a breach. This section also includes a report of the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk analysis and training requirements.

  2. Executive Summary

The second component of a HIPAA compliance report provides the purpose of the engagement and a description of the independent review of the information security control structure. The Executive Summary also includes a statement on the information security control structure’s compliance with the HIPAA Security Rule.

  3. Assessment Method

The Assessment Method describes the three main phases of the assessment: Planning, Control Identification, and Control Testing. The first phase consists of the assessor firm and client working to define the scope of the environment, identify areas of concern, and produce a work plan. During the second phase, the assessor interviews staff and examines relevant documentation. This phase results in the identification of key controls and testing methods to be used during the assessment. The third phase, Control Testing, occurs when the assessor conducts a review based on the key controls. The controls are then matched with the requirements of the HIPAA Security Rule and tested. The assessor must determine that the controls not only met the intent and rigor of the control objective, but were also implemented and operating.

  4. Assessment of Security Safeguards

This section covers the standards and implementation specifications together with their compliance descriptions. In other words, it gives a brief summary of each standard, how each standard is implemented, and a description of how the organization complies with that standard.

Your organization can use your HIPAA compliance report to provide stakeholders or outside parties with an independent third-party verification that all access controls to ePHI stored on your systems are in compliance with HIPAA requirements.

A HIPAA Report contains four main components. The first component is Scope of Engagement. The Scope of Engagement reports on the auditor’s review of controls over access to electronically protected health information. It also reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s administrative, physical, or technical safeguards. Lastly, it reports on the auditor’s evaluation of the level of compliance with the HIPAA Security Rule’s risk assessment and training requirements. Next, we have Executive Summary. The Executive Summary provides a description of an independent review of the information security control structure and its compliance with the HIPAA Security Rule. Next, we have Assessment Method. The Assessment Method provides a description of the three phases of the assessment: planning, control identification, and control testing. Lastly, we have Assessment of Security Safeguards. This section provides a description of standards, implementation specifications, and compliance descriptions.

Independent Audit Verifies FileSolve’s Internal Controls and Processes

Charlotte, NC – July 2017 – FileSolve, an enterprise content management (ECM) and business process outsourcing provider, today announced that it has completed its SSAE 18 (SOC 1) Type II audit and its SOC 2 Type II audit. The audits and testing were performed by KirkpatrickPrice, a licensed CPA and PCI QSA firm. The completion of these engagements provides evidence that FileSolve has a strong commitment to deliver high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 (Statements on Standards for Attestation Engagements) auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. KirkpatrickPrice performed the audit and appropriate testing of FileSolve’s controls that may affect its clients’ financial statements. In accordance with SSAE 18, the SOC 1 Type II audit report includes FileSolve’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Principles; FileSolve selected the security, availability, and confidentiality principles for the basis of their audit. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of FileSolve’s controls to meet the criteria for these principles.

“Many of our clients rely on us to protect their information,” stated Denny Hammack, CEO of FileSolve. “The audits provide verification to our clients that we not only have the necessary internal controls and processes in place, but that we are committed to continuous improvement.”

Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice added, “FileSolve has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by FileSolve.”

About FileSolve

FileSolve, a division of Patterson Pope, is committed to delivering enterprise content management and business process outsourcing solutions that allow clients to gain better control of their organizations. Through the years, FileSolve has earned a solid reputation throughout the Southeast as a committed partner in client relationships by providing expertise – from continuous consultation to implementation and training – that delivers process improvement and bottom-line results. For more information, visit www.filesolve.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Verifies Neubus’s Internal Controls and Processes

Austin, TX – July 2017 – KirkpatrickPrice announced today that Neubus, a document management agency, has received its SOC 2 Type II attestation report. The completion of this engagement provides evidence that Neubus has a strong commitment to deliver high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Neubus’s controls to meet the criteria for these principles.

“Many government agencies rely on Neubus to manage their critical documents efficiently and securely,” said I-Hsing Tsao, Neubus co-founder and CTO. “The successful completion of the SOC 2 Type II audit is a testament to Neubus’ controls, integrity, processes, and systems to keep our customers’ data safe.”

“The SOC 2 audit is based on the Trust Services Principles and Criteria. Neubus has selected the security, availability, processing integrity, and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “Neubus delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Neubus’s controls.”

About Neubus

Neubus Inc. was founded by executives Chris Albury and I-Hsing Tsao to help government agencies increase efficiency, reduce costs, and provide better services by converting their documents to electronic images and data. Historically, most national-level imaging and document management providers were “jacks of all trades,” leaving large gaps in the expertise, products, and services available to government agencies. Neubus focused on becoming the best at helping under-served government agencies move from paper-based to paperless processes. The company has extensive experience helping agencies capture, store, manage, and share information previously stored on paper and microform. Its technology platform is based on open systems, and its customized solutions cater to the specific needs of hundreds of state and local government agencies. For more information, visit www.neubus.com.


Independent Audit Verifies JW Software’s Internal Controls and Processes

St. Louis, MO – July 2017 – JW Software, a claims management software provider, today announced that it has completed its SSAE 18 (SOC 1) Type II Audit. This attestation verifies that JW Software has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of JW Software’s controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes JW Software’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

The Security of JW Software Clients is Paramount

“Many of JW Software’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, JW Software has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by JW Software.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About JW Software

JW Software, Inc. is a software firm focused on the development and support of product-based Insurance Technology Solutions with a specific emphasis on software systems that support end-to-end Policy & Claims Administration.

JW Software, Inc. provides FileHandler, a .NET, multi-line, browser-based Claims Administration System designed to manage claims for TPAs, Carriers, Self-Insured Entities, Municipalities, Risk Pools, etc. FileHandler is backed by a company with over 25 years of experience in the RMIS marketplace, and the system has been strategically designed to enhance clients’ current processes and improve productivity through its diverse functionality and dynamic reporting tools. For more information, visit www.jwsoftware.com.
