Independent Audit Verifies @RISK Technologies, Inc.’s Internal Controls and Processes

Dallas, TX – July 26, 2017 – KirkpatrickPrice announced today that @RISK Technologies, Inc., a Cyber Network Consensus SaaS company, has received their SOC 2 Type I attestation report. The completion of this engagement provides evidence that @RISK Technologies has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of @RISK Technologies’ controls to meet the criteria for these principles.

“@RISK Technologies believes that true Cyber Situational Awareness and the road to Privacy by Design starts with measuring the Cyber Attack Surface,” said John Bliss, Chief Privacy Officer of @RISK Technologies. “We felt it was extremely important to demonstrate we could deliver our capability in a manner that is trusted and secure and this is why we pursued SOC 2 compliance.”

“The SOC 2 audit is based on the Trust Services Principles and Criteria. @RISK Technologies has selected the security, availability, processing integrity, and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “@Risk delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on @RISK Technologies’ controls.”

About @RISK Technologies, Inc.

@RISK Technologies is a Cyber Network Consensus software company that provides automated, world class Cyber and Privacy Governance and Enterprise Risk Management. The company is composed of digital minutemen and kinetic warriors who have designed, built, delivered, and managed complex networked ecosystems for special operations, intelligence agencies, and the Department of Defense to evolve Cyber Defenses to meet today’s most critical Cyber Threat challenges. @RISK Technologies is now Gradient Cyber. To learn more, visit https://www.gradientcyber.com/.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

In this webinar, Jessie Skibbe discusses one of the most important steps in the certification journey: scoping. She will cover how to scope your environment for a HITRUST CSF assessment and how to define the risk factors related to your scope.

Scoping is the very first step in your certification journey. Before you even contact an assessor, you must determine what your scope is. The controls of the HITRUST CSF are designed to apply to all information systems regardless of classification or function; however, for the purposes of HITRUST CSF Validation/Certification, only those systems that store, process, or transmit PHI, or that support the storing, processing, or transmission of PHI, should be included. The scope of the assessment should cover the following:

  • Patient care systems, applications, and devices that store and process ePHI (e.g., pharmacy, infection control, cancer registry, MRI, CTI, Ultrasound), whether they are standalone systems or connected to the network
  • Business systems and applications that store, process, or transmit ePHI to support billing, customer service, and general administrative operations, (e.g., supply chain, state submissions, credentialing)
  • Infrastructure components, such as routers and firewalls, that are connected to or facilitate the transmission of ePHI to/from the types of systems described above

The HITRUST CSF is scalable. The organizational, system, regulatory, and information system risk factors will determine the total number of control requirements that will apply to your assessment scope. In this webinar, we give examples of questions you should be asking during the scope determination process:

  • How many records does your organization store?
  • Does the system store, process, or transmit sensitive information?
  • Is the system accessible by a third-party?
  • What is the number of interfaces to other systems?
  • How many transactions per day does the system process?
  • Is your organization subject to PCI compliance?
  • Is your organization subject to the State of Massachusetts Data Protection Act?
  • Is your organization subject to the State of Texas Medical Records Privacy Act?

More about HITRUST

HITRUST is a not-for-profit organization founded in 2007, “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST partners with public and private healthcare technology, privacy, and information security leaders. HITRUST develops, maintains, and provides broad access to its common risk and compliance management frameworks. The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to provide a solution to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard that was built from what works within other standards and authoritative sources, such as ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, to name a few. It was also built on risk management principles, and it aligns with existing, relevant controls and requirements.

Have questions about HITRUST CSF requirements? Contact our team today to have them answered. KirkpatrickPrice can assist you with SOC 2, SOC 2 +, SOC 2 + HITRUST CSF Certification, HITRUST CSF Certification, Assisted HITRUST CSF Self-Assessment, Policy and Procedure drafting, guided Risk Analysis, and general guidance/consulting.

Additional Resources

Contact us today to get started on your HITRUST journey.

Learning to swim ahead of the latest threats in information security is important for avoiding a devastating run-in with a malicious attacker. So, we’ve compiled some exclusive advice from our expert security professionals that dispels common misconceptions about information security by outlining some of the deadliest information security mistakes your organization must avoid. Protect your sensitive assets and prevent a data breach from happening at your organization by avoiding these five mistakes:

1. Thinking Compliant Means Secure

Looking at recent data breaches, there’s one thing that most of the compromised companies had in common – they were compliant with one regulation or another. A common misconception is thinking that because we’re compliant, we’re automatically secure. Focusing on security at your organization is the best approach to ensure a proper defense against a malicious attack. Once you’re secure, compliance will fall into place.

2. Insufficient Network Segmentation

A common issue we see when reviewing an organization’s security posture is a lack of network segmentation. Flat networks fail to use the network architecture as part of a risk reduction strategy, inadvertently widening your scope and leaving you more susceptible to an attack. Properly segmenting your network limits access to any sensitive sub-networks and internal networks by least privilege.
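The scope-widening effect of a flat network can be made concrete with a small policy evaluator. The following is an added example, not KirkpatrickPrice's own code or tooling: the zone names, the allow-rules and the observed flows are all constructed for illustration. It evaluates flows against a default-deny, zone-to-zone rule set (the least-privilege model the paragraph describes) and computes which zones a given zone can reach transitively, which is the question an assessor asks when deciding what is in scope.

```python
"""Zone-based segmentation check (added example; zones, rules and flows are constructed)."""
from collections import deque

# Explicit allow-rules as (source_zone, destination_zone, port).
# Anything not listed is denied: the least-privilege default.
SEGMENTED_RULES = {
    ("corp_workstations", "web_dmz", 443),
    ("web_dmz", "app_tier", 8443),
    ("app_tier", "cardholder_db", 5432),
    ("corp_workstations", "jump_host", 22),
    ("jump_host", "cardholder_db", 5432),
}

# A flat network: every zone can reach every other zone on any port (port None = any).
ZONES = ["corp_workstations", "web_dmz", "app_tier", "cardholder_db", "jump_host", "guest_wifi"]
FLAT_RULES = {(src, dst, None) for src in ZONES for dst in ZONES if src != dst}

# Constructed flows, e.g. taken from firewall logs or a flow collector.
OBSERVED_FLOWS = [
    ("corp_workstations", "web_dmz", 443),
    ("guest_wifi", "cardholder_db", 5432),          # guest network talking to the card database
    ("corp_workstations", "cardholder_db", 5432),   # workstations bypassing the jump host
]


def is_allowed(rules, src, dst, port):
    """True if an explicit rule permits the flow; a rule with port None matches any port."""
    return (src, dst, port) in rules or (src, dst, None) in rules


def find_violations(rules, flows):
    """Return the flows that the policy does not permit, in the order observed."""
    return [flow for flow in flows if not is_allowed(rules, *flow)]


def reachable_zones(rules, start):
    """Zones reachable from `start` by chaining allow-rules (breadth-first search).

    This is the transitive blast radius: a zone that can reach the cardholder
    database indirectly is still in scope for the database's controls.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    print("violations under segmented policy:", find_violations(SEGMENTED_RULES, OBSERVED_FLOWS))
    print("violations under flat policy:", find_violations(FLAT_RULES, OBSERVED_FLOWS))
    print("guest_wifi can reach (segmented):", reachable_zones(SEGMENTED_RULES, "guest_wifi"))
    print("guest_wifi can reach (flat):", reachable_zones(FLAT_RULES, "guest_wifi"))
```

Under the flat rule set nothing is a violation, which is exactly the problem: the policy gives you no way to tell the guest network's traffic to the card database apart from legitimate application traffic. The transitive reachability result is also worth reading carefully, because even in the segmented policy the corporate workstations can reach the cardholder database through the application tier or the jump host, so those paths belong in the scope discussion.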

3. Thinking of Information Security Audit as a Cost Center

No one likes hearing the word “audit”, especially from a top client. However, one of the biggest mistakes that organizations make is viewing a third-party information security audit as a cost center. Thinking of an audit as an investment can help your organization avoid costly fines associated with data breaches and/or non-compliance and give you a competitive advantage by already having your security controls validated. Information security should be seen as a holistic approach and not a one-time achievement.

4. Insufficient Defense in Depth

System hardening is a dangerous thing to overlook. When securing your network, it’s important to implement several types of controls to create a layered defense, or defense in depth. That way, if one mechanism fails, there will be another one in place to defend against a malicious attack. Some examples of controls that can be used in combination to harden your systems and networks include a strong perimeter firewall, IDS to monitor network traffic for a potential attack, anti-virus software, and physical access controls.

5. Weak Patch Management

We’ve seen this numerous times this year – organizations failing to apply critical patches are slammed with some form of malware. Patch management is a requirement under most regulations and is important because attackers will target known vulnerabilities.

Don’t let your organization be an easy target for an attack and be sure you’re avoiding these 5 deadly information security mistakes. For help assessing your organization’s current security posture, contact us today!

More Resources

10 Ways to Conduct Patch Management

Hardening and System Patching

Creating Effective Network Diagrams and Data Flow Diagrams

Halfway through the year 2017, we find ourselves reading a similar headline in the news every day, “XYZ Company Has Announced 100 Million Customer Records Exposed in Data Breach.” As we skim the articles, we breathe a brief sigh of relief that it isn’t our company in the headline, knowing that we could be next. According to a 2017 Ponemon Institute Report, the average total cost of a data breach in 2017 is $3.62 million. Let’s look at some of the top data breaches in 2017, the type of attack, and the kind of data that was affected to learn some lessons that could help prevent a costly data breach from occurring at your organization.

Arby’s

This past February, Arby’s announced that they had experienced a data breach that affected one third of its locations nationwide. It was discovered that malicious software had been installed on its payment card systems, resulting in a large breach of credit card information. When training your employees to properly handle payment card information, remember to include how to notice and report suspected tampering of payment card terminals.

WannaCrypt

In May 2017, any organization affected by the infamous WannaCrypt ransomware definitely wanted to cry. Noted as the largest worldwide cyber attack to date, cyber criminals held data for ransom on more than 300,000 computers, claiming over 200,000 victims. This unprecedented data breach stemmed from a “critical” Microsoft patch, released three months prior, that had not been installed. Updating security patches and keeping operating systems up to date is crucial, as attackers will target known vulnerabilities.

Princeton Community Hospital

After being hit with the latest ransomware known as Petya, this West Virginia hospital was forced to rebuild their entire network, replacing nearly 1,200 hard drives in the process. Petya, uniquely designed not to make money, froze the hospital’s electronic medical records, making it impossible for patients to be treated. They were unable to pay a ransom and lost access to computers and all data. While we learned from WannaCrypt that keeping patches up to date is critical, it’s equally as important to ensure proper backups. In the event of an attack such as Petya, there is no way to retrieve any data other than restoring from a backup. Regularly performing backups for critical data, files, and systems can help make the recovery and restoration process quicker and easier.

WWE

Another common cause of a data breach in 2017 is incorrectly configured third-party hosting providers. In July, three million WWE fans had personally identifiable information such as addresses, birthdays, ethnicity, earnings, educational background, and children’s age ranges exposed. It was discovered that the Amazon Web Services S3 storage was holding all the database data in plaintext, without password or username protection. When assessing your information security program, don’t forget to regularly examine and verify any third-party vendor security and compliance.
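The “without password or username protection” condition above is, in S3 terms, a bucket policy that grants access to an anonymous principal. The check below is an added example and not KirkpatrickPrice's code; both policy documents are constructed, and the account id and role name in the hardened policy are placeholders. It flags Allow statements whose Principal is the wildcard and which carry no Condition, which is the plainest form of an open bucket. AWS's own definition of “public” is broader (some conditions still leave a bucket public), so this is a first-pass review aid, not a replacement for the provider's public-access settings.

```python
"""Flag bucket-policy statements that grant anonymous access (added example; policies are constructed)."""
import json

# Constructed policy that leaves every object readable by anyone on the internet.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::fan-data-export", "arn:aws:s3:::fan-data-export/*"],
        }
    ],
})

# Constructed hardened policy: access limited to one application role
# (placeholder account id and role name), and anonymous requests are denied outright.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::fan-data-export/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::fan-data-export", "arn:aws:s3:::fan-data-export/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for the wildcard principal in either of its two spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements open to anyone with no Condition attached.

    Statements without a Sid are reported by their position instead.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are protective, not exposures
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need a closer look; not flagged by this simple pass
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


if __name__ == "__main__":
    print("exposed:", public_statements(EXPOSED_POLICY))
    print("hardened:", public_statements(HARDENED_POLICY))
```

The Deny statement in the hardened policy also uses the wildcard principal, and the function deliberately ignores it: a Deny that applies to everyone narrows access rather than widening it, so a checker that only pattern-matches on `"Principal": "*"` would raise a false alarm there.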

Verizon

The most recent data breach to plague 2017 affected approximately six million customers. Verizon announced that names, addresses, phone numbers, and account PINs were left exposed in a database hosted on a third-party cloud server. As cloud security flaws continue to be a common reason for a data breach, it’s important to understand your risks, and do your due diligence to ensure the policies and procedures for securing your data are appropriate and effective for preventing a data breach.

Don’t let your organization be next! Stay up to date and proactive when it comes to the latest threats to your organization’s security. For help conducting a Risk Assessment or assessing your current security posture against the threat landscape, contact us today!

More Resources

10 Ways to Conduct Patch Management

Finding and Mitigating Your Vulnerabilities Through OWASP

Think Like a Hacker: Common Vulnerabilities Found in Networks


Is your organization swimming in information security concerns? Recent and startling new malicious attacks are causing organizations to re-think everything we know about our security posture – from breach prevention to response. Organizations are beginning to shift their focus to security, having realized that sometimes compliance isn’t enough. With this “shark in water” reality, here are 5 things your organization should be doing to avoid a data breach.

Perform an Annual Risk Assessment

The number one thing all organizations should be doing is performing an annual risk assessment. Without this critical component of an information security program, organizations are left in the dark about where their assets reside, and what the risks to those assets are. How can you protect your critical and sensitive assets from a malicious data breach if you don’t know what you’re protecting them from? A risk assessment will help you identify all assets and prioritize risks based on an individual threat level. A formal, risk-based approach is key to any organization’s security posture, and should be the basis of your risk management program.

Create a Culture of Security

Calling all management, board of directors, and stakeholders! Information security auditors can’t stress enough how important it is to create a culture of security within your organization. The best way to accomplish this is by having a solid tone from the top. What does this mean? Upper-level management must understand the importance of information security and let this understanding permeate throughout the organization, all the way down to the operations level and beyond. An important way to ensure that all employees are aware of their security obligations is to develop and maintain a policy that addresses information security for all personnel, and conduct annual security awareness training programs.

Update Software and Install Patches

When WannaCry, the infamous ransomware attack, hit earlier this year, organizations were left scratching their heads in disbelief that it all could have been avoided if they hadn’t ignored a Microsoft software update. Why leave a known vulnerability open to attackers? Software updates are critical for preventing a data breach and safeguarding your sensitive data.

Closely Manage your Vendors

Most businesses today outsource critical business functions to third-party service providers. It is best practice (and often required by regulation) to perform due diligence by fully vetting your vendors to ensure that they, too, are implementing appropriate and effective controls to protect your assets and will not negatively affect the security of your organization. Even after you are contractually working with a third party, you should issue temporary passwords to any vendor connecting to your network, monitor and log all user activity, and immediately disable temporary vendor accounts after use. Doing so can help you detect any malicious activity promptly and respond accordingly.
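The three vendor-access controls above (time-limited access, logged activity, prompt disablement) only pay off if someone actually checks the logs against the approved windows. The following is an added example, not KirkpatrickPrice's code: the vendor accounts, their approved windows and the log lines are all constructed (the log format is a simple key=value style and the addresses are from documentation ranges). It reports login attempts by vendor accounts outside their approved window and accounts whose window has closed but which are still enabled.

```python
"""Vendor account window and disablement check (added example; accounts and logs are constructed)."""
from datetime import datetime, timezone

# Constructed register of temporary vendor accounts and their approved access windows.
VENDOR_ACCOUNTS = {
    "vendor-acme": {
        "window_start": "2017-07-10T08:00:00Z",
        "window_end": "2017-07-10T18:00:00Z",
        "disabled": False,
    },
    "vendor-globex": {
        "window_start": "2017-07-05T00:00:00Z",
        "window_end": "2017-07-06T00:00:00Z",
        "disabled": True,
    },
}

# Constructed authentication log: ISO-8601 UTC timestamp followed by key=value fields.
AUTH_LOG = """\
2017-07-10T09:12:44Z user=vendor-acme action=login result=success src=203.0.113.7
2017-07-10T17:30:02Z user=vendor-acme action=logout result=success src=203.0.113.7
2017-07-12T02:15:09Z user=vendor-acme action=login result=success src=198.51.100.23
2017-07-11T08:00:00Z user=jdoe action=login result=success src=192.0.2.15
2017-07-11T08:05:12Z user=vendor-globex action=login result=failure src=198.51.100.40
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse a UTC timestamp of the form 2017-07-10T09:12:44Z into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts_text, *fields = line.split()
    event = {"ts": parse_ts(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def out_of_window_logins(accounts, log_text):
    """Login attempts (successful or not) by vendor accounts outside their approved window.

    Returns (user, timestamp, result) tuples in log order. Failed attempts are kept
    because a failed login from a closed vendor account is itself worth a look.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        account = accounts.get(event.get("user"))
        if account is None or event.get("action") != "login":
            continue
        start, end = parse_ts(account["window_start"]), parse_ts(account["window_end"])
        if not start <= event["ts"] <= end:
            findings.append((event["user"], event["ts"].strftime(TS_FORMAT), event.get("result", "")))
    return findings


def overdue_for_disable(accounts, now_text):
    """Vendor accounts whose window has closed but which are still enabled as of `now_text`."""
    now = parse_ts(now_text)
    return sorted(
        user for user, account in accounts.items()
        if not account["disabled"] and parse_ts(account["window_end"]) < now
    )


if __name__ == "__main__":
    print("out-of-window logins:", out_of_window_logins(VENDOR_ACCOUNTS, AUTH_LOG))
    print("still enabled past window:", overdue_for_disable(VENDOR_ACCOUNTS, "2017-07-13T00:00:00Z"))
```

In the constructed data, vendor-acme's account was never disabled after its engagement day and was used again two nights later from a different address; vendor-globex's account was disabled on time, so the later login attempt failed, which is the outcome the disablement control is meant to produce.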

Know your Incident Response Plan

While organizations spend so much time focusing on how to keep malicious attackers at bay, sometimes they can overlook what they should do in the event of a breach actually occurring. Incident response plans are not only important when it comes to dealing with a flood or power outage. Don’t be caught with your sails down if your organization is compromised; ensure you have a fully developed incident response plan that has been both documented and tested. Organizations should have a designated team that is available 24/7 to handle any type of security incident. These teams must be fully aware of their responsibilities in the event of a data breach and undergo regular training. Here are the six steps of an incident response plan:

  1. Preparation
  2. Detection & Identification
  3. Containment
  4. Remediation
  5. Recovery
  6. Lessons Learned

In today’s cyber threat landscape, we’re swimming with sharks. So, remember, when compliance isn’t enough, focus on hardening your systems and fully developing your information security program. It’s never too late to re-think your organization’s security posture. If you’d like help with your security program or would like to see where your security posture currently stands, contact us today.

More Resources

SOC 2 Academy: Testing Your Incident Response Plan

Risk Assessment Checklist – 5 Steps You Need to Know

10 Ways to Conduct Patch Management