Independent Audit Verifies PCI Compliance and Internal Controls and Processes

Petaluma, Calif. (July 17, 2017) — Optio Solutions, a national debt collection agency, has completed its annual PCI and SOC 1 Type II audit. These reports verify that Optio Solutions not only adheres to the Payment Card Industry Data Security Standard, but also has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Optio Solutions’ controls that are relevant to the storing and transmitting of information from credit, debit or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted Optio Solutions in becoming PCI compliant.

“Many of Optio Solutions’ clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, managing partner with KirkpatrickPrice. “As a result, Optio Solutions has implemented best practice controls required by their customers to address information security and compliance risks.”

The PCI Data Security Standard is a complex security standard that focuses on security management, policies and procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores, or transmits information from a payment card.

“The annual PCI DSS and SOC 1 Type II audit underlines our commitment to protecting clients’ brands with a high level of data security,” said Optio Solutions President and CEO Chris Schumacher.

KirkpatrickPrice also performed the audit and appropriate testing of Optio Solutions’ controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Optio Solutions’ controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). This report is prepared in compliance with the SSAE 18 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The report demonstrates that an organization has adequate controls and processes in place.

About Optio Solutions, LLC

Optio Solutions, LLC is a national debt collection agency focused on protecting its clients’ brands and improving ROI via extensive financial services experience, advanced technology, certified data security, legal compliance and professionally designated staff. Optio is a member of ACA International and the California Association of Collectors.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more info, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.


Why Do You Need a HITRUST CSF Certification?

Have you just received “the letter” from a top client indicating you must become HITRUST CSF Certified within “X” months? Did your boss just ask you for a project timeline on how long it would take to become HITRUST CSF Certified? Do you need to know how to become HITRUST CSF Certified in order to stay competitive in the healthcare market? Are you looking for a way to demonstrate compliance with the HIPAA Security Rule? Are you a business associate in the healthcare industry that keeps hearing about HITRUST CSF, but you’re not sure what it is or what it means to be compliant? If any of these apply to you, then this is the webinar for you! Download the full webinar to hear Jessie Skibbe’s expertise on HITRUST CSF requirements.

Who is HITRUST?

HITRUST is a not-for-profit organization founded in 2007, “born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST partners with public and private healthcare technology, privacy, and information security leaders. HITRUST develops, maintains, and provides broad access to its common risk and compliance management frameworks.

What is HITRUST CSF?

The HITRUST CSF is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The framework was developed to provide a solution to increasing regulatory scrutiny, increasing risk and liability associated with data breaches, inconsistent implementation of minimum controls, and the rapidly changing business, technology, and regulatory environment. It is a healthcare industry standard that was built from what works within other standards and authoritative sources, such as ISO 27001/27002, HIPAA, PCI DSS, and NIST 800-53, just to name a few. It was also built on risk management principles. It aligns with existing, relevant controls and requirements, and it scales depending on organizational, system, and regulatory factors.

How do you get started?

  1. Familiarize yourself with the HITRUST CSF
  2. Select the assessment type and report option that is right for your organization
  3. Put together a project plan and assemble a team
  4. Contact HITRUST
  5. Engage with an approved HITRUST CSF Assessor who will fit your project plan

Have questions about HITRUST CSF requirements? Contact our team to have them answered. KirkpatrickPrice can assist you with SOC 2, SOC 2 +, SOC 2 + HITRUST CSF Certification, HITRUST CSF Certification, Assisted HITRUST CSF Self-Assessment, Policy and Procedure drafting, guided Risk Analysis, and general guidance/consulting.

In this webinar hosted by LockPath, Jeff Wilder discusses the importance of incident response and the steps your organization can take to create an Incident Response Plan. Wondering what incident response is? Incident response is a predetermined approach for identifying and addressing a security incident, which dictates the procedures to follow after detection in order to minimize the impact. Incident response planning is vital to your organization. Incidents that are not handled properly have the potential to cause catastrophic damage, and Incident Response Plans help prevent business interruption, revenue loss, and loss of customer trust.

There are several aspects you need to consider when developing your Incident Response Plan. Policies and procedures are the starting point; these documents should dictate the immediate steps to take following detection of an incident. Your organization also needs to put together an Incident Response Team, and your plan should be known and tested by all management and personnel. Incident Response Plans involve your organization’s legal team, human resources department, public relations team, customer service representatives, security team, IT department, and executive staff. Each of these team members has a role in responding to an incident.

The Six Steps of an Incident Response Plan:

  1. Preparation – How are we currently preparing for a security incident? What are we doing to prevent an incident? How are we limiting the impact of an incident? Have we tested our policies and procedures?
  2. Detection & Identification – How would we identify an incident? How do we report an incident? How do we detect malicious activity? Do we have a specific Incident Response Team?
  3. Containment – Have the appropriate personnel been notified? What evidence should be collected? Have we fully assessed the scope of the damage? How can we prevent further damage?
  4. Remediation – Do we have backups in place? Has a complete forensic analysis to determine the origin been performed? Have we cleaned the system? Can we make changes to prevent a repeat incident? How can we test the changes?
  5. Recovery – Have we securely restored the system? Do we have continuous monitoring in place to ensure the problem is resolved? Have we replaced any lost files from backups?
  6. Lessons Learned – What happened? What gaps can we now identify? Have we regained our customers’ confidence? Have we reviewed policies and procedures to prevent future attacks?

About LockPath

LockPath is a leader in integrated risk management solutions. Their suite of applications empowers companies to manage risk, demonstrate compliance, monitor information security, and achieve audit-ready status. Companies ranging from 10-person offices to Fortune 10 enterprises in over 15 industries address the Gartner IRM use cases with LockPath solutions. In 2017, they are expanding their application portfolio to provide more efficient and effective programs. Learn more at lockpath.com.

When Disaster Strikes, Will You be Prepared?

To ensure that operations remain up and running during hurricane, tornado, or rainy seasons, businesses must have a Disaster Recovery Plan that has been developed, tested, and is in place and known to all relevant parties. Hurricanes like Matthew and Sandy have devastated businesses over the last couple of years, and without a well-developed Disaster Recovery Plan, many businesses were left inoperable, damaging their revenue and reputation.

What is a Disaster Recovery Plan?

So, what is a Disaster Recovery Plan (DRP)? Disaster Recovery Plans define an organization’s processes for protecting and recovering its business in the event of a disaster, such as a hurricane, flood, tornado, power outage, etc. These documented sets of policies and procedures can be the lifeline of an organization following a disaster, and they determine how much loss of operations, reputation, and revenue the organization suffers. How will your organization stay running in the event of a disaster? Where will employees continue to carry out their work duties? How will incident response be communicated throughout your organization? These are the types of questions you should ask yourself when preparing for a potential disaster.

3 Steps for an Effective Disaster Recovery Plan

When it comes time to develop your Disaster Recovery Plan, there are three main steps to consider:

  • Business Impact Analysis: The first thing your organization should do when preparing your DRP is to conduct a Business Impact Analysis. This process allows you to review existing business continuity capabilities by evaluating the risk of business process failures, identify critical and necessary business functions and their resource dependencies, estimate the financial and operational impacts of a disruption and the required recovery timeframe for critical business functions, and assess the effectiveness of any existing risk reduction measures.
  • Strategy Selection: Once you’ve identified and prioritized critical functions for business continuity, the next step in the process is to determine which recovery strategy to move forward with. Identify a range of specific recovery strategies that address interruptions of business processes, identify the computing resources that are required to recover the various distributed processing environments, and document alternative recovery strategies.
  • Disaster Recovery Plan Documentation: It’s time to create your physical plan for responding to a potential disaster. This plan should include the following:
  1. Emergency notification and disaster declaration procedures
  2. Recovery team procedures
  3. Facility and business restoration procedures
  4. DRP testing and maintenance cycles
  5. Appendices for master contact lists, equipment inventories, connectivity schematics, etc.

Once you’ve developed, tested, and disseminated your Disaster Recovery Plan, you can rest assured that you’ll be prepared if disaster strikes. For additional help on disaster recovery planning or for help with determining the effectiveness of your current Disaster Recovery Plan, contact us today.


Independent Audit Verifies Terrier Claims Services’ Internal Controls and Processes

Pleasantville, NY – April 2017 – KirkpatrickPrice announced today that Terrier Claims Services, a full-service insurance investigations firm, has received its SOC 2 Type I attestation report. The completion of this engagement provides evidence that Terrier Claims Services has a strong commitment to delivering high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Terrier Claims Services’ controls to meet the criteria for these principles.

“Terrier Claims Services continues to be the best solution for claims investigation services. Now, with KirkpatrickPrice as our auditor and the SOC2 certification, our clients can rest assured that their data is retained in a secure environment. Terrier Claims Services is the only SOC2 certified regional investigation company in the Northeast,” said Dan Sullivan, President of Terrier Claims Services.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. Terrier Claims Services has selected the security principle as the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “Terrier Claims Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Terrier Claims Services’ controls.”

About Terrier Claims Services

Founded in 1996 by brothers Dan and Edward Sullivan, Terrier Claims Services (TCS) is a full-service claims investigation firm dedicated exclusively to insurance defense, third party administrators, defense attorneys and government agencies.

The company’s mission is a simple one: deliver a consistent, high-quality service at a fair price while maintaining the highest ethical standards.

Terrier Claims Services was established to create a new model of effectiveness, efficiency and excellence in an industry where adequate performance is not enough. We separate ourselves from other firms by combining cutting-edge computer tracking and processing technology with aggressive instinct to produce the ultimate end-product: results. Terrier Claims is excited at the prospect of demonstrating our abilities and exceeding the highest expectations.

Our investigations are customized to suit specific needs and are aggressively pursued to an economical and efficient disposition. Our extensive experience ensures creative solutions to even the most challenging investigations and claims. Experts in Construction, Mass Transit, Workers’ Compensation, Liability, Medical Malpractice and Property claims investigation, our team is prepared to assist from incident to resolution with investigation, emergency response investigation, desktop background investigations, surveillance, trial preparation and property adjusting. Our services are available 24 hours a day, seven days a week. www.terrierclaims.com

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more info, visit www.kirkpatrickprice.com.