Tampa, FL – June 2017 KirkpatrickPrice, a licensed CPA firm, PCI QSA firm, and HITRUST CSF Assessor, announced that it will host a new webinar series, HITRUST: A Business Associate’s Guide to Compliance.

KirkpatrickPrice’s mission is to educate, empower, and inspire clients to greater levels of assurance; that is the purpose of this webinar series. KirkpatrickPrice will teach attendees how to navigate the HITRUST CSF, provide guidance, and eliminate some of the confusion surrounding HITRUST CSF certification. The series will cover topics such as the history of HITRUST, the basics of the framework, what it means to be HITRUST CSF certified, the options for HITRUST CSF assessments and reports, how to prepare for the assessment, and strategies for maintaining compliance.

The sessions will take place on June 29, July 27, and August 24. If you’re interested in joining this series, registration is now available.

Jessie Skibbe, VP of Strategic Development and Chief Compliance Officer at KirkpatrickPrice, will be the speaker for HITRUST: A Business Associate’s Guide to Compliance. In her role at KirkpatrickPrice, Skibbe focuses on helping clients meet regulatory compliance and information security objectives. Skibbe, a certified CSF Practitioner, holds CCCO, CISSP, CRCP, CISA, ACA International Scholar, and ACA Certified Instructor designations.

KirkpatrickPrice was recently designated HITRUST CSF Assessor by HITRUST. With this achievement, KirkpatrickPrice can now provide services using the HITRUST CSF, a comprehensive security framework that addresses a multitude of security, privacy, and regulatory challenges facing organizations in order to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT), government (NIST, FTC), and other industry-specific regulations and standards.

HITRUST CSF adds to KirkpatrickPrice’s information security and compliance assurance services, which include the SOC 1, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. KirkpatrickPrice is also a licensed CPA and PCI QSA firm, registered with the PCAOB. The firm provides assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. KirkpatrickPrice has over 11 years of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and internal controls. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Tampa, FL – June 2017 KirkpatrickPrice, a licensed CPA and PCI QSA firm providing information security and compliance services, today announced that it has been designated as a HITRUST CSF Assessor by HITRUST. With this achievement, KirkpatrickPrice is now approved to provide services using the HITRUST CSF, a comprehensive security framework that addresses a multitude of security, privacy, and regulatory challenges facing organizations in order to comply with healthcare (HIPAA, HITECH), third-party (PCI, COBIT), government (NIST, FTC), and other industry-specific regulations and standards.

CSF Assessors are critical to upholding information security and privacy standards across industries. They are a core component of the HITRUST CSF program, providing trained resources to assess compliance with security control requirements and to document corrective action plans that align with the HITRUST CSF. HITRUST CSF Assessors such as KirkpatrickPrice serve the program by providing assessment and remediation services to all industries that handle PHI and/or PII.

Jessie Skibbe, VP of Strategic Development and Chief Compliance Officer at KirkpatrickPrice, led the firm through the HITRUST CSF Assessor process and will lead HITRUST CSF services at KirkpatrickPrice. In her role at KirkpatrickPrice, Skibbe focuses on helping clients meet regulatory compliance and information security objectives. Skibbe, a certified CSF Practitioner, also holds CCCO, CISSP, CRCP, CISA, ACA International Scholar, and ACA Certified Instructor designations.

“Given our mission to educate, empower, and inspire our clients to greater levels of assurance by partnering with them to achieve challenging compliance goals, we feel the structure and scalability of the HITRUST CSF directly aligns with our objectives,” said Skibbe. “As a licensed CPA firm, we’ve been working with the HITRUST CSF for some time now within our SOC 2 reports, so taking the next step and becoming a CSF Assessor Firm just made sense. We are pleased to include an additional level of service to meet our clients’ multi-audit needs.”

“We are pleased to have KirkpatrickPrice as a CSF Assessor to help organizations with the process of adopting and utilizing the HITRUST CSF’s requirements and give their customers confidence in the protection of their information,” said Ken Vander Wal, Chief Compliance Officer, HITRUST. “The company’s long-standing expertise and leadership in IT privacy and security solutions make it a perfect addition to our program.”

HITRUST CSF adds to KirkpatrickPrice’s information security and compliance assurance services, which include the SOC 1, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. KirkpatrickPrice is also a licensed CPA and PCI QSA firm, registered with the PCAOB. The firm provides assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. KirkpatrickPrice has over 11 years of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and compliance controls. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards form a set of rules and guidelines that focus solely on physical access to ePHI.

Stephanie Rodrigue discusses the HIPAA Physical Safeguards

What are Physical Safeguards?

According to the Security Rule, physical safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may differ and should be derived from the results of its HIPAA risk analysis.

The physical safeguards comprise four standards:

Facility Access Controls

These policies and procedures should limit physical access to ePHI to what is necessary and authorized. Common controls include locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls can include employee ID badges and visitor badges.

Workstation Use

Workstation use covers the appropriate use of workstations, such as desktops or laptops. These policies and procedures should specify which functions may be performed on workstations, how they should be performed, and how the workstations are physically secured.

Workstation Security

Workstation security consists of the physical safeguards that keep unauthorized users from accessing workstations that hold or can reach ePHI.

Device and Media Controls

Device and media controls are policies and procedures that govern how hardware and electronic media containing ePHI enter or exit the facility. These controls must address disposal, media reuse, accountability, and data backup and storage.

How to Satisfy the HIPAA Physical Safeguard Requirements?

To satisfy this requirement, organizations must demonstrate that they have the appropriate physical safeguards in place and that those safeguards are operating effectively. For help determining whether your organization has the proper controls in place, contact us today.

The Security Rule requires that you have physical controls in place to protect PHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.

When we talk about physical controls, some of it’s really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about prevention of the physical removal of PHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.

History of the SOC 2 Trust Services Principles

The Service Organization Control 2 (SOC 2) Report focuses on non-financial controls at an organization as they relate to security, availability, processing integrity, confidentiality, and privacy. These five areas are known as the Trust Services Principles (TSPs). In 2014, the SOC 2 Trust Services Principles were updated, and one of the major changes was to the SOC 2 Security Principle. This change introduced the Common Criteria and helped to eliminate the overlap between the TSPs. Before this update, many SOC 2 reports repeated the same controls over and over to address the overlapping requirements of the different principles. Since the 2014 update, the Common Criteria apply to all SOC 2 audit reports.

What is the SOC 2 Security Principle?

The SOC 2 Security Principle is a must, and should be included in any non-privacy SOC 2 engagement. The Security Principle now consists of Common Criteria that apply to all TSPs within the audit report, and includes the following seven categories:

  • Organization and Management: How is your company structured? How do you oversee the services your organization performs?
  • Communication: How do you communicate to your internal and external users about how your system works? How do you communicate policies, procedures, and expectations to authorized users and other parties?
  • Risk Assessment and Risk Management: How are you implementing controls to manage known risks? How do you select the controls that are put in place to meet the criteria? A risk assessment must be performed in order to determine what controls are necessary to address the risks that your organization is dealing with.
  • Monitoring: Monitoring is a follow up to risk management. Once you’ve put a control in place, how are you monitoring it to know that it is operating effectively and appropriately addressing the risk? Do any changes or remediations need to be made?
  • Physical and Logical Access: How do you control access to sensitive data and systems within your organization? You should be implementing physical controls, such as a card reader or a lock and key on the door to an area that contains sensitive information. You should also be implementing logical controls, such as passwords or other requirements for identifying a user before they are authorized to access a system.
  • System Operations: This criterion deals with how your organization manages day-to-day processes and procedures. This includes what you do on a daily, weekly, and monthly basis to execute your services.
  • Change Management: Lastly, when you have to make changes to your system or services, how are these changes being documented? How are you testing those changes and addressing any new risks that may be associated with these changes? How are they approved prior to making the change in your environment?

All organizations should review these Common Criteria before being audited against the SOC 2 Security Principle, and the corresponding controls must be in place for your auditor to review. For more information on preparing for your SOC 2 audit or help with meeting these Common Criteria, contact us today.

In 2014, the SOC 2 Trust Services Principles were updated and one of the major modifications is the Security Principle, which is really referred to now as having the common criteria for all of the Trust Services Principles within the SOC 2 Audit Report. What that means is that everything was condensed, all of the redundancies were taken out of the process, so that we could focus on this common criteria that applies to any of the Principles, so that a Service Organization would not have to repeat themselves over and over again throughout the report. The Security Principle is a “must” to have in your SOC 2 Audit Report because of that common criteria. It has to be included in a non-Privacy Principle SOC 2 audit engagement.

There are 7 categories within the Security Principle. There is Organization and Management – how is your company structured? How do you oversee the services that you perform? Communication – how do you communicate to internal and external users about how your system works? How do you communicate about policies and procedures and expectations? Risk Assessment and Management of Risk through the implementation of controls – how does your organization select the controls that you put in place to meet the criteria? It has to be done through some type of Risk Assessment in order to determine what kind of controls are necessary to address the risk that you are dealing with. The thing that follows up to that is the Monitoring of Controls – once you put a control in place, how do you monitor it to make sure that it’s effective and that you don’t need any changes or remediation if the control becomes ineffective? That’s done through Monitoring. There’s also Logical Access and Physical Access to sensitive information and systems – how do you control access like entering from a door into a sensitive area that may be controlled by some type of a card reader or lock and key? And also Logical Access – are there passwords? Are there requirements for identifying the user before they access the system? And then also, we’ve got System Operations, which has to do with your day-to-day processing – what are your procedures? What do you do on a daily, weekly, and monthly schedule in the execution of your services? And lastly, we’ll be looking at Change Management, which is when you have to make changes to your system or your service that you’re providing, how do you document those changes? How do you test them? How do you evaluate the risk? How do you prove them in order to make sure that those changes are well-documented and approved prior to making the change in the environment?

So these are some areas to think about as you prepare to be audited against the Security Principle, because that criteria will be very important to have in place for your auditor to review.

Independent Audit Verifies Gulf Management Systems’ PCI Compliance

Clearwater, FL – May 2017 – Gulf Management Systems, an electronic payment solutions firm, today announced that it has completed its PCI audit and received its Report on Compliance (RoC). The report verifies that Gulf Management Systems adheres to the Payment Card Industry Data Security Standard and has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and the appropriate testing of Gulf Management Systems’ controls relevant to the storage and transmission of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted Gulf Management Systems in becoming PCI compliant.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores, or transmits information from a payment card.

Gulf Management Systems offers versatile and secure credit card and ACH payment processing for all business types throughout the Tampa Bay area.

“Many of Gulf Management Systems’ clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Gulf Management Systems has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the accounts receivables management services provided by Gulf Management Systems.”

About Gulf Management Systems

Gulf Management Systems has provided local businesses and non-profits in Pinellas County competitively priced payment processing solutions since 1992. They have always believed in a personalized customer experience and making their clients their top priority. Their Donor BOO$T program has served the community for many years, offering non-profits donation collection tools and exposure.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on the SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.