Tampa, FL – April 25, 2017 – KirkpatrickPrice, a licensed CPA and PCI QSA firm, today announced it has published an exclusive video series, PCI Demystified. This video series provides viewers with a step-by-step journey through each of the 12 requirements of PCI DSS version 3.2. Requirement 1 has been published and is available now for online viewing.

PCI Demystified will walk viewers through the PCI DSS version 3.2, diving into each requirement and sub-requirement, giving viewers a full picture of what their organization needs to do to complete a PCI DSS audit and receive a Report on Compliance (PCI ROC). This video series is intended to provide free educational training on the latest version of the PCI DSS, v3.2. Episodes will cover all six of the subject areas, including the 12 main requirements. Subscribe to KirkpatrickPrice’s YouTube Channel or blog to stay up-to-date on PCI Demystified.

Jeff Wilder, Director of PCI Services at KirkpatrickPrice, will be the guide through this in-depth study of the PCI Data Security Standard. Jeff Wilder has over 15 years of experience in information security. Prior to joining KirkpatrickPrice, Jeff was a trainer for the PCI Security Standards Council, where he was responsible for educating individuals working towards becoming PCI Qualified Security Assessors (QSA). In his role as Director of PCI Services, Jeff is responsible for all aspects of PCI services. His certifications include: PCI Qualified Security Assessor (QSA), ISC2 Certified Information Systems Security Professional (CISSP), ISC2 Information Systems Security Architecture Professional (ISSAP), ISC2 Information Systems Security Management Professional (ISSMP), and ISACA Certified Information Systems Auditor (CISA).

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant, service provider, or subservice provider that uses, stores, or transmits information from a payment card. The PCI DSS was jointly developed by the payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Its purpose is to ensure that all of the data that lives within the Cardholder Data Environment (CDE) is protected and secured from theft or unauthorized use. The current version, PCI DSS 3.2, has approximately 394 controls, 6 control objectives, and 12 major subject areas.

KirkpatrickPrice is a licensed CPA firm and PCI QSA firm, providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance by performing assessments, audits, and tests that strengthen information security and compliance controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Independent Audit Verifies Marketing Vitals’ Internal Controls and Processes

Plano, TX – April 12, 2017 – KirkpatrickPrice announced today that Marketing Vitals, a cloud-based restaurant intelligence company, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that Marketing Vitals has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Marketing Vitals’ controls to meet the criteria for these principles.

“We are very proud to have received the SOC 2 Type attestation report,” said Rom Krupp, CEO of Marketing Vitals, a game-changing analytics software for restaurants of all shapes and sizes.

“This certification further enhances the integrity of the Marketing Vitals platform and the service we provide to our customers.” The award-winning technology enables restaurant owners, consultants, and the C-suite of national and international restaurant franchises to pinpoint what’s working in their organization and what isn’t.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. Marketing Vitals has selected the security, availability, processing integrity, and confidentiality principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “Marketing Vitals delivers trust based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Marketing Vitals’ controls.”

About Marketing Vitals

Marketing Vitals is an award-winning, innovative company that offers game-changing analytics software for restaurants of all shapes and sizes. Their software enables restaurant owners, consultants, and the C-suite of national and international franchises to pinpoint what’s working in their organization and what isn’t. It provides analysis and enables optimal functioning of everything from employee performance to menu items to seasonal specials. Marketing Vitals has received four prestigious BIG awards from the Business Innovative Group and received the SOC 2 Type II Attestation Report, which verifies their internal controls and processes through an independent audit based on AICPA’s Trust Services Principles. For more info, please visit: www.MarketingVitals.com

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

Understanding a Key Management Program

The purpose of this presentation is to give you a foundation of understanding encryption. This webinar will not delve into the math involved, but rather, you will learn about the different types of encryption, key management basics, algorithm uses, and encryption attacks.

First, let’s define and discuss symmetric versus asymmetric encryption. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic key for both encryption of plaintext and decryption of ciphertext. Asymmetric algorithms use different keys for encryption and decryption, and are a form of encryption where keys come in pairs. Usually, but not necessarily, if key A encrypts a message, then key B can decrypt it, and if key B encrypts a message, then key A can decrypt it. By listening to the presentation, you will hear examples of how these different algorithms function.

We believe best practices for a key management program include:

  • Fully document your encryption key management program
  • Generate strong keys
  • Ensure secure key distribution
  • Protect keys in storage, for example by wrapping them under a key-encrypting key (KEK)
  • Do not encrypt new data with retired encryption keys
  • Replace keys when they are weakened or suspected of a compromise
  • Prevent unauthorized key substitution

Cryptoperiods are a major topic in key management. This webinar discusses risk factors that affect cryptoperiods, like the security life of the data and the strength of the cryptographic mechanisms. When we discuss cryptoperiods, we use the NIST Special Publication 800-57 definition, under which a suitably defined cryptoperiod:

  • Limits the amount of information protected by a given key that is available for cryptanalysis
  • Limits the amount of exposure if a single key is compromised
  • Limits the use of a particular algorithm to its estimated effective lifetime
  • Limits the time available for attempts to penetrate physical, procedural, and logical access mechanisms that protect a key from unauthorized disclosure
  • Limits the period within which information may be compromised by inadvertent disclosure of keying material to unauthorized entities
  • Limits the time available for computationally intensive cryptanalytic attacks (in applications where long-term key protection is not required)
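As an added example that is not part of the webinar or KirkpatrickPrice’s material, the following Go program sketches a small key manager that applies several of the practices above: data-encrypting keys are stored only wrapped under a KEK with AES-GCM, the key ID is bound as associated data so an unauthorized key substitution fails to unwrap, a key past its cryptoperiod is retired and may no longer encrypt new data, and a key marked compromised is replaced at the next encryption. The key ID format, the state names, and the cryptoperiod length are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)
// KeyState records where a data-encrypting key (DEK) is in its cryptoperiod.
type KeyState int
const (
	Active      KeyState = iota // may encrypt new data and decrypt existing data
	Retired                     // cryptoperiod ended: decrypt existing data only
	Compromised                 // suspected compromise: decrypt only, so data can be re-encrypted
)

// WrappedKey is a DEK as stored: only AES-GCM-wrapped under the KEK, with its ID bound as
// associated data so a blob substituted from another record fails to unwrap (assumed format).
type WrappedKey struct {
	ID          string
	Nonce, Blob []byte
	State       KeyState
	Created     time.Time
}

type KeyManager struct {
	kek          cipher.AEAD // the KEK lives only in memory, never beside the wrapped DEKs
	Cryptoperiod time.Duration
	Keys         map[string]*WrappedKey
	ActiveID     string
}

func NewKeyManager(kek []byte, cryptoperiod time.Duration) (*KeyManager, error) {
	block, err := aes.NewCipher(kek) // the KEK must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return &KeyManager{kek: aead, Cryptoperiod: cryptoperiod, Keys: map[string]*WrappedKey{}}, nil
}

// Rotate draws a fresh 256-bit DEK and nonce from the OS CSPRNG, wraps the DEK and retires the old key.
func (km *KeyManager) Rotate(now time.Time) (string, error) {
	buf := make([]byte, 32+km.kek.NonceSize()) // buf[:32] is the DEK, the rest the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := fmt.Sprintf("dek-%d", len(km.Keys)+1)
	if old, ok := km.Keys[km.ActiveID]; ok && old.State == Active {
		old.State = Retired // still usable for decryption, never again for new data
	}
	km.Keys[id] = &WrappedKey{ID: id, Nonce: buf[32:], State: Active, Created: now,
		Blob: km.kek.Seal(nil, buf[32:], buf[:32], []byte(id))}
	km.ActiveID = id
	return id, nil
}

// DecryptingKey unwraps any key by ID (retired or compromised included) so existing data stays readable.
func (km *KeyManager) DecryptingKey(id string) ([]byte, error) {
	if w, ok := km.Keys[id]; ok {
		return km.kek.Open(nil, w.Nonce, w.Blob, []byte(w.ID)) // fails on a tampered or substituted blob
	}
	return nil, fmt.Errorf("unknown key id %q", id)
}

// EncryptingKey returns the key for NEW data, rotating first if the active key expired or is not Active.
func (km *KeyManager) EncryptingKey(now time.Time) (string, []byte, error) {
	if w, ok := km.Keys[km.ActiveID]; !ok || w.State != Active || now.Sub(w.Created) >= km.Cryptoperiod {
		if _, err := km.Rotate(now); err != nil {
			return "", nil, err
		}
	}
	dek, err := km.DecryptingKey(km.ActiveID)
	return km.ActiveID, dek, err
}
```

The raw DEKs returned here would be used by the data-encryption layer and discarded; only the wrapped records and the key states are persisted.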

The webinar discusses algorithms such as block ciphers, stream ciphers, Data Encryption Standard (DES), Triple DES, RSA, Blowfish, AES, and Twofish. Listen to the full presentation to hear Jeff Wilder introduce topics such as disk encryption, encryption attacks, and the Q&A portion. For more information on encryption and key management, contact us today.

Congratulations! You’ve completed your initial comprehensive HIPAA risk analysis, no easy task. You’ve gone through the process and planned for and scoped your environment. You’ve identified your risks, threats, and vulnerabilities, and all of the associated requirements necessary to conduct and complete a HIPAA risk analysis. So, now what? Let’s focus on five important steps for using your HIPAA risk analysis: Internal Reporting, Management Responsibilities, Corrective Action, Monitoring, and Auditing.

5 Important Steps for Using your HIPAA Risk Analysis

Internal reporting, management responsibilities, and corrective action are directly related to a risk analysis process, while monitoring and auditing are required for any information security program and indirectly serve your risk analysis process. Let’s take a look at each of these important steps for completing your HIPAA risk analysis.

1. Internal Reporting

Once you’ve completed the process of identifying your threats and vulnerabilities, potential impact, likelihood of occurrence, controls in place, recommendations, and all of the elements necessary for conducting your risk analysis, you need to know what to do with all of that information, specifically the report format. Your report format should include a high-level summary of your risk analysis process. This summary should show internal and external stakeholders what you did and how you did it in a way that can be independently verified. Your report should frame what could be a confusing and complex collection of information in a way that can be easily understood and recreated. This report is important to operational units who may be responsible for implementing the recommendations resulting from the risk analysis, and to external auditors, whether from your clients, a third party you’ve hired, or the federal government. A high-level report can go a long way toward an auditor’s understanding of whether your risk analysis met the standards required in the HIPAA Security Rule.

A second item that is useful to include in your internal reporting, though not required, is your organization’s top findings. This can give a visual representation of your risks, not including all threat-level detail, but communicating the likelihood and impact of a particular risk and giving a comparative depiction of how a particular risk compares to other risks.

Another item that should be included in your risk analysis report is your recommendations. At this point, we’re discussing enterprise and project-level recommendations, not threat or vulnerability-level recommendations. These recommendations should include next steps, such as management approval, corrective action, auditing, and monitoring, including a description of how those activities should go forward based on your risk analysis.

Additional documentation should include any appendices and reference materials: any supplemental information that will be useful to internal and external stakeholders in understanding your HIPAA risk analysis. Lastly, be sure to include your actual HIPAA risk analysis and documentation of your threats and vulnerabilities, asset list, threat list, and policy list.

2. Management Responsibilities

The guiding standard for responding to risk is “reasonableness”. Specifically, we are required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” to comply with HIPAA laws. As you present your risk analysis and recommendations to management, it’s important to constantly think along the lines of what is reasonable and appropriate. There is always the potential for management to receive a risk analysis and be immediately overwhelmed by the number of things being recommended to become HIPAA compliant. Our goal isn’t perfection; it is determining how we can reasonably and appropriately mitigate risk. For example, a recommendation may be to utilize a proprietary software solution to mitigate a particular threat or vulnerability. This software solution costs three times your annual revenue, only reduces risk by 3%, and takes three years to develop and implement. In this instance, this is not a reasonable or appropriate recommendation. Another recommendation may be to implement a quarterly logical access review for an organization comprised of fewer than 100 employees. This process would take less than 15 hours each year to complete, would reduce risk by 50%, and can be immediately implemented. In this instance, this is an appropriate and reasonable method for reducing risk.

When evaluating and responding to risk, management has four ways of doing so. First, they can accept the risk. If a cost-benefit analysis determines that the cost to mitigate a risk is unreasonable and inappropriate, the best response (and a compliant one) is to accept and continually monitor the risk. Another way management can respond to a risk is to transfer the risk, for example to a business associate. A risk with a low probability of occurring that may have a large financial, regulatory, or reputational impact on the organization may be best met by transferring the risk to a third party. A third way that management can respond to risk is to mitigate the risk. This is the best response for activities with a high likelihood of occurrence but a low impact. Mitigation is going to be the bulk of the recommendations for your risk analysis follow-up. This requires changing or increasing controls. The final way to respond to risk is to avoid the risk altogether. This is most appropriate for activities that have a high likelihood of loss and a high likelihood of occurrence. An example of a risk that can be avoided is that of a stolen or lost laptop containing ePHI. This risk can be avoided by deciding that laptops will no longer be used to access ePHI, or that those devices are no longer able to leave the building. Find an alternative way to provide these services without exposing yourself to a particular risk. At the end of this process, management will go through the documentation review and approval. Management’s approval needs to be thoroughly documented.

3. Corrective Action

A HIPAA risk analysis is a great tool that can serve as a compliance roadmap. It can show you where you have the most exposure and what steps provide the greatest reduction of risk, and it can assist with budget requirements. The risk analysis should include control recommendations that are specific and were identified and documented during the analysis phase, and include best practices for categorizing your control recommendations from a cost perspective, a benefit perspective, and the time it would take to implement. This step in using your HIPAA risk analysis will be very specific to your unique organization and can be based on a number of factors, such as the size of your organization, the services provided, and the amount of ePHI that you have access to. Your corrective actions and control recommendations should prioritize the next steps that should be taken in further maturing your organization’s security posture.

4. Monitoring

Once you’ve completed the corrective action stage, you’ve completed all the steps directly related to your risk analysis. Using your risk analysis and all the resources that you have created during the process can help you to develop a risk-based security management system. If you’ve already identified your areas of greatest risk, it often makes sense to increase your monitoring activities in order to appropriately address those areas. Ways you can do this include increasing the frequency and the intensity of evaluation. There are certain types of controls you can use to monitor your risks. These include diagnostic controls, boundary controls, and belief systems. A diagnostic control is a reporting tool used to communicate that certain activities are happening when they’re supposed to happen and in the way they were designed to occur. Boundary controls are solutions that constrain certain activities: not just by alerting you to an activity, but by impacting and influencing activities. These can include role-based access, multi-factor authentication, password management, and encryption sanctions. Lastly, belief systems are part of the culture of compliance concept. This includes employee security training, an important aspect of ensuring that your responsibilities under HIPAA laws are appropriately taken care of.

5. Auditing

The final step in using your HIPAA risk analysis is your auditing process. There is often confusion between monitoring and auditing. Monitoring is a review of the information provided by an operational unit, whereas auditing is an independent assessment of activities performed by someone outside the operation. When auditing your risk analysis, you should be testing your risk analysis controls for their existence and their effectiveness. Assess that your controls are in place and that they are appropriate and operating effectively. This independent audit, in turn, can benefit you by laying the groundwork for future risk analyses.

Using your HIPAA risk analysis helps you to determine what you are going to do with the risk you have identified. It verifies that management has reviewed and agreed with the risk analysis process, and it also suggests how you can use this information to improve, whether through monitoring or auditing. If you need help with your HIPAA risk analysis process or understanding how to use the information established from your HIPAA risk analysis, contact us today.


Independent Audit Verifies Moonlight BPO’s Internal Controls and Processes, HIPAA Security Rule Compliance, and PCI Compliance

Bend, OR – April 2017 – Moonlight BPO, a business process outsourcing company, today announced that it has completed its SOC 1 Type II, SOC 2 Type II, HIPAA, and PCI audits. These attestations verify that Moonlight BPO has the proper internal controls and processes in place to deliver high quality services and a compliant information security control structure.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Moonlight BPO’s controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Moonlight BPO’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Moonlight BPO’s controls to meet the criteria for these principles.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is a national standard set for the protection of consumers’ Electronic Protected Health Information (ePHI). The ePHI that an organization manages must be protected from anticipated breaches by mandating a Risk Assessment and implementing appropriate Physical, Administrative, and Technical Safeguards. HIPAA laws are regulated by the Office for Civil Rights (OCR) and are meant to protect against unauthorized use and disclosure of ePHI. “We determined from our review that Moonlight BPO has good technical controls in place in accordance with industry-accepted standards, and appropriate physical and environmental controls, and is in compliance with all HIPAA Security Rule standards,” said Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice. KirkpatrickPrice’s independent audit determined that all access controls to ePHI stored on Moonlight BPO systems are in compliance with HIPAA requirements.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores, or transmits information from a payment card.

“Moonlight BPO has always tried to look ahead of our competition and do things differently. We stay ahead of the game with cutting edge software and equipment. For more than 10 years Moonlight BPO has invested heavily to remain in compliance with these key security standards long before many of our competitors, ensuring the security of our customer’s data.” – Brenda Grigsby, Owner, Moonlight BPO

“Many of Moonlight BPO’s clients rely on them to protect consumer information,” said Kirkpatrick. “As a result, Moonlight BPO has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Moonlight BPO.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Moonlight BPO

Moonlight BPO is a high security outsource vendor for printing, mailing and document management. We have been serving our customers’ needs since 1985. We have over 100 customers from the municipal/government, medical, financial, gaming/hospitality and other private/non-profit industries. Our headquarters are located in Bend, Oregon with all work performed in house. www.moonlightbpo.com
