Independent Audit Verifies Weltman, Weinberg & Reis Co., LPA’s Internal Controls and Processes and Information Security Control Structure

Cleveland, OH – March 21, 2017 – Weltman, Weinberg & Reis Co., LPA (WWR), a full-service creditors’ rights law firm now in its 87th year of client service, announced today that it has completed its SOC 1 Type II, SOC 2 Type II, and ISO 27001 audits. These audits verify that WWR has the proper internal controls, processes, and information security control structure in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of WWR’s controls. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes WWR’s description of controls, as well as the detailed testing of its controls over a minimum six-month period. These controls are important, as they may affect clients’ financial statements.

“Many of WWR’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, they have implemented ‘best practice’ controls required by their clients in order to address information security and compliance risks. Our third-party opinion validates these controls, and the tests we perform provide assurance regarding the managed solutions provided by WWR.”

The SOC 2 audit is based on the Trust Services Principles and Criteria. WWR has selected the security, availability, processing integrity, confidentiality, and privacy principles for the basis of their audit. The completion of this engagement provides evidence that WWR has a strong commitment to deliver high quality services to its clients, by demonstrating they have the necessary internal controls and processes in place.

“WWR delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on the Firm’s controls,” said Kirkpatrick.

KirkpatrickPrice also performed an independent review of WWR’s information security control structure and determined the organization’s compliance with ISO 27001. The review determined that WWR has implemented adequate administrative, physical, and technical controls to address their security risks.

“ISO 27001 provides excellent guidance for developing an Information Security Management System,” said Kirkpatrick. “WWR’s audit against the ISO 27002 guidelines on information security controls demonstrates that a widely respected and international standard has been utilized to select controls as part of their own information security management practices.”

“Risk management and quality control are paramount at WWR, and are the main drivers for every process within the firm,” said Duane A. Borgman, Business Information Officer at WWR. “The key elements of our operations, including compliance, technology, and data security, are thoroughly scrutinized and run through checkpoints, both internally and externally, on a consistent basis. Our goal is to always ensure we operate in a manner that protects the firm, our clients, and their consumers, from any undue risk.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of WWR’s controls to meet the criteria for these principles.

ISO 27001 is a specification for an ISMS (Information Security Management System) standard. An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes. ISO 27001 creates and implements the most effective and efficient Security Management System for the organization. An international standard, the ISO 27001 applies controls from the following areas: Security Policy, Organization and Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communication and Operations Management, Access Control, Information Systems Acquisition, Information Security Incident Management, Business Continuity Management, and Compliance.

About Weltman, Weinberg & Reis Co., LPA

With more than 85 years of experience in the creditors’ rights industry, Weltman, Weinberg & Reis Co., LPA is a nationally-recognized, full-service collections firm with more than 75 attorneys and 650 total employees. They represent nearly every type of creditor, including some of the largest financial institutions in the U.S., in bankruptcy, consumer and commercial collections, litigation, and real estate default matters, with the strictest adherence to compliance and security standards and with a premium on reputation management. To learn more about their leadership in accounts receivable management, please visit www.weltman.com.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.


When you look at the threat landscape today and the organizations that have experienced a data breach (Target, Home Depot, Arby’s), they all have a common denominator – they were all compliant. They had been checking the boxes like they were asked to do. So, when it seems that compliance isn’t enough, how can we ensure that we are secure? Organizations today should use these examples as motivation to focus on maintaining a secure environment. If you’re secure, compliance will always fall into place. However, just because you’re compliant, doesn’t necessarily mean you’re secure. Let’s start the conversation by discussing best practices for managing our firewalls and routers, and essentially our networking gear as a whole. When it comes to managing firewall and router security, we will be focusing on three main areas: physical devices, running operating systems, and secure traffic rules.

Managing the Security of Physical Devices

Managing the security of a device goes much further than the device itself. Here are several elements of physical device management:

  • Establish a formal change control program. We, as an organization, need to be aware of any changes made to a system, whether it’s making a change to the Access Control List (ACL), installing a new operating system, or installing a new device. This program needs to be defined and documented in the policies and procedures.
  • Assign responsibility for the management of devices. Is someone with a trained eye and the proper credentials reviewing your firewall and router configurations? Are you monitoring whether your operating system is current and not susceptible to known vulnerabilities?
  • Define acceptable use policies and procedures for your assets. Are the rules you’ve established appropriate and required for your business? Are they secure? Those managing your assets should have training in that particular area and it must be necessary for them to perform their business function.
  • Define acceptable technologies and acceptable locations to place them in. We wouldn’t want to put a wireless device or wireless access point in the core of our environment and leave it unprotected. Established policies that define where it is appropriate to place a firewall or router are critical for managing the security of physical devices.
  • Perform periodic review of the configurations. As the industry changes, so does the risk posture. We need to constantly evaluate these network devices including the firewall, router, switches, and wireless access points (WAP) as the risks change on a daily basis.
  • Ensure that devices are physically secured from unauthorized access. It’s important to ensure that we’re physically securing these devices from any and all unauthorized access. If a hacker can get physical access to a device, it’s game over. At that point, they will have the ability to reset usernames and passwords, and gain physical and logical access to your assets.
  • Secure the cables that connect into and out of devices. Securing the cables that connect devices to and from the network is important to prevent unauthorized access such as port sniffing or a similar malicious attack. Be sure the controls you have in place take these cables into account.
  • Limit the ability to directly console the devices. With a network device, there are multiple ways to gain access. We need to make sure that anyone who needs access to certain assets to perform their job has access, but everyone else should be denied access. Access controls are essential for keeping people, whether outside or within the organization, who have no business accessing your assets from doing so.
  • Minimize out-of-band access points. Minimize any unnecessary exposure to assets by limiting out-of-band access points. Logging and monitoring traffic can help you know exactly who is accessing your network and what they’re doing.

Managing Operating System Security

When it comes to managing your firewall and router, it’s critical that you are properly managing your operating system. Here are several musts when it comes to managing operating system security.

  • Limit logical access. When looking at the operating system, we must limit logical access by applying a policy of least privilege.
  • Maintain a detailed set of hardening standards. This is a critical practice. Organizations must maintain a set of hardening standards, regardless of the organization’s size. It may be helpful to understand that the industry has already vetted the types of hardening controls that you should apply to your organization, so you don’t have to start from scratch. Ask yourself, “are my firewalls and routers up to standard?” A review of your firewall and router configurations should include reviewing standards such as NIST, SANS, NSA, etc.
  • Configure logging. From an audit perspective, we see this missing a lot in different environments. Your organization should be able to identify when any administrative changes have been made in order to determine if something is a security incident, or appropriate use.
  • Change the defaults. Always change vendor defaults. This means passwords and SNMP community strings should be set to complex values. Passwords should be at least 13 characters in length, both alpha and numeric, including both upper and lowercase. Password recovery should be disabled and the maximum login attempts should be no more than three.
  • Ensure strong encryption. There are numerous encryption protocols that are no longer considered secure. If you don’t know what you’re supporting, chances are you are supporting an insecure version. Disable web-based management if you aren’t using it, and if you are, validate that the certificate is strong and accepted (TLS v1.2). Disable telnet and other clear-text protocols and use SSH v3 where possible. It’s also best practice to establish a VPN.
  • Keep it updated. Update and patch your router and firewall with your operating system on a regular basis. You don’t always need to update your router and firewall just because there is a new operating system available, however, if the OS you’re running is found to have vulnerabilities, you should. Also, be sure to include all networking devices into your patching schedule.
  • Establish remote access console timeout. 15 minutes or less is a best practice when it comes to locking your workstation. This helps to prevent someone from performing malicious behavior on your machine when you are away from your desk.
  • Configure NTP. As part of your logging infrastructure, you should have your devices set up and configured to support NTP.
  • Establish log-on banner. As auditors, we rarely see this as a requirement, however this is a strong suggestion to be considered. There have been legal cases in the US in the past where a hacker gained access to a router and was found “not guilty” because the organization that was hacked did not have a banner visible that said, “If you are not authorized to access this site, you are trespassing and should disconnect immediately”.
  • Disable unused interfaces. Any unused interfaces should be disabled or removed. This minimizes your vulnerabilities and scope, and can keep someone from using that additional interface for a malicious attack.
  • Ensure that downloaded images are authentic. When you go to upload a new operating system, validate that the OS you’ve downloaded is authentic and hasn’t been compromised.
  • Restrict ICMP from untrusted interfaces. Restrict inbound and outbound ICMP from untrusted interfaces to reduce the opportunity for attack.
  • Enable anti-spoofing rules. Be sure to have anti-spoofing rules that prevent hackers from spoofing a source address so that traffic appears to come from your internal address range and is passed by your firewall and router.
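As an added example (not code from the original post), a small Python checker that applies several of the items above to a router or firewall configuration: default secrets and the 13-character password rule, clear-text management, NTP, the log-on banner, unused interfaces, telnet on the management lines and the 15-minute console timeout. It assumes an IOS-style text syntax; both configurations are constructed, one with the defaults left in and one hardened.

```python
# Added example: checks a router/firewall config against the hardening items above.
# Assumes IOS-style syntax; both configs are constructed, not from a real device.
import re

WEAK_CONFIG = """\
snmp-server community public RO
enable password cisco
ip http server
banner motd ^C Authorized use only. Disconnect immediately if not authorized. ^C
interface GigabitEthernet0/2
 description unused
line vty 0 4
 transport input telnet ssh
 exec-timeout 30 0
"""

HARDENED_CONFIG = """\
snmp-server community Kx9mPq2Lw7Rt4Zv RO
enable secret Tr7vB2nQ9xWp4Lm6
no ip http server
ntp server 10.0.0.5
banner motd ^C Authorized use only. Disconnect immediately if not authorized. ^C
interface GigabitEthernet0/2
 shutdown
line vty 0 4
 transport input ssh
 exec-timeout 15 0
"""

DEFAULT_SECRETS = {"public", "private", "cisco", "admin", "password"}

def password_is_complex(pw):
    """The post's rule: at least 13 characters with upper, lower and digits."""
    return (len(pw) >= 13 and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)

def parse_stanzas(lines):
    """Group indented lines under their 'interface ...' or 'line ...' header."""
    stanzas, current = {}, None
    for line in lines:
        if not line.startswith(" "):
            current = line if line.startswith(("interface ", "line ")) else None
            if current:
                stanzas[current] = []
        elif current:
            stanzas[current].append(line.strip())
    return stanzas

def check_config(text):
    """Return one finding per hardening item the config fails (empty list = clean)."""
    findings, lines = [], text.splitlines()
    top = [l for l in lines if not l.startswith(" ")]
    for l in top:
        m = re.match(r"snmp-server community (\S+)|enable (?:password|secret) (\S+)", l)
        if m:
            secret = m.group(1) or m.group(2)
            if secret in DEFAULT_SECRETS or not password_is_complex(secret):
                findings.append(f"default or weak secret: {l.split()[0]}")
    if "ip http server" in top:
        findings.append("clear-text web management enabled (ip http server)")
    if not any(l.startswith("ntp server") for l in top):
        findings.append("no NTP server configured")
    if not any(l.startswith("banner motd") for l in top):
        findings.append("no log-on banner configured")
    for name, body in parse_stanzas(lines).items():
        if name.startswith("interface") and "shutdown" not in body \
                and not any(b.startswith("ip address") for b in body):
            findings.append(f"{name}: unused interface not shut down")
        for b in body:
            if b.startswith("transport input") and "telnet" in b.split():
                findings.append(f"{name}: telnet allowed")
            m = re.match(r"exec-timeout (\d+)", b)
            if m and int(m.group(1)) > 15:
                findings.append(f"{name}: exec-timeout {m.group(1)} min exceeds 15")
    return findings
```

Running `check_config(WEAK_CONFIG)` lists seven findings, while the hardened configuration returns none.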

Maintaining Secure Traffic Rules

Lastly, let’s talk about maintaining secure traffic rules in and out of your environment.

  • Maintain a list of approved ports and services. Management should always oversee the traffic that is allowed in and out of your environment.
  • Limit inbound traffic (from the Internet to the DMZ). This is a standard best practice, and the best way to monitor who is able to access your environment. Open ports that aren’t used only become a liability.
  • Limit outbound traffic to only that which is needed. In the event that a hacker successfully enters your environment, policies that limit outbound traffic can help limit the data a hacker is able to take from your environment.
  • “Any” based rules should not be used. Rules should be as prescriptive as necessary to securely shape the traffic.
  • Systems that interact with sensitive information should have rules explicitly defined to limit the exposure. Any system storing sensitive data should have very strict rules established that limit all access to protect this data as securely as possible.
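As an added example (not code from the original post), a Python review of a firewall ruleset against the five practices above, plus the anti-spoofing item from the operating system list: it flags "any"-based permits, inbound permits that reach past the DMZ, inbound rules that trust an internal source address, outbound services not on the approved list, and open-ended rules that cover a host holding sensitive data. The network ranges, the approved-service list and the rules are all constructed for the example.

```python
# Added example: reviews a firewall ruleset against the traffic-rule practices above,
# plus the anti-spoofing item from the OS list. Layout and rules are constructed.
import ipaddress

DMZ = ipaddress.ip_network("192.0.2.0/24")                # assumed DMZ range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")             # assumed internal range
SENSITIVE_HOSTS = {ipaddress.ip_address("10.10.5.20")}    # assumed: host with sensitive data
APPROVED_OUTBOUND = {("tcp", 443), ("tcp", 25), ("udp", 53), ("udp", 123)}  # assumed approved list

# Constructed rules in evaluation order; "any" means unrestricted.
RULES = [
    {"id": 10, "dir": "in",  "src": "any",        "dst": "192.0.2.10", "proto": "tcp", "port": 443,   "action": "permit"},
    {"id": 20, "dir": "in",  "src": "any",        "dst": "any",        "proto": "any", "port": "any", "action": "permit"},
    {"id": 30, "dir": "in",  "src": "any",        "dst": "10.10.5.20", "proto": "tcp", "port": 3306,  "action": "permit"},
    {"id": 35, "dir": "in",  "src": "10.0.0.0/8", "dst": "192.0.2.10", "proto": "tcp", "port": 22,    "action": "permit"},
    {"id": 40, "dir": "out", "src": "10.0.0.0/8", "dst": "any",        "proto": "tcp", "port": 443,   "action": "permit"},
    {"id": 50, "dir": "out", "src": "10.10.5.20", "dst": "any",        "proto": "any", "port": "any", "action": "permit"},
    {"id": 60, "dir": "out", "src": "any",        "dst": "any",        "proto": "any", "port": "any", "action": "deny"},
]

def _net(value):
    """'any' -> None, otherwise a network (a bare host address becomes a /32)."""
    return None if value == "any" else ipaddress.ip_network(value, strict=False)

def review(rules):
    """Return one finding per rule-and-practice violation; deny rules are skipped."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue                                   # a deny never widens exposure
        src, dst = _net(r["src"]), _net(r["dst"])
        open_ended = sum(r[k] == "any" for k in ("src", "dst", "proto", "port"))
        if open_ended >= 3:                            # "any"-based rule
            findings.append(f"rule {r['id']}: 'any'-based permit rule")
        if r["dir"] == "in":
            if dst is None or not dst.subnet_of(DMZ):  # inbound must stop at the DMZ
                findings.append(f"rule {r['id']}: inbound permit reaches beyond the DMZ")
            if src is not None and src.subnet_of(INTERNAL):  # internal source from outside = spoofable
                findings.append(f"rule {r['id']}: inbound rule trusts an internal source address (spoofable)")
        if r["dir"] == "out" and (r["proto"], r["port"]) not in APPROVED_OUTBOUND:
            findings.append(f"rule {r['id']}: outbound service not on the approved list")
        for host in SENSITIVE_HOSTS:                   # sensitive hosts need explicit rules
            covered = (src is not None and host in src) or (dst is not None and host in dst)
            if covered and "any" in (r["src"], r["dst"]):
                findings.append(f"rule {r['id']}: sensitive host {host} covered by an open-ended rule")
    return findings
```

`review(RULES)` returns nine findings; rule 10 (a specific permit into the DMZ) is the only permit rule that passes cleanly.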

Creating a security-minded culture at your organization should supersede any boxes you are checking for the sake of compliance. Beginning with managing firewall and router security is a good starting point. For additional information on best practices for managing firewall and router security at your organization, visit the Center for Internet Security (CIS) or contact us today.

Independent Audit Verifies RACK59’s Internal Controls and Processes

Oklahoma City, OK  – March 2017 – KirkpatrickPrice announced today that RACK59, a secure data center and colocation facility, has received their SOC 2 Type II attestation report. The completion of this engagement provides evidence that RACK59 has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of RACK59’s controls to meet the criteria for these principles.

“As the demand for additional security safeguards continues to rise, we constantly evaluate the security needs of our customers and are committed to meeting those threats head on,” said Dusty Burchfield, Partner of RACK59.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. RACK59 has selected the security, availability principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “RACK59 delivers trust based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on RACK59’s controls.”

About RACK59

RACK59 is a colocation data center in Oklahoma City, Oklahoma that provides secure, competitively priced data center solutions for medium to enterprise businesses. All customers, whether they use one rack or an entire private data center, benefit from RACK59’s premier facility, power, connectivity and unmatched service. We maintain this high standard through our unsurpassed, hardened facility and customer focused business model. www.rack59.com

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

Independent Audit Verifies SureHosting Internet Solutions, Inc.’s PCI Compliance

Independence, MO – January 2017 – SureHosting Internet Solutions, Inc., a network management and monitoring company, today announced that it has completed its PCI audit and received their Report on Compliance (RoC). These reports verify that SureHosting Internet Solutions, Inc. adheres to the Payment Card Industry Data Security Standard and has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of SureHosting Internet Solutions, Inc.’s controls that are relevant to the storing and transmitting of information from credit, debit, or other payment cards. In accordance with the PCI Security Standards Council, KirkpatrickPrice’s Qualified Security Assessors assisted SureHosting Internet Solutions, Inc. in becoming PCI compliant.

The PCI Data Security Standard is a complex security standard that focuses on security management, policies, procedures, network architecture, software design, and other critical protective procedures. These security standards are relevant to any merchant or service provider that uses, stores or transmits information from a payment card.

“SureHosting believes that when their clients feel that their systems and information are secure then the client is able to go out and change the world,” said Tanya Brown, Director of Compliance.  “To be able to provide that comfort and assurance is what SureHosting is all about.”

“Many of SureHosting Internet Solutions, Inc.’s clients rely on their systems to process or store sensitive data and protect information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, SureHosting Internet Solutions, Inc. has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the accounts receivables management services provided by SureHosting Internet Solutions, Inc.”

About SureHosting Internet Solutions, Inc.

As a proven leader since 2003, SureHosting Internet Solutions (hereafter, SureHosting) is prepared to offer technology assistance on any scale. Located in Independence, Missouri, they provide highly efficient data transfer rates and stable connectivity, secure data storage and backup, scalable high-availability servers, remote monitoring and maintenance, and architectural professional services to clients all over the world.

SureHosting believes their customer’s technology environment is as complex, constantly changing, and in need of direct care as the planet’s ecosystems. To best serve their customers, they implemented the Network Ecosystems, a structured breakdown of the services designed to help customers with what they need, nothing more, nothing less.

Services

  1. Stream: Swift Data Flow and Bandwidth – SureHosting’s objective is to provide customers not only stable connectivity, but also highly efficient data transfer rates. The Stream product is a blended bandwidth system using top tier Internet Service Providers. Smart switches help clients filter out the latency of individual ISPs and allow for a swift-flowing data stream.
  2. Core: Network Data Security – For SureHosting, the concept of Core is the data center services that enables storage of sensitive information, backup creation for client’s information, storage solutions, and flexible high-availability servers and virtual machines for client use.
  3. Light: Full Service Monitoring – Light monitoring provides remote monitoring and maintenance, resolving network and infrastructure problems. The 24/7/365 USA-local monitoring ensures high availability for clients’ systems, providing operational support.
  4. Branch: Onsite Professional Services – SureHosting employs highly skilled and specialized individuals with great experience in their field, allowing them to offer onsite and remote desktop support services. These specialists will assist clients in locating the correct technology needed and pruning what is not. SureHosting’s professionals are highly skilled in assisting customers, whether with full professional support or with consulting for special projects, ongoing maintenance and backups, and technical expertise when needed.
  5. Root: Compliance – At the base of every great company is a strong compliance program. SureHosting offers a PCI DSS 3.2 Compliant system. SureHosting’s dedication and commitment to compliance removes those obstacles from the client’s path to growth. SureHosting acknowledges that there is a difference between saying you comply and actually proving that you do, their SSAE Type 1 SOC 10 SureHosting Internet Solutions, Inc. SOC 2 Service Organization Control Report November 27, 2016


Independent Audit Verifies eCIFM Solutions’ Internal Controls and Processes

San Ramon, CA – February 2017 – eCIFM Solutions, an Integrated Workplace Management Systems provider, today announced that it has completed its SSAE 16 (SOC 1) Type II Audit. This attestation verifies that eCIFM Solutions has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of eCIFM Solutions’ controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes eCIFM Solutions’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

“Many of eCIFM Solutions’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, eCIFM Solutions has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by eCIFM Solutions.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About eCIFM Solutions

eCIFM Solutions Inc. is a world class service provider of Integrated Workplace Management Solutions (IWMS) to a wide range of corporations, educational institutions, and Federal, State, and Local government agencies. We specialize in successfully implementing the IBM TRIRIGA® IWMS suite of software solutions for our clients based on a thorough analysis of our clients’ needs, industries, and best practices. www.ecifm.com
