Who is Connectria?

Founded in 1996, Connectria is a leading provider of cloud hosting and managed services. With customers in over 30 countries around the globe, Connectria ensures the ongoing availability, performance and security of customer applications in the cloud. Connectria’s comprehensive managed services and experience include the widest range of technologies in the industry and are available on a 24/7 basis no matter where customer applications and data reside. This includes Connectria’s data centers as well as remote management via customer data centers and third party clouds such as Amazon Web Services and Microsoft Azure.

How valuable is security to Connectria?

Security is a hallmark of Connectria and core to everything we do. Our customers’ businesses and livelihood depend upon Connectria safeguarding their applications and data. Security is a big part of what our customers are buying from us and why they regard us as the experts. Additionally, many of our customers are subject to regulatory compliance and rely upon Connectria to help them achieve and maintain compliance.

Connectria invests heavily in security and compliance and annually undergoes third-party audits to adhere to the highest levels of standards. This includes SSAE16 (SOC1, SOC2), HIPAA/HITECH, PCI DSS, Sarbanes Oxley (SOX), FISMA and EU-US PRIVACY SHIELD, with plans for HITRUST and FEDRAMP.

Connectria is committed to delivering the best security services in the industry through our world-class 24/7 Security Operations Center (called SOCTRIA) and dedicated compliance support team for our customers.

Why did Connectria pursue FISMA, PCI, and HIPAA compliance?

The reputation of our customers is very important to Connectria. Security breaches are a constant threat faced by all companies. Data and processes are stored and managed more than ever by cloud service providers. Meeting FISMA, PCI and HIPAA regulatory compliance standards provides our customers the confidence that it’s safe to do business with Connectria.

How do you feel about the auditing process?

No one enjoys or looks forward to a visit from their examiner. It can be a distraction from our normal business of supporting customers; however, Connectria realizes these audits ultimately improve our services and business. Rather than viewing our audits as a given point-in-time, Connectria views security and compliance as an ongoing effort. As such, any audit is merely a review and validation of a continual evolution and commitment which already exists within Connectria.

KirkpatrickPrice has made these events more efficient with the tools and partnership mentality that they bring to the table. The online portal that allows us to combine all of the questions from all of the audit disciplines that we require has made this effort quicker, easier, and more engaging. The KirkpatrickPrice team has become an extension of the Connectria team throughout each exam effort. This harmonization is important for minimizing duplication of effort for any organization that must demonstrate compliance in multiple audit disciplines.

What is the most difficult part of the audit process?

What used to be difficult has become easier after incorporating the KirkpatrickPrice portal into our processes. The coordination of evidence gathering, resource scheduling, and effort of work has slowly become a team effort. Year over year, we continue to grow and improve our auditing processes. Connectria has been able to create repeatable automated processes for vulnerability management, evidence gathering, and monthly reporting after engaging with KirkpatrickPrice.

What have you learned from each of your audit processes?

We have learned that planning for the audit is just as critical as managing the risk. Planning requires a significant amount of judgment, and the decisions made in planning are critical to the effectiveness and efficiency of an audit. The principles involved in the identification of risk and determination of in scope services are the same for all of our audit disciplines. Therefore, planning performed on an integrated basis helps to achieve the objective of an integrated audit and eliminates redundancy.

Why should your customers care about your compliance?

Risk of non-compliance for customers is significant. Any breach in compliance may result in expensive fines and damage to a customer’s reputation. Our customers subject to compliance rely upon Connectria’s expertise to mitigate this risk. They are not experts themselves and would rather focus upon their core business.

An effective compliance program gives our customers the assurance and comfort they require. By undergoing annual audits, Connectria is able to present a reliable health picture of the organization to our customers. Compliance is a benefit of audits achieved through internal controls that prevent, detect and respond to security events. Strengthening the compliance and security program integrity of an organization through an audit reduces risk.

These audits allow Connectria to hold itself to the same standards and accountability as our customers. As long as the services we provide our customers are compliant, then our customers know we are committed to protecting their data as if it were our own.

About Connectria Hosting

Since 1996, Connectria has provided award-winning cloud hosting, remote monitoring and cloud security for more than 1,000 customers in over 30 countries worldwide. At the core of Connectria is our No Jerks Allowed® company philosophy. As The Jerk Free Company®, we’ve established a unique culture where every employee goes “the extra mile” to take care of our customers. Being The Jerk Free Company® extends beyond our people too. We make it easy to do business with us through flexible terms, scalable solutions and straightforward pricing to serve the technology needs of large and small organizations alike.

Independent Audit Verifies Teligistics’ Internal Controls and Processes

Conroe, TX – February 2017 – Teligistics, a telecommunications firm, today announced that it has completed its SSAE 16 (SOC 1) Type II Audit. This attestation verifies that Teligistics has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Teligistics’ controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Teligistics’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

“Teligistics is excited to be able to provide our clients with an extra level of confidence that we will do a great job for them with a refined and highly skilled process,” said Randy Councill, COO of Teligistics.

“Many of Teligistics’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Teligistics has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Teligistics.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Teligistics

Teligistics is a 20+ year-old company dedicated to helping our clients save money on their telecom spend. Whether it’s sourcing telecom services, managing billing and inventory, or wireless expense management, Teligistics has the tools to help enterprises bring hard dollars back to their bottom line. Backed by industry and procurement experts, Teligistics is your trusted partner for managing your telecom expenses. Visit www.teligistics.com

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

Wondering how to prepare for a SOC 2 Audit? Here are the 5 things you need to pass your SOC 2 Audit.

The pressure is on as more and more service providers and service organizations are being asked by clients for a SOC 2 audit report. Are you prepared to demonstrate your commitment to security and privacy to your clients and prospects? KirkpatrickPrice is here to help get you started.

Not all SOC 2 Audit training was created equal. Here are 5 things you need to pass your SOC 2 audit.

1. Annual Risk Assessment

Three questions you should ask yourself at least once a year are: Have I identified potential threats to my organization? Have I analyzed the significance of the risks associated with each threat? What are my mitigation strategies for addressing these risks? In answering these questions, you will have performed a Risk Assessment, the foundation for any successful information security program. After all, how can you protect your organization from threats if you don’t know what those threats are?

Utilizing a Risk Assessment Guide can help get you started with the process if this is your first time.

2. Annual Policy and Procedure Review

Annual policy and procedure review is the best way to make sure that there are no gaps in your security posture in preparation for your SOC 2 audit. It also helps when determining that you’ve properly documented everything you say you’re doing and that it is being communicated to any, and all, relevant personnel.

As far as your auditor is concerned, if it isn’t documented, it’s not happening.

Annually reviewing your policies and procedures is a good way to continuously mature your environment while ensuring due diligence in preparation for your SOC 2 audit.

3. Fully Developed Security Awareness Employee Training Program

Did you know you’re only as strong as your weakest link? Annual security awareness training programs are important to make sure all personnel, from IT to operations, have knowledge of security awareness and are taking steps to protect your organizational assets from a breach. Security awareness training is an important aspect of SOC 2 compliance and a necessary component for any information security management program.

4. Vendor Management Procedures

Vendor management is a must when it comes to ensuring that your vendors are complying with information security best practices and standards. Vendors present risk to every organization, so in order to properly prepare for your SOC 2 compliance audit, you must regularly and thoroughly vet your vendors, and document the procedures for managing your vendors.

5. Incident Response and BCDRP

Lastly, any organization preparing for their SOC 2 audit must develop and test their Incident Response Plan and Business Continuity Disaster Recovery Plan.

Has it been mapped? Planned? Tested?

The purpose of incident response planning is to know how to react and the steps you must take in the event of a breach in order to minimize damage and risk to your organization and business operations. Once your organization has accomplished these things, you’re ready to begin your SOC 2 audit process.

Get Help Preparing for Your SOC 2 Audit

If you’ve successfully prepared these things, and you’re ready to engage a third-party auditing firm in your SOC 2 audit, Contact Us Today!

Preparing for HIPAA compliance can be an overwhelming undertaking if you’re uncertain where to begin. Starting with a formal risk analysis can help you determine how your current security posture stands up against HIPAA laws while creating a roadmap leading you towards compliance.

Why is HIPAA Risk Analysis Important?

Why is risk analysis important? First and foremost, a risk analysis is important because it is a requirement under the HIPAA Security Rule. The number one finding identified during the Phase 1 HIPAA audits was that organizations consistently struggled with the risk analysis. Completing a risk analysis provides benefits that go beyond compliance with a single requirement; it is the start of a compliance path. If you’ve never completed one or are struggling with one, the first step in the formal risk analysis process is planning. It’s important to remember that incomplete planning means incomplete results.

A risk analysis is not the same as an overall HIPAA gap analysis. A risk analysis asks how much exposure we have to unauthorized access or disclosure of ePHI, while a gap analysis asks how we are doing compared to what the regulations require. A risk analysis provides greater layers of information by showing how much exposure you have, identifying the controls you have in place, and determining how likely it is that a security incident will occur. All of this leads to any necessary corrective action.

Determining your Resources

Determining available resources for completing the risk analysis is the next step in the planning process. Who will lead the project? Do they have the proper experience to conduct the risk analysis? Do they have the support of the leadership team? Have they reviewed any past risk analyses? If they don’t have any previous experience, they will need to be trained and given any necessary resources to become familiar with the process in order to perform a satisfactory risk analysis. If you do not have the internal resources available, there is also the option to seek an outside source to perform the risk analysis for you.

Determining Your Scope

The next step in planning the risk analysis is determining the scope. Jocelyn Samuels from the OCR said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” The risk analysis requirement only applies to ePHI, so that excludes any fax receipts or phone calls where PHI is discussed. The best way to determine what is considered in scope is to think in terms of ePHI processing. Where does ePHI enter and exit your organization? Creating an ePHI data workflow will help you outline the specific places in your organization that touch, receive, or access ePHI. Creating a visual representation of your workflow will be a huge resource for your risk analysis scoping process.

Information gathering can be useful during ePHI flow research. Analyzing any previous information security incidents, performing interviews with key staff, reviewing documentation, and looking at past and present ePHI projects can help you validate the scope of your risk analysis.

Don’t forget that planning is important. When you’re ready to move forward to discuss threats and vulnerabilities, ensure that you’ve accurately captured the information you need to properly complete your risk analysis. Bring in internal resources who aren’t directly involved in the project, present them with the documented plan you have established, and get feedback on any missing elements. For more information on risk analysis, contact us today.

More Resources

Most Common HIPAA Gaps

5 Ways Business Associates and Covered Entities Can Prepare for HIPAA Compliance

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

Orlando, FL – February 2017 – KirkpatrickPrice brings its health IT readiness and audit services to the exhibit floor for the 2017 HIMSS Conference & Exhibition at the Orange County Convention Center in Orlando, Fla. From Feb. 19–23, 2017, more than 40,000 healthcare industry professionals are expected at the conference, where they will gain expert insights during the exchange of innovative ideas and best practices in improving health through IT.

KirkpatrickPrice has been assisting clients in the healthcare space for over 12 years. As an exhibitor, KirkpatrickPrice’s Security Specialists will be educating attendees on how to remain up-to-date on industry trends and how to work towards HIPAA compliance through readiness and audit. KirkpatrickPrice assists covered entities and business associates with compliance concerns with risk analysis, penetration testing, SOC 2/HITRUST, and HIPAA audits.

“The protection of Personal Healthcare Information has taken centerstage recently because of the updates to the HHS HIPAA audit protocol and the enhanced enforcement activities. KirkpatrickPrice is pleased to participate in the HIMSS conference to bring our experience in Risk Analysis, Penetration Testing, Business Associate Management, and other healthcare-specific services to this year’s attendees,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice.

“We know the HIMSS Annual Conference is where the brightest minds in health and IT meet, and our exhibit floor offers the latest technologies and education sessions to help generate new ideas during the conference. In addition, the exhibition floor is open three days, at least eight hours each day, during HIMSS17, so that exhibitors have more time to meet with attendees. We are always honored to welcome all of our exhibitors to the conference, and appreciate their contributions to our collaborative efforts to transform health and healthcare with IT,” said Karen Malone, vice president, meeting services, HIMSS North America.