Harvest Strategy Group, Inc. recently completed its 5th annual SSAE 18 SOC 1 Type II audit in order to reinforce its industry leadership position in regulatory compliance through an extensive evaluation and audit of the internal controls and processes of its vendors and recovery partners.

Headquartered in Denver, Colorado, Harvest Strategy Group, Inc. provides comprehensive accounts receivable management services to a variety of creditors, including banks, auto finance lenders, credit unions, debt purchasers, and medical debt managers, by managing debt recovery on behalf of their clients. Harvest began their first SOC 1 Type II audit in June 2012.

Why Pursue an SSAE 18 (SOC 1) Type II Audit?

David Ravin, Harvest’s CEO, recognized the opportunity in the accounts receivable management space to not only adapt to the regulatory environment, but to also create an enhanced framework in which creditors could have unquestionable confidence. “Our early commitment to obtaining the SSAE 18 Type II certification was key in positioning ourselves as a means to not only support our clients in terms of our services, but to provide the strictest controls in the market. We recognized our highest duty is to uphold the integrity of our clients’ brands, and the certification is a critical piece of that commitment.”

Since Harvest’s inception in 1999, they have been able to stay ahead of the curve in the evolving world of regulations by offering services to their clients that are built around CFPB compliance standards as well as other federal and state regulations. It’s not uncommon for companies to lack the resources and bandwidth necessary to build the infrastructure needed to become and remain compliant. Since Harvest has built their business model around defect-free compliance, and has continued to pursue third-party validation, their clients can fully rely on them to provide industry-leading compliance and oversight, relieving the resources, stress, and cost of insourcing.

“Harvest Strategy Group’s Management approached their SOC 1 engagement as an exercise to have the effectiveness of their existing controls stress-tested and evaluated, as well as identify areas for improvement in their practices to control risks. This positions Harvest with a significant competitive advantage in soliciting new, and maintaining current, clients,” said Britt Wilson, CISA for KirkpatrickPrice, who performed the SOC 1 Type II audit engagement for Harvest.

What is an SSAE 18 (SOC 1) Type II Audit?

A SOC 1 Type II audit is an engagement that evaluates, tests, and reports on the effectiveness of internal controls at a service organization. KirkpatrickPrice performed Harvest’s SOC 1 Type II audit and appropriate testing of the controls that may have an impact on their clients’ financial statements, regulatory risk, and reputation. In accordance with SSAE 18 (Statement on Standards for Attestation Engagements), Harvest’s SOC 1 Type II audit report includes a description of their controls as well as detailed testing of those controls over a 12-month period.

KirkpatrickPrice performed a thorough audit of Harvest’s actual practices against their documented policies and procedures in order to attest to the fact that their Compliance Management System and the services they provide to their clients are high quality, secure, and efficient.

“Harvest Strategy Group has obtained SOC 1 Type II reports for several years and has translated these engagements into opportunities to have a certified independent third party ensure their control of risks,” commented Britt Wilson, CISA, on Harvest’s recent compliance attestation.

How has a SOC 1 Type II Compliance Audit Benefited Harvest?

Pursuing and completing their fifth SOC 1 Type II audit has set Harvest Strategy Group apart from their competition, as they have matured their environment through constant review of their documentation and process management. Choosing to be proactive with compliance, rather than reactive, has given Harvest the competitive advantage they need to be an industry leader in accounts receivable management. Harvest Strategy Group is always looking for opportunities for continuous improvement by constantly evaluating and updating their Compliance Management System as their business continues to grow.

Learn more about recognized industry leader Harvest Strategy Group here. If you’re interested in learning more about how you can benefit from completing an audit, contact KirkpatrickPrice.


Information security has become a topic that is at the forefront of every business owner’s mind. With the influx of information stored in a data center, it’s becoming increasingly important that data centers take the right steps towards ensuring that they have the proper controls in place to provide secure and efficient services to their clients. Let’s explore the challenges of data center security and look at ways we can overcome these challenges.

What are the biggest risks to data center security?

Something that we commonly see when auditing our data center clients is personnel without relevant job responsibilities who have access to secure areas such as the data center computer room. Physical access to systems with sensitive information should be restricted to only those individuals whose job function requires them to have access.

Physical security is another major risk to data centers. We often see data centers with a lack of vigilance that rely too heavily on monitoring instead of implementing physical patrols. Physical patrols can eliminate tailgating risks and ensure that unauthorized access to secure and restricted areas doesn’t happen.

Lastly, one of the greatest risks to data centers is cyber threats. With new and emerging threats bringing new forms of malware, social engineering, brute force attacks, and other forms of unauthorized access, organizations must be on their toes when it comes to cybersecurity.

How can data centers protect their assets and information?

From a logical access perspective, data centers should have a robust information security program in place. Utilizing an industry framework such as the CIS Critical Security Controls can be a great start towards protecting information, security, and building management systems at a data center.

It should always start with a Risk Assessment. Performing regular risk assessments on information security systems can help you determine the need for redundancy, additional hardening, failover, or business continuity procedures. Risk Assessments can help you prioritize your assets, analyze the risks to the assets, and implement controls to address those risks, improving overall data center security.

What role does penetration testing play in securing a data center?

Penetration testing is a critical element of data center security. Testing the organization’s facilities, networks, systems, and applications should be a regular part of your information security program. Testing should include network and application layer testing of security and monitoring systems (door access control systems, video surveillance systems, etc.). Physical controls should also be tested; these tests should include perimeter and internal physical access controls, as well as social engineering assessments of onsite personnel.

How can data centers meet client and industry demands without sacrificing security?

One of the main reasons companies choose to house their systems in a third-party data center is the physical security features that the center offers. Data centers are typically located in hardened buildings and in areas where risk from natural disasters is minimized. 24-hour onsite security and monitoring are also important features that companies want in their data centers. A lot of our customers also appreciate the customer/visitor/vendor access controls in place, which often require the data center customer to provide advance notice when they intend to bring a visitor to the data center for a tour.

What are the best ways to safeguard a data center against a breach?

Protecting your data center against a breach doesn’t have to be a daunting task. Here are four great ways you can safeguard your data center against a breach:

  • Perform a formal and ongoing risk assessment – The risk assessment process should always be continual. It allows you to identify and mitigate potential threats.
  • Maintain well-documented policies and procedures – If it’s not written down, it’s likely you’re not really doing it. That’s why it’s important to ensure that your policies and procedures are well documented. Do you have the appropriate policies and procedures in place to ensure security controls?
  • Implement logical and physical security controls – It’s always a good idea to consistently track and monitor the effective implementation of your logical and physical security controls.
  • Provide ongoing training – Personnel should be continually trained on all logical and physical security responsibilities. Remember, you’re only as strong as your weakest link.

For more information on how you can overcome security challenges at your data center, contact us today. This article was based on a conversation with Steve McEnroe, CISA, QSA, GWAPT.


Which Trust Services Criteria Do I Need to Include in my SOC 2 Audit?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Principles (recently updated to Trust Services Criteria) you want to include in your SOC 2 audit report. SOC 2 reports can address one or more of the following categories:

  1. Security
  2. Confidentiality
  3. Availability
  4. Processing integrity
  5. Privacy

Becoming familiar with these five principles should be the first step in determining the scope of your SOC 2 audit and deciding which of these principles apply to the services your organization provides.

Selecting SOC 2 Principles with Joseph Kirkpatrick

The 5 SOC 2 Trust Services Principles:

Security

In a non-privacy SOC 2 engagement, the security category must be included. Security is the common criteria that applies to all engagements, and is what the other Trust Services Criteria are based on. The security category addresses whether the system is protected (both physically and logically) against unauthorized access.

Confidentiality

If the services your organization offers deal with sensitive data, such as Personally Identifiable Information (PII) or Protected Health Information (PHI), the confidentiality category should be present in your SOC 2 audit report. The confidentiality principle addresses the agreements that you have with clients in regard to how you use their information, who has access to it, and how you protect it. Are you following your contractual obligations by properly protecting client information?

Availability

Are you ensuring that the system you provide your clients is available for operation and used as agreed? Availability addresses whether the services you provide are operating with the type of availability that your clients would expect. The availability category typically applies to companies providing colocation, data center, or hosting services to their clients.

Processing Integrity

If the services you provide are financial services or e-commerce services and are concerned with transactional integrity, processing integrity is a category that should be included in your SOC 2 report. Are the services you provide to your clients provided in a complete, accurate, authorized, and timely manner? Are you ensuring that these things are happening?

Privacy

Lastly, we have the privacy principle. The privacy category really stands on its own, as it specifically addresses how you collect and use consumers’ personal information. It ensures that your organization is handling client data in accordance with the commitments made in the entity’s privacy notice, and with criteria defined in the generally accepted privacy principles issued by the AICPA.

Should You Include All 5 Trust Services Criteria in Your SOC 2 Audit?

You aren’t necessarily required to address all five of the Trust Services Criteria in your SOC 2 audit report; however, you should select the categories that are relevant to the services you are providing to your customers. If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Principles you should include, contact us today.


One of the first things that you have to do in order to prepare for a SOC 2 audit engagement is select which principles from the trust services principles will be included in your SOC 2 audit report. The principles again are: Security, Availability, Confidentiality, Processing Integrity and Privacy.

Security must be included in any non-privacy principle SOC 2 audit engagement. We refer to the security principle as the common criteria that applies to any SOC 2 engagement and applies across the board to all the principles involved except for privacy.

So you must include that one, but from there you will look at confidentiality. Do you have agreements with your clients about how you will use the information, who has access to it and how you will protect that, and are you abiding by those contracts that you’ve entered into?

Processing integrity has to do with providing your services in a complete manner, in an accurate manner, in a timely manner and are you doing those things?

Availability has to do with, is your system available to your clients as agreed? The services that you provide – are you maintaining the type of availability that your clients would expect for your services to be available to them?

Then finally, Privacy really kind of stands on its own. It’s a very unique principle, it’s very different from the other four. And we usually issue that as its own type of report because it addresses how you collect and use personal information of consumers, and do they have rights to opt out of how their information is used. Do they have the ability to file a complaint and get a response from you on how information is being utilized?

So think about those five principles and what would be included in your SOC 2 audit engagement.

Becoming PCI Compliant for the first time can be an overwhelming undertaking if you are unsure of where to start. With approximately 394 controls, this comprehensive data security standard can be a large undertaking that is best tackled with expert assistance.

The first step towards achieving PCI compliance is to have a Gap Analysis performed by a PCI expert. Working with a PCI expert will help you to understand all of your business processes and understand how PCI compliance impacts your unique business organization. Your PCI expert will work through each of the requirements with you, how they relate to your business, and allow you to see how your current security posture will stand up to a PCI audit. The Gap Analysis process will uncover any missing pieces you may have in your security, and leave you with a list of recommendations that you can spend time remediating to ensure that you have everything in place you need to pass your PCI audit.

Once you’ve completed the remediation process, it’s time to reconnect with your auditor to begin the PCI audit process. Your PCI auditor will work with you through each of the PCI audit requirements, gather all of the necessary evidence, and collect all documentation to complete the PCI assessment process for you. Compliance with the PCI DSS means compliance with all of the requirements, which are divided into the following 12 requirements:

The 12 PCI Requirements

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Once the audit process is completed, you will receive your PCI Report on Compliance, or ROC, which demonstrates to your clients your compliance with the data security standard. If you’re ready to start the journey towards PCI compliance, don’t hesitate to contact a PCI Qualified Security Assessor (QSA), like KirkpatrickPrice, to help you through the process, eliminate the stress of a PCI audit, and be confident that you will receive your PCI Report on Compliance.

We get a lot of questions about how do we become PCI compliant? So that process will begin with a Gap Analysis, and that Gap Analysis is going to be one of our PCI Experts spending some time with your organization, coming to an understanding of what it is you do to make money and how PCI compliance impacts your business, talking through your business processes, gaining a firm understanding of your technology platform, and how that supports your business. Then, working through each requirement, all of the nearly 300 requirements, helping you to understand what those requirements actually mean in your business.

At the conclusion of the Gap Analysis process, you’ll end up with a list of things that you will need to work on to make sure that you have everything in place to pass the audit. Then you’ll step away and you’ll work on those remediations. When that is done, we’ll come back with our auditor and work through the audit process to gather all of the evidence, collect all of the documentation and complete the assessment process for you. When that is all done, then you will have your ROC (Report on Compliance), your attestation of compliance, and you’ll be able to demonstrate to anyone who’s asking (whether it’s a card brand or your largest customer, or anybody really who is asking for your PCI compliance status) by providing them with that documentation.

If you’re being asked about SOC 2 compliance for the first time, you may be wondering why. It’s becoming increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the companies they are working with are appropriately protecting their sensitive information.

Perhaps you’re a vendor of a larger organization who is being audited by a publicly traded company, or maybe you want to demonstrate that security is a critical part of your organization. These clients will require you to demonstrate SOC 2 compliance to address any information security risk concerns. The SOC 2 report addresses principles (known as the Trust Services Principles) such as security, availability, processing integrity, confidentiality, and privacy.

Demonstrating that you’re SOC 2 compliant means demonstrating that the policies, procedures, and controls you have in place properly address the Trust Services Principles you have selected for your SOC 2 audit report. These principles are addressed by answering the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

If you’re being asked to demonstrate SOC 2 compliance, or if you’re simply wanting to get ahead in your industry, engaging a third-party auditing firm to perform a SOC 2 audit is the right next step. SOC 2 compliance shows that you have matured the practices at your organization and are committed to gaining client trust. Are you confident your internal controls are protecting systems that process sensitive information? Are you ready to decide whether a SOC 2 report is what your organization needs? Contact us today using the form below to speak with a SOC 2 expert and find out how you can begin your SOC 2 audit.

If you have been asked for a SOC 2 Audit Report, this might be the first time that you’ve had that request and you might be wondering what a SOC 2 Audit Report is. It seems to be very popular right now for organizations to ask their vendors about whether or not they are SOC 2 compliant. SOC 2 addresses principles such as security, availability, confidentiality and processing integrity.

And so as a vendor to a larger organization that’s perhaps being audited by a publicly traded company, they may ask you for a SOC 2 Audit Report because it’s specifically designed for Service Organizations. And it’s addressing matters of information security that are so important today as people are concerned about their third parties and whether or not they’re handling their information in a secure and effective manner. So look into a SOC 2 Audit Report, determine if it’s right for you, and contact us today to see if we can help in any way.