In order to understand the purpose of a Service Organization Control (SOC) 2 Report, it’s important to understand the background and history of how the SOC 2 came into existence as a way for service organizations to manage the risks associated with outsourcing services.

The original standard was known as SAS 70 and was a way service organizations could demonstrate the effectiveness of internal controls at their organization. The SAS 70 audit was performed by a CPA and the result was a report on the effectiveness of internal control over financial reporting. Although not the intended purpose, organizations began using the SAS 70 report to prove that a vendor was secure and safe to work with. When the SSAE 16 or SOC 1 report replaced SAS 70, the SOC 2 was introduced as a report that addresses security.

The SOC 2 was welcomed with open arms and was intended to serve a wide range of organizations that need information security assurance related to internal controls affecting the security, availability, processing integrity, confidentiality, and/or privacy of a system. The SOC 2 is based on predefined criteria known as the Trust Services Principles. The AICPA has defined these principles to ensure the following:

  • Security – The system is protected against unauthorized access.
  • Availability – The system is available for operation and use as committed or agreed.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed and destroyed in accordance with the privacy notice commitments.

Understanding the purpose behind the SOC 2 can help bring added benefits to your organization. A SOC 2 report can give you a competitive advantage by helping you prioritize your risks in order to ensure that you’re delivering high-quality services to your clients. KirkpatrickPrice encourages companies that are interested in demonstrating their commitment to privacy and security to consider engaging a third-party auditor to perform a SOC 2 audit.

Joseph Kirkpatrick on The History of SOC 2 Reports

In order to understand the SOC 2 audit report, I think it’s important to understand the background and the history of Service Organization Control Reports.

The original audit was referred to as a SAS 70 and it addressed internal controls which can definitely include security, but over the years, people started treating the SAS 70 as a report in order to prove that a vendor was secure, when that was not the original intention of that service organization control report. And so when the SAS 70 was replaced with the SSAE 16 standard, the AICPA renamed that the SOC 1 and they introduced the SOC 2 audit report in 2009 by issuing the Trust Services Principles that address security, availability, confidentiality, process integrity and privacy.

So finally we had a standard, we had some principles to rest upon that allowed us to address security and that’s what the SOC 2 report is all about. You are able to choose which principles to include into that report and security is always the core principle that has to be included in a non-privacy principle SOC 2 audit report.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

What is PCI and DSS Compliance?

This is a question KirkpatrickPrice, as a PCI QSA, is frequently asked. Let’s start with what it stands for.

PCI stands for the Payment Card Industry. When we talk about compliance, we’re talking about the PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS originated from efforts by major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

PCI DSS 3.2, the current version of the standard, has approximately 394 controls. These controls are categorized under six control objectives and 12 major subject areas which address subjects such as firewall configuration, encryption, anti-virus, and information security policies. The standard’s purpose is to ensure that all of the data that lives within the Cardholder Data Environment, or CDE, is protected and secured from theft or unauthorized use. These 12 requirements are defined as follows:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS. If you have any questions about the process or are looking for a PCI Qualified Security Assessor (QSA) to assist with your PCI compliance audit, contact us today.

Randy Bartels of KirkpatrickPrice on PCI Compliance

PCI Compliance – what is it? We get this question a lot. PCI stands for the Payment Card Industry and they have a number of different standards. One of those standards is the Data Security Standard or the DSS. Nine times out of ten, when we’re talking to somebody about PCI compliance we’re talking to them about the Data Security Standard.

The Data Security Standard was born out of an initial effort by Visa and MasterCard, and was then joined by American Express, Discover and JCB. This is a set of nearly 300 requirements that reads kind of like a best practice document. So, these requirements are broken out into twelve domains, and those domains cover everything from firewall and having a secure network, to systems hardening and managing system configurations, to encryption in transit or in storage, antivirus, and all the way through to the very last domain covering information security policy and having an information security program.


What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a certified penetration tester attempts to gain access to an organization’s system, network, or web application(s). The purpose of penetration testing, as part of a routine security check, is to find vulnerabilities that could potentially be exploited by a malicious hacker. This form of security testing allows organizations to find the vulnerabilities in their security infrastructure before someone else does. If you’re new to penetration testing, you’ll need to determine which type of penetration testing is best for your organization.

Types of Penetration Testing

There are a few different types of penetration testing. The type of testing you choose will depend upon what threats you’re trying to eliminate and what level of security testing you wish to have performed.

Web Application Penetration Testing: Web application pen tests evaluate the security of websites, web applications, thick clients, etc. The process involves an active analysis of the application, by a GIAC Certified Web Application Penetration Tester (GWAPT), for any weaknesses, technical flaws, or vulnerabilities.

External Network Penetration Testing: An External Network Penetration test helps determine the security of external systems such as routers, firewalls, public-facing servers, etc. against a remote attacker. An external network pen test is performed by a GIAC Certified Penetration Tester (GPEN) who attempts to gain access to sensitive data by exploiting known vulnerabilities and, via social engineering, clients and people.

Internal Network Penetration Testing: Internal Network Penetration testing simulates an attack by an insider who has authorized access or is working from inside the firewall. The targets of the attack would be the same as in an external test, but an internal test would emulate a terminated or disgruntled employee working within the internal network. The purpose of this type of pen test is to find what vulnerabilities exist for systems that are accessible to authorized internal network connections.

Vulnerability Scanning: Vulnerability scanning is a technique used to identify security weaknesses and vulnerabilities in a computer system. By using a commonly available tool to evaluate system configurations against a database of over 80,000 known vulnerabilities, this type of scanning can help identify areas that need remediation.
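The core of the vulnerability scanning described above is a comparison of what is installed against a database of known-vulnerable version ranges. The following is an added example, not code from KirkpatrickPrice or from any commercial scanner: it generalizes the single "tool plus database" case into the version-range matching a scanner performs, over a constructed software inventory and a constructed advisory database (the `VULN-EXAMPLE-*` identifiers are placeholders, not real CVE numbers), and sorts the findings worst-first so the output reads as a remediation priority list.

```python
"""Minimal version-matching vulnerability scan over a constructed inventory.

Added example (not KirkpatrickPrice's code). Both the inventory and the
advisory database are constructed sample data; identifiers are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder identifier, not a real CVE
    product: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first fixed version (exclusive); "" means no fix released
    severity: int     # constructed 1-10 scale, higher is worse
    summary: str


# Constructed advisory database.
KNOWN_VULNS = [
    Advisory("VULN-EXAMPLE-001", "openssh", "7.0", "8.5", 7, "auth bypass (constructed)"),
    Advisory("VULN-EXAMPLE-002", "nginx", "1.0", "1.21.0", 5, "info leak (constructed)"),
    Advisory("VULN-EXAMPLE-003", "nginx", "1.18.0", "", 9, "RCE, no fix yet (constructed)"),
    Advisory("VULN-EXAMPLE-004", "postgresql", "12.0", "12.7", 6, "priv escalation (constructed)"),
]

# Constructed inventory: (host, product, installed version) as a scanner
# would collect it from banners, package managers, or agents.
INVENTORY = [
    ("web-01", "nginx", "1.18.0"),
    ("web-02", "nginx", "1.21.3"),
    ("bastion", "openssh", "8.4p1"),
    ("db-01", "postgresql", "12.7"),
    ("db-02", "postgresql", "11.2"),
]


def parse_version(text):
    """Turn '8.4p1' or '1.21.0' into a comparable tuple of ints.

    Only the leading digits of each dotted component are used, so a vendor
    suffix such as 'p1' does not break the comparison. The tuple is padded to
    three components so that '1.21' compares equal to '1.21.0'.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed_in); no fixed_in means open-ended."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed_in and v >= parse_version(advisory.fixed_in):
        return False
    return True


def scan(inventory, advisories):
    """Match every inventory entry against the advisory database.

    Returns a list of (severity, host, vuln_id, product, version) tuples
    sorted worst-first, which is the order a remediation plan would use.
    """
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append((adv.severity, host, adv.vuln_id, product, version))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, host, vuln_id, product, version in scan(INVENTORY, KNOWN_VULNS):
        print(f"[sev {sev}] {host}: {product} {version} affected by {vuln_id}")
```

Note the two boundary cases the sample data exercises: `db-01` runs exactly the `fixed_in` version and is correctly not flagged, while `web-02` is current enough to clear the older nginx advisory but still matches the one with no fix released, which is exactly the kind of result that needs a compensating control rather than a patch.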

Social Engineering: The weakest point in an organization’s security posture is its people. Social engineering is a form of attack that depends heavily on human interaction and the manipulation of people to acquire confidential information such as usernames and passwords.

Undergoing regular penetration testing is key to your overall security posture.

It’s an important practice that gives your organization visibility into real-world threats to its security. As part of a routine security check, penetration tests find the gaps in your security before a hacker does, by exploiting vulnerabilities and then providing steps for remediation.

The pros of having regular penetration tests performed far outweigh the cons.

Here are the main 5 benefits of penetration testing regularly:

Benefit #1: Identify and Prioritize Risks

Performing regular penetration tests allows your organization to evaluate web application, internal, and external network security. It also helps you to understand what security controls are necessary to have the level of security your organization needs to protect its people and assets. Prioritizing these risks gives organizations an advantage to anticipate risks and prevent potential malicious attacks from happening.

Benefit #2: Prevent Hackers from Infiltrating Systems

Penetration tests are much like practicing for a real-life hack by a real-life hacker. Performing regular penetration tests allows you to be proactive in your real-world approach of evaluating your IT infrastructure security. The process uncovers holes in your security, giving you a chance to properly remediate any shortcomings before an actual attack occurs.

Benefit #3: Mature your Environment

Continuing to mature the security posture within your organization’s environment is a great way to maintain a competitive advantage against other organizations in your industry. It not only demonstrates to your clients that information security and compliance are paramount for your organization, but also that you’re continuously dedicated to striving towards holistic and optimum security.

Benefit #4: Avoid Costly Data Breaches and Loss of Business Operability

Recovering from the aftermath of a data breach is no doubt expensive.

Legal fees, IT remediation, customer protection programs, loss in sales, and discouraged customers can cost organizations upwards of millions of dollars. According to the Ponemon Institute, the cost of a data breach in 2016 in the US is $158 per record containing sensitive information. Regularly scheduled penetration tests are a proactive way to stay on top of your security and can help prevent the financial loss of a breach while protecting your brand and reputation.

Benefit #5: Comply with Industry Standards and Regulations

Penetration tests help address the compliance and security obligations that are mandated by industry standards and regulations such as PCI, HIPAA, FISMA, and ISO 27001. Having these tests performed regularly helps to demonstrate due diligence and your dedication to information security, all the while helping you to avoid the heavy fines that can be associated with non-compliance.

If you’re not already undergoing regular penetration tests, why not?

The first step is easy: find a certified penetration testing professional and, together, decide which type of pen test is right for your organization.

KirkpatrickPrice’s certified Penetration Testers can help walk you through the process, answer any questions you may have, and provide a detailed remediation plan following testing. For more information on the importance of regular penetration testing and how to get started, contact us today.

We even offer continuous penetration testing to ensure your organization is up-to-date on best practices.


Have you received a questionnaire from the OCR regarding Phase 2 of the HIPAA audit program? Are you uncertain about how to prepare for the possibility that you will be selected for an audit? The Office for Civil Rights (OCR) has begun sending out address verification letters and collecting information on potential covered entities and business associates who may be selected for a Phase 2 HIPAA Audit. The pressure is finally on, and in the world of regulatory compliance in healthcare, it’s better to be prepared than surprised.

KirkpatrickPrice has some helpful tips for covered entities and business associates on areas of focus for each of the Privacy, Security, and Breach Notification Rules. Here are 5 ways you can prepare for a potential Phase 2 HIPAA Audit:

1. Review Notice of Privacy Practices

Covered entities should evaluate their compliance with all of the required elements relating to patient rights, patient choices, covered entities’ obligations, and contact information.

2. Review your Business Associate Agreements

Covered entities should also review their business associate agreements to ensure the agreements are current, specifically outline the expectations of the business associate, and are in place with all business associates.

3. Conduct a Security Rule Risk Analysis

To comply with the Security Rule, covered entities and business associates should conduct a risk analysis to identify all systems that include electronic protected health information (ePHI), potential vulnerabilities and threats to that ePHI, the impact that an incident involving ePHI could have on your organization, and the controls in place to reduce the risks of an ePHI incident.

4. Review Policies and Procedures related to PHI Vulnerability

Covered entities and business associates should also review all of their policies and procedures related to all PHI vulnerability, accessibility, and integrity in order to ensure that they are accurate and comprehensive. It’s also important to ensure that these policies and procedures have been communicated to everyone within the organization.

5. Evaluate Breach Notification Policies and Procedures

Lastly, covered entities and business associates need to evaluate their breach notification policies and procedures. Covered entities should review the content of their breach notification to patients who have been affected to ensure that the notice includes the required elements.

If you’re finding yourself stressing about whether you are prepared for a potential Phase 2 HIPAA Audit from the OCR and don’t know where to begin, we’re here to help. Contact us today for information about our HIPAA Risk Analysis, Audit, and Policy and Procedure development.