Notes from the Field: Center for Internet Security Control 08 – Audit Log Management

by Greg Halpin / August 16, 2023

During a recent SOC 2 Gap Assessment with a medical billing company, the IT Manager and I discussed the logging and alerting tools the organization had in place. He explained that the company uses the default logging settings and capabilities of the operating systems, applications, and network gear. However, they didn't configure any alerts. The IT team reviewed logs when there was a problem but did not conduct regular reviews.…

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

by Tori Thurmond / August 29, 2023

As of 2022, 83% of organizations have had more than one data breach, costing those organizations millions of dollars in damages. In today's cyber-landscape, companies are no longer wondering if they will ever experience a breach but when a breach will occur. Developing an Incident Response Plan is imperative for when an organization thinks they may have experienced a data security breach or security incident. One of the most important…

What Are the Penetration Testing Steps?

by Tori Thurmond / January 8, 2024

If your organization or technology hasn’t gone through a penetration test or security testing before, you may not know what to expect. Even if you have, maybe you’re wondering what KirkpatrickPrice’s methodology and stages of penetration testing are. Once you know what to expect, you can reap the benefits of the more in-depth process with additional analysis by certified ethical hackers. At KirkpatrickPrice, there are seven stages of penetration testing.…

Conducting Incident Response Plan Table Top Exercises

by Tori Thurmond / July 10, 2023

So, your Incident Response Plan looks good on paper – it’s been mapped, planned, and documented. But has it been tested? Will it actually work? According to the 2022 IBM Cost of a Data Breach Report, organizations that had an incident response (IR) team in place and tested their incident response plan had an average of $2.66 million lower breach cost than organizations without an IR team and that didn't…

Notes from the Field: Center for Internet Security Control 7 – Continuous Vulnerability Management

by Greg Halpin / July 10, 2023

This is the seventh in a series of posts that expert auditor Greg Halpin is writing on the Center for Internet Security (CIS) Controls (Version 8); this one discusses vulnerability management. As a reminder, the CIS Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. In this post Greg discusses what he sees in his work…