Blog

Vendor Compliance Management: Carve-Out vs Inclusive Method

by Joseph Kirkpatrick / July 12, 2023

Vendor Compliance Management As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or…

Understanding Your SOC 1 Report: What is a Gap Analysis?

by Joseph Kirkpatrick / December 19, 2022

A gap analysis is designed to prepare organizations for an audit. If it’s your first time going through an audit (SOC 1, SOC 2, PCI, HIPAA, HITRUST CSF, etc.), KirkpatrickPrice strongly recommends a gap analysis. This is a process of discovery, a chance to find areas of weakness, and an opportunity to gain industry insight. A gap analysis is not an audit. This process will examine your internal controls in…

Understanding Your SOC 1 Audit Report: What are Control Objectives?

by Joseph Kirkpatrick / December 19, 2022

What are Control Objectives and How are They Used in a SOC 1 Audit Report? A key aspect of a SOC 1 audit report is the concept of control objectives. Control objectives are a series of statements that address how risk is going to be effectively mitigated. According to the PCAOB, “A control objective provides a specific target against which to evaluate the effectiveness of controls. A control objective for…

PCI Requirement 7.3 – Ensure Policies and Procedures for Restricting Access to Cardholder Data are Documented, in Use, and Known to all Affected Parties

by Randy Bartels / December 19, 2022

Documentation for Restricting Access to Cardholder Data PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. For this requirement, we’ve discussed access control systems, how to define access needs, limiting privileges based on business need to know, and how to further protect your cardholder data environment. But,…

PCI Requirement 7.2.3 – Default “Deny-All” Setting

by Randy Bartels / December 19, 2022

What is a Default "Deny-All" Setting? PCI Requirement 7.2.3 requires that your organization’s access control systems are set to a default “deny-all” setting, which means that no one is granted access, unless it’s explicitly assigned to someone. Some access control systems are set to a default “allow-all” setting, but PCI Requirement 7.2.3 requires yours is set to a default “deny-all” setting. This ensures no one is granted access unless a rule…

Vendor Compliance Management: Carve-Out vs Inclusive Method

Understanding Your SOC 1 Report: What is a Gap Analysis?

Understanding Your SOC 1 Audit Report: What are Control Objectives?

PCI Requirement 7.3 – Ensure Policies and Procedures for Restricting Access to Cardholder Data are Documented, in Use, and Known to all Affected Parties

PCI Requirement 7.2.3 – Default “Deny-All” Setting

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.