PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management

by Randy Bartels / December 19, 2022

Never Share User IDs and Passwords

PCI Requirement 8.1 focuses on proper user identification management. If there’s no management of users within your system, you’ve lost accountability for the actions that take place within your systems. It’s hard to determine who has taken which actions if you cannot identify users. The PCI DSS states that having uniquely identified users, instead of using one user ID for several employees, allows organizations…

PCI Requirement 8: Identify and Authenticate Access to System Components

by Randy Bartels / May 31, 2023

What is PCI-DSS Requirement 8?

PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems. When the PCI DSS describes system components in its requirements, it’s referring to internal and external networks, servers, and applications that are connected to cardholder data. This could be anything from firewalls to switches to databases. PCI Requirement 8 states, “Identify and authenticate access to system components.”…

Vendor Compliance Management: Carve-Out vs Inclusive Method

by Joseph Kirkpatrick / July 12, 2023

Vendor Compliance Management

As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or…

Understanding Your SOC 1 Report: What is a Gap Analysis?

by Joseph Kirkpatrick / December 19, 2022

A gap analysis is designed to prepare organizations for an audit. If it’s your first time going through an audit (SOC 1, SOC 2, PCI, HIPAA, HITRUST CSF, etc.), KirkpatrickPrice strongly recommends a gap analysis. This is a process of discovery, a chance to find areas of weakness, and an opportunity to gain industry insight. A gap analysis is not an audit. This process will examine your internal controls in…

Understanding Your SOC 1 Audit Report: What are Control Objectives?

by Joseph Kirkpatrick / December 19, 2022

What are Control Objectives and How are They Used in a SOC 1 Audit Report?

A key aspect of a SOC 1 audit report is the concept of control objectives. Control objectives are a series of statements that address how risk is going to be effectively mitigated. According to the PCAOB, “A control objective provides a specific target against which to evaluate the effectiveness of controls. A control objective for…