PCI Requirement 9.1 – Use Appropriate Facility Entry Controls to Limit and Monitor Physical Access to CDE

by Randy Bartels / May 31, 2023

Limit and Monitor Physical Access

Applying the appropriate physical security and facility entry controls is vital to complying with PCI Requirement 9.1, which states, “Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.” Wherever your cardholder data lives, it must be protected. Complying with PCI Requirement 9.1 comes in two parts: limit and monitor. Your organization must limit physical access to…

PCI Requirement 9 – Restrict Physical Access to Cardholder Data

by Randy Bartels / May 31, 2023

Why Should I Restrict Physical Access to Cardholder Data?

What would happen if your organization had no physical access controls protecting cardholder data? Made no effort to restrict physical access to cardholder data? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable,…

Understanding Your SOC 1 Report: Auditor’s Test of Controls

by Joseph Kirkpatrick / December 20, 2022

The Auditor’s Test of Controls: Review, Observe, and Interview

At the end of a SOC 1 Type II report, you’ll find a section titled “Information Provided by the Independent Service Auditor.” Within this section, you will find “Auditor’s Test of Controls,” which is a description of the controls that were tested during the audit, the procedures used for testing these controls, and the results of the testing. The test of controls…

Understanding Your SOC 1 Report: Audit Risk, Control Risk, and Detection Risk

by Joseph Kirkpatrick / December 20, 2022

Driven by Risk

An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive…

Understanding Your SOC 1 Report: Determining your Audit Period

by Joseph Kirkpatrick / December 20, 2022

Operating Effectively Over a Period of Time

When considering pursuing a SOC 1 Type II report, there’s a new element to consider: determining your audit period. It’s important to remember that a SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. However, unlike a Type I report,…