Are You Ready for GDPR Compliance?

by Sarah Harvey / December 20, 2022

Have you been hearing about the General Data Protection Regulation? Do you collect, use, or process personal data of subjects in the European Union? What is GDPR? Who must comply? How can you prepare? Should you complete a GDPR assessment? With the repercussions of data breaches hitting the headlines more often every day, it’s important to understand how this privacy legislation is going to affect your business and to ask…

Understanding Your SOC 1 Report: Audit Risk, Control Risk, and Detection Risk

by Joseph Kirkpatrick / December 20, 2022

Driven by Risk: An information security audit is largely driven by risk. We know that your clients rely upon our opinion; we don’t take that lightly. We will do everything possible to gain reasonable assurance that controls are in place and operating effectively. This is why audit risk, control risk, and detection risk are so important to us. These elements of risk overlap and work together, but they also drive…

Understanding Your SOC 1 Report: Determining your Audit Period

by Joseph Kirkpatrick / December 20, 2022

Operating Effectively Over a Period of Time: When considering pursuing a SOC 1 Type II report, there’s a new element to consider: determining your audit period. It’s important to remember that a SOC 1 Type I and a SOC 1 Type II both report on the controls and processes at a service organization that may impact their user entities’ internal control over financial reporting. However, unlike a Type I report,…

Understanding Your SOC 1 Report: What is Scope?

by Joseph Kirkpatrick / December 20, 2022

So What Is Scope, Anyway? No matter what kind of data you’re protecting – financial information, cardholder data, ePHI – you need to understand where your assets reside and what controls are protecting them. This is why the scoping process is so important. If you don’t know where your data is, how do you plan to protect it? What is scope? How do you determine an accurate definition of scope?…

PCI Requirement 8.8 – Ensure Policies and Procedures for Identification and Authentication are Documented, in Use, and Known to All Affected Parties

by Randy Bartels / February 7, 2023

Identification and Authentication Policies and Procedures: PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your system. PCI Requirement 8 states, “Identify and authenticate access to system components.” In these videos, we’ve discussed authentication mechanisms, user IDs, secure passwords, inactive user IDs, cryptography, administrative access, multi-factor authentication, and more. But as we’ve learned with every PCI DSS requirement, it’s not enough just…