The Scope Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Randy Bartell, Vice President of Security at Kirkpatrick Price. The conversation focuses on the concept of scoping in cybersecurity and compliance—specifically how organizations determine which systems, people, and processes must be protected. Randy shares his background, explaining that he began his career in the late 1990s after earning a computer science degree and chose to pursue cybersecurity because of its dynamic nature and focus on protecting systems from threats.
What Is Scope?:
Scope refers to identifying which parts of an organization—its systems, data, people, and processes—must have security controls applied. It defines the boundary of what must be protected under a given framework, such as PCI, HIPAA, or SOC 2. At its core, scoping is about determining where sensitive data exists and ensuring appropriate protections are in place.
What Does Scoping Look Like Up Close?:
For Data: Scoping begins with understanding the type of data being protected. Different frameworks focus on different data types. For example, PCI focuses on credit card data, while HIPAA focuses on protected health information. Identifying the data determines the scope of controls required.
For Organizations: Businesses must analyze where data is created, processed, stored, or transmitted. This includes mapping out systems and processes that interact with the data, often using tools like data flow diagrams to track how information moves across the organization.
What Are the Key Components of Scope?:
People: Any individual who interacts with sensitive data—or can impact its security—is part of the scope. Even if someone does not directly access data, their role in maintaining systems or controls can place them within scope.
Processes: Business processes that involve handling or supporting sensitive data must be included. This includes activities like capturing, processing, and transmitting information.
Technology: Systems that store, process, or transmit data are in scope. Additionally, supporting technologies—like firewalls, authentication systems, and infrastructure—are also included because they impact the overall security environment.
What Are the Biggest Gaps in Scoping?:
One of the most common gaps occurs when organizations overlook where data actually exists. For example, sensitive data may be stored in unexpected places, such as testing environments, scanned documents, or employee-created spreadsheets. These overlooked areas can create major vulnerabilities if not properly secured.
Another gap is assuming that only primary systems need protection. In reality, supporting systems and users who can influence security must also be included, even if they never directly interact with the data itself.
How Do We Determine What Is In Scope?:
Organizations start by identifying where sensitive data is handled—whether it is created, processed, stored, or transmitted. They then evaluate every person, process, and system connected to that data. Additionally, they assess whether any supporting technology could impact the security of that data, such as network controls or authentication systems.
A key question often used is: “What could happen if this system or device were compromised?” If the answer indicates potential risk to sensitive data, it must be included in scope.
How Do We Determine What Is Out of Scope?:
To determine what is out of scope, organizations must prove that certain people, systems, or processes have no interaction with sensitive data and no ability to impact its security. This often requires demonstrating strong segmentation or isolation, such as using network controls to prevent communication between in-scope and out-of-scope systems.
If a system cannot access or influence sensitive data—and cannot be used as a pathway to reach it—it can be considered out of scope.
Why Is Network Segmentation Important?:
Network segmentation (or isolation) is critical for limiting scope. By separating systems and preventing unauthorized communication, organizations can reduce the number of assets that require strict controls. This helps lower risk while also minimizing the cost and complexity of compliance efforts.
How Do Cloud Environments Impact Scope?:
In cloud environments, scope must still be clearly defined. Not everything in “the cloud” is automatically in scope. Organizations must identify specific accounts, subscriptions, or resources and ensure proper isolation between them. Cloud providers offer tools to segment environments, but it is the organization’s responsibility to properly configure and enforce those boundaries.
What Are Real-World Examples of Scoping Issues?:
Organizations often discover unexpected scope issues during assessments. For example, sensitive data may be scanned and stored in file systems without being considered in scope, or employees may maintain spreadsheets containing regulated data outside of controlled systems. These situations highlight how easily scope can expand beyond what was originally intended.
What Is the Best Advice for Managing Scope?:
Scoping is not a one-time activity. Organizations should continuously reassess and validate their scope, as systems, processes, and business operations evolve over time. Asking thorough questions, investigating how data is used, and routinely reviewing scope are essential practices for maintaining effective security and compliance.
Notes
The Scope Episode
In this episode, host Allie Krings sits down with Randy Bartels, VP of Security Services, to get the real scoop on Scope—one of the most misunderstood (and most critical) parts of an audit. What’s included in scope? What’s not? And is everything really just “in the cloud”? Randy breaks down common misconceptions, explains why scope matters more than most organizations realize, and shares how clearly defining it upfront can save time, stress, and surprises during an audit. Whether you’re preparing for your first audit or looking to make your next one run more smoothly, this conversation offers practical insight and clarity you won’t want to miss.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. Join Our Cybersecurity Mission. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.
Send a Question
Do you have a question for our podcast? Send it to us here.