Onsite Audits for Cloud Environments

Do you provide cloud solution services? Or, does your organization utilize the services of cloud providers? At KirkpatrickPrice, we understand that it’s important to recognize the value of cloud environments and technology, while also understanding the risk that is coupled with storing data in the cloud. Whether you provide the cloud service or use it for your business, you should know that the services are secure – and that includes auditing both the virtual and physical environments used to provide cloud services. In this webinar, KirkpatrickPrice Lead Practitioner, Mike Wise, discusses why onsite visits are the smart choice for cloud environments.

Why Onsite Audits are Necessary for Cloud Environments

The assumption that everything is based in the cloud is simply not true. Not only is it inaccurate, it is harmful to an organization to believe an onsite analysis of its security controls is a waste of time. While your data may be stored in the cloud, your physical security processes, onsite technologies, and personnel who process the data are not in the cloud. Think about it: how many processes related to your cloud environment aren’t actually in the cloud? For example:

  • You can’t manage the cloud from the cloud. Who is responsible for managing it? Where does that oversight take place? How is it secured?
  • Development and DevOps activity don’t take place in the cloud. How do you ensure that the changes you’re making to your cloud environment are secure? Who is in charge of overseeing changes and implementation?
  • Human resources, onboarding, training, team meetings, stand-ups – they don’t take place in the cloud. How are you training your personnel about cloud security?
  • Governance and compliance don’t take place in the cloud. How could this impact the security of your cloud environment?

Overcoming the misconception that everything is in the cloud is necessary if you want to make sure that the cloud environment your organization uses is secure. To learn more about why onsite audits are necessary for cloud environments, about shifting the risk when migrating to the cloud, and about how different cloud models impact your security efforts, download the full webinar now or contact us today to speak to one of our cloud experts.

5 Ways to Prepare for Your Onsite Visit

At KirkpatrickPrice, we’re committed to helping our clients get the most out of their information security engagements with us. That’s why we insist that our audits include an onsite visit. It’s part of performing our due diligence and testing. So, what happens during an onsite visit? How can organizations calm their nerves and prepare for an onsite visit?

What Happens During an Onsite Visit?

Once an organization has completed about 80% of their Online Audit Manager responses, we schedule an onsite visit. During this 3- to 4-day visit, an auditor has three tasks: interview, review, and observe. The auditor will interview the personnel responsible for various activities, physically test your networks, systems, and devices, and observe your company culture. While this process may seem straightforward, we understand that having an auditor come onsite can be stressful and nerve-racking. What exactly are auditors looking for? Who will they talk to? What will they ask? Let’s take a look at how organizations can prepare for an onsite visit.

How Can I Prepare My Organization for an Onsite Visit?

Every organization is different when it comes to onsite visits: levels of preparedness differ, the buy-in from personnel differs, and even the resources needed to get through the onsite visit differ. Regardless, every organization can proactively set itself up for success by implementing the following five practices to prepare for an onsite visit.

1. Relax! Remind Yourself Why You’re Doing This Audit

The goal of compliance, and especially the onsite visit, is to make your organization stronger. Auditors aren’t there to get you fired. An auditor finding vulnerabilities doesn’t mean you’ve failed – finding vulnerabilities is the only way an auditor can help you! It means that you’re receiving a thorough audit – one that will only strengthen your security in the long run. Before your onsite visit begins, remember to relax and remind your personnel what this audit means to your organization. Does it mean more revenue? Bigger clients? New industries? New locations? To home in on the value of compliance, you might consider sending out a company-wide email prior to the auditor coming onsite, similar to this one our client sent out. This is something that acknowledges how all employees play a role in compliance, explains what compliance means for your organization, and provides reminders of what not to do when an auditor is onsite.

Audit Week - How Can I Prepare My Organization for an Onsite Visit?

2. Ask Questions, Voice Concerns

At KirkpatrickPrice, we know that undergoing any type of information security audit is difficult and stress-inducing. Oftentimes, clients have questions, concerns, and even fears going into the onsite visit – and we want to reiterate that we are always here to help. Before the onsite visit, then, ask your questions and voice your concerns. Our auditors can’t answer questions that never get asked or address concerns that are never shared. This level of transparency builds our relationship and will only help the success of your audit.

3. Review the Agenda

The best auditors will supply you with an agenda of topics prior to the onsite visit, so be sure to work with your auditor to ensure that you have the right personnel lined up to speak to the auditor. This will help prevent any confusion or stress when the auditor comes onsite. If your staff knows when they’ll be interviewed, they’ll be much more prepared.

4. Involve Senior Management

At every stage of an information security engagement, senior management involvement is extremely important, and this is especially true when it comes to the onsite visit. The best auditors will be sure to hold briefings with all involved in the audit at both the start and finish of the onsite engagement. This gives the auditor the opportunity to address questions about timeline, expectations for the group, any issues in need of attention, as well as any other notable findings. If senior management is not involved during this process, critical information could be missed, which could prolong the engagement or prevent your organization from receiving your report on time.

5. Develop a Method for Tracking Action Items

Whether it’s during the onsite visit or afterwards, there will be a number of items on which the auditor may ask for more information, such as logs, files, reports, etc. Most organizations will utilize Excel or other GRC software, but at KirkpatrickPrice, we’ve developed our own online tool for tracking action items. Using a tool like KirkpatrickPrice’s Online Audit Manager can facilitate the process across various time statuses and compliance frameworks.

The Online Audit Manager - Develop a Method for Tracking Action Items

Have more questions about our audit process? Want more information on how to prepare for your next onsite visit? We’re here to help! Contact us today to speak to one of our Information Security Specialists.

Why Onsite Visits are the Smart Choice for Cloud Environments

The National Institute of Standards and Technology, NIST, defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud computing is both a transformative and disruptive technology that provides an opportunity to rethink the way organizations fix problems that have been around for a long time. It’s important to recognize the value cloud environments can bring to the table, while also understanding the risk that is coupled with storing data in the cloud.

The assumption that everything is based in the cloud is simply not true. Not only is it inaccurate, it is harmful to an organization to believe an onsite analysis of its security controls is a waste of time. While your data may be stored in the cloud, your physical security processes, onsite technologies, and personnel who process the data are not in the cloud.

Risky Business in the Cloud

The 2019 Cloud Adoption and Risk Report from McAfee reports that 48% of all files in the cloud are eventually shared. The risk that is inevitably borne out of cloud computing increases with the amount of sensitive data that is stored. While your organization can work to minimize risk from the inside, the best way to reduce security threats is to have an independent auditor reviewing an organization’s controls onsite.

While some organizations believe an onsite visit for a company that works in the cloud is pointless, at KirkpatrickPrice, we know there are many moving parts to an organization with a cloud environment that need to be reviewed onsite. Although your data may be stored in the cloud, there are security measures that should be in place to protect access to the cloud.

Onsite Security for a Cloud Environment

Physical security practices must be implemented to mitigate the risk that cloud computing brings to an organization’s data. There are physical security processes auditors review during an onsite visit that an organization should be aware of:

  • Employee Operations: How does sensitive data get into the cloud? Who processes the information and manages updates to data? How often do your employees access the data stored in the cloud?
  • Physical Security: Do you have badges, biometric access controls, or security guards that allow access into your organization’s secure areas? Do your employees understand your physical security controls and use them properly?
  • Identification and Authentication: Who has access to the cloud? What multi-factor authentication processes are in place to properly identify personnel with access?

An auditor needs to review and monitor these security controls as they happen on an everyday basis. It’s a necessary component of a high-quality audit to have an auditor onsite during the audit process, especially for an organization that stores data in a cloud environment. Your organization is still susceptible to harm even with a cloud-based system. Don’t let threats have the upper hand on your organization’s data because you think an onsite visit is unnecessary. Let KirkpatrickPrice perform an audit that will leave you assured in your cloud environment’s security.

Transcript

One of the biggest issues these days is that a company needs to go through an audit, but they’re not willing to bear the expense of an auditor traveling and meeting them in person. The argument that we’re given is, “Well, everything is in the cloud. That’s where our production environment is. There’s nothing to see here, right?” I think ignorance is bliss in that situation. We really like the idea of outsourcing the responsibility to a cloud service provider, but the truth is, everything is not in the cloud. What about your people? What about the processes that you expect your people to follow? What about the locations and the environment that the people work in? What about the data? How did it get into the cloud? Who has access to it? What about the developers and the code they have access to? Wouldn’t you want a qualified, experienced auditor to come inspect your environment and understand how you’re interacting with that cloud service? Last year in the McAfee security report, it talked about how 48% of the files in the cloud are eventually shared. This is one of the primary things we find in our audit. When we come and inspect your processes and what you’re doing, we usually find surprises about where your data resides. Our clients are really appreciative to finally understand how those things are working. Another thing that we find is that you might have some good processes for securely accessing your cloud environment, but sometimes your people will bypass those security controls. They won’t use multi-factor authentication, for example. This is something we want to inspect and work with you on so we can understand the risks that you’re truly facing when you’re interacting with that cloud environment. Be sure to work with a qualified, experienced auditor that’s willing to come and meet you, get to know you, work with you personally, and inspect your environment to identify the risks that you’re actually facing.

6 Steps of a PCI Audit

To protect the security of cardholder data, the PCI Security Standards Council requires organizations that work with payment cards to maintain compliance with the PCI DSS. If you’re an entity that stores, processes, or transmits cardholder data, you may be asking QSA firms, “How do you conduct a PCI audit?” At KirkpatrickPrice, we take a six-step approach in the PCI audit process to help your organization gain PCI compliance.

1. Gap Analysis

How do you conduct a PCI audit? Before you begin a PCI audit for the first time, we recommend going through a gap analysis. A gap analysis helps to identify any administrative, physical, and technical gaps in your information security program; specifically, in the way that you handle cardholder data. Going through a gap analysis allows our senior-level QSAs to understand your business and your level of readiness for a PCI audit. The gap analysis is an important step towards PCI compliance because your QSA can create remediation strategies that will guide you through the PCI audit process and towards compliance. Next, your organization will move on to remediate the findings identified during the gap analysis.

2. Remediation

Are you worried that after a gap analysis, you’ll be left to mitigate areas of non-compliance on your own? Not when you partner with KirkpatrickPrice on a PCI audit. Now that your organization understands its administrative, physical, and technical gaps, a QSA from KirkpatrickPrice will work to develop a detailed remediation plan with findings from the gap analysis and recommendations on proper ways to mitigate areas of non-compliance. The remediation step in the PCI audit process will help your organization to recognize its gaps and remediate those areas for a smoother path towards PCI compliance.

3. Scoping and Planning

You’ve been through weeks of remediation work; what’s next? It’s time to start the PCI audit by verifying the scope of the engagement. We will work with your organization to analyze your services, geographic locations, payment applications, third parties, and other system factors to develop an accurate scope for the PCI audit. The narrower the scope, the more accurate and efficient your PCI audit process will be, so we aim for a detailed and defined scope. The scoping and planning stage prepares the entire engagement team to move to the next step of gathering information.

4. Gathering

At KirkpatrickPrice, we will collect your policies, procedures, and other documentation needed for your PCI audit through the Online Audit Manager. Alongside your designated Audit Support Professional and QSA, you will begin answering questions and describing systems relating to your organization’s internal controls. The Online Audit Manager provides a platform that streamlines the PCI audit process and aids you in completing 80% of the PCI audit before one of our senior-level QSAs even visits your office for an onsite visit. Gathering and preparing data beforehand gives you the opportunity to be more effective with time and communication during your onsite visit.

5. Onsite Visit

How do you conduct a PCI audit? An onsite visit is probably what you envision when thinking about a stereotypical audit. Onsite visits during the PCI audit process are important not only for testing internal controls that cannot be accurately tested remotely, but also for seeing your people and technology in action. We are putting our name, our reputation, and our firm’s reputation on the line when we issue a report – we take that responsibility seriously, and onsite visits are a major part of that responsibility. During the onsite visit, a senior-level QSA, who has been partnered with you throughout the PCI audit process, will observe and test your organization to determine if your processes meet the 12 requirements of PCI compliance.

6. Report Delivery

The final step in the PCI audit process is receiving a Report on Compliance (RoC), which provides you with a detailed report on the results from your PCI audit. To generate RoCs, KirkpatrickPrice has a team of Professional Writers, who are trained and knowledgeable about the PCI DSS, that write high-quality reports. Your report will also go through our Quality Assurance processes to ensure it meets our quality standards. You can take a deep breath knowing your PCI audit was performed by a QSA and a firm that is committed to your organization’s compliance success!

Bonus: How to Market Your PCI Compliance

Going through the PCI audit process can do more than assure your clients that their sensitive data is protected; PCI compliance can also be a powerful tool for your sales and marketing team. How do you take your PCI compliance and market it to prospects and clients? When you work with KirkpatrickPrice, you will receive a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing your recent PCI compliance, copy to use in marketing materials, and advice on how to best market your PCI compliance achievements.

How do you conduct a PCI audit? Now you know how we perform PCI audits at KirkpatrickPrice. Are you ready to work with a QSA firm that partners with you throughout the PCI audit process? Contact us today!

Remote Auditing vs. Onsite Assessments: What Do I Want?

There’s a lot to consider when choosing an audit partner. What does their audit process look like? What kind of services do they offer? How will they help you reach your audit objectives? How much do they charge? Will they perform a remote audit or an onsite assessment? While these are all valid concerns, organizations also have to consider their own intentions behind pursuing compliance: is it required to partner with new business partners? Is it to help strengthen your security posture? Is it just another item to check off on a to-do list? If an organization is looking to partner with a firm that doesn’t come onsite because it’s “easier” or cheaper, KirkpatrickPrice won’t be a good fit for you. At KirkpatrickPrice, we want to partner with organizations to help them meet their compliance objectives, and part of that is performing our due diligence and conducting an onsite visit. Why do many other audit firms advertise that they can effectively conduct an audit 100% remotely? Why do so many organizations loathe an onsite visit? Is there really that big of a difference between a remote and onsite audit?

Why the Difference Matters

For organizations that are just starting out on their compliance journey or for organizations looking for a new audit firm to work with, there’s one critical component that needs to be kept in mind: the audit firm you choose should always perform an onsite assessment. Why? Audit firms who promote remote-only audits are doing you a disservice. And we would know – in 2006, we were the pioneers of the remote audit. However, our remote audit methodology was never intended to eradicate the onsite visit. Instead, we positioned ourselves as a trusted audit partner for helping our clients streamline the audit process and complete 80% of the audit before going onsite.

Licensed CPA firms also have an ethical obligation to perform their due diligence while conducting audits, and we take that obligation very seriously. We are committed to delivering quality audits, which would not be possible if we did not perform onsite visits. Without an onsite visit, an auditor can’t personally experience a company’s culture and integrity, processes, or physical security. For example, when our auditors have gone onsite in the past, they’ve gained access to “secure” locations, plugged into network jacks “hidden” in public spaces, found “protected” cardholder data printed out and stacked into piles in offices, and even found physical holes in walls of data centers due to construction. So, when you’re choosing an audit partner, ask yourself: what are you willing to risk so that your auditor doesn’t come onsite?

Controls that Require an Onsite Assessment

We know that undergoing audits requires a financial, personnel, and time investment from our clients, and we want to help them get the most out of their compliance efforts. Even more so, we want our clients to actually remain compliant, and performing an onsite visit assists us in doing that. Information security frameworks require that an auditor verifies that physical controls are in place to safeguard sensitive data. For example, PCI Requirement 9 says that entities should “restrict physical access to cardholder data.” How will an auditor be able to determine if an organization has implemented physical safeguards to protect their cardholder data environment if they don’t come onsite?

Getting Over the Fear of the Onsite Assessment

The onsite assessment versus remote audit debate really comes down to this: getting over the fear of the onsite visit. Because the audit process can be so rigorous and intimidating, many organizations fall into the trap of fearing the audit process altogether. This has resulted in organizations seeking out those audit firms that “guarantee” that they can deliver “quality” audits without coming onsite. Many of our clients that come to us after working with other information security firms actually enjoy our onsite visits because they can feel good about knowing their auditor. While you may want a remote audit, you need an onsite assessment – it’s critical for ensuring compliance and strengthening your security posture.

If your audit partner isn’t currently performing an onsite assessment, it’s time to rethink that partnership. We know audits can be hard, but don’t take the easy way out. Contact us today to learn more about our commitment to quality, thorough audits and how we can overcome the fear of the onsite together.
