Posts Tagged ‘KirkpatrickPrice’

10 Dangerous Risks to Your Server Security

February 27th, 2013
Posted by: admin

GUEST BLOG

By Sarah Morris
KirkpatrickPrice

Security. That’s usually the first thing on the minds of those in the IT world. To keep up with changing technologies, we are constantly revising and improving our security standards so that we can stay one step ahead of malicious attackers in defending our confidential information.

Royce Howard, of Global Knowledge, offers some tips about the 10 most dangerous risks to your server. These tips are worth remembering when developing and securing your IT infrastructure.

1. Physical Attacks. Make sure no one has unauthorized physical access to your server. Server rooms should be kept secure, and sensitive data should be encrypted.

2. Password Policies. Require complex passwords and change passwords every 90 days.

3. Privileged Accounts and Social Engineering. Many of these vulnerabilities can be mitigated by removing administrator rights from accounts that do not need them.

4. Email Attacks. Beware of phishing emails. Never open an email from an untrusted source, and avoid clicking on links in emails.

5. Worms. Worms are self-replicating programs that copy themselves from machine to machine, consuming processing time and bandwidth as they spread.

6. Increasingly Malicious Malware. Scheduling regular scans helps detect and block malware and spyware.

7. Unauthorized Network Access. Network Access Control (NAC) and Network Access Protection (NAP) can control whether a host is admitted to the network, using a set of protocols to define and enforce a security policy.

8. Not Updating Patches. Automatic installation of patches helps avoid threats that target known vulnerabilities.

9. 3rd-Party Applications. Review the security practices of 3rd-party vendors and of applications from independent developers, and track the exploits that affect them.

10. The Human Factor. People are the weakest link in security initiatives. Develop strong policies and procedures so that people are prepared.

At KirkpatrickPrice, we have years of experience in information assurance by performing assessments, audits, and tests that strengthen information security controls. Contact us at info@kirkpatrickprice.com for more information on how we can help you in your compliance efforts.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit www.kirkpatrickprice.com.


Top 10 Security Risks Found by Your Auditor

February 21st, 2013
Posted by: admin

GUEST BLOG

By Sarah Morris
KirkpatrickPrice

At KirkpatrickPrice, we strive to provide the proper assurance and resources to help our clients maintain security within their organization. Recently, we held a client webinar focused on the “Top Ten Security Risks” that your auditor finds during your auditing process. Below is a summary of the most common risks that we find.

1. No Formal Policies and Procedures

Formal, written policies and procedures give your employees clarity about what is expected of them. They define each employee’s accountability and establish the necessary training. Information security policies are mandated by the FTC Safeguards Rule, the PCI Data Security Standards, and the HIPAA Security Rule, so they are not optional.

2. Misconfigurations

Configuration standards need to be applied consistently. Organizations should use benchmark configuration standards from a recognized entity such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SANS (SysAdmin, Audit, Network, Security) Institute, or the National Institute of Standards and Technology (NIST).

3. No Formal Risk Assessment

The assessment should cover the assets your enterprise depends on to continue business operations: hardware, software, human resources, and processes (automated or manual). Key considerations are the threats to each asset and the likelihood of a vulnerability being exploited. Threats can be internal (employees, third-party contractors, or partners) as well as external (natural events or social engineering). A proper risk assessment helps you mitigate the risks you actually face.

4. Undefined Incident Response

Incident response depends on clear instructions for how incidents are reported. Build a culture within your work environment that encourages reporting of all incidents the moment they present themselves.

5. Lack of Disaster Planning

Disaster planning ensures that written plans are available for others to follow when key personnel are not. A business impact analysis helps quantify the level of redundancy required. Proactive arrangements should be made to care for staff and to communicate with third parties. Walkthroughs and training scenarios prepare employees to act properly in the event of a disaster.

6. Lack of Testing

Testing applies to every area of your security. If your security is not tested, there is no way to determine whether vulnerabilities are present.

7. Insecure Code

Secure coding is something many companies struggle with. It requires developer training as well as specific development standards and quality assurance.

8. Lack of Monitoring/Audit Trails

Log harvesting, parsing, and alerting methods must be defined so that massive volumes of event logs can be handled efficiently. Responsibility for log review must be formally assigned as part of daily operations. Audit trails should be stored in such a way that system administrators cannot modify them without alerting someone in an oversight role.
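One way to meet that storage requirement, as an added example that is not from the post or from KirkpatrickPrice: each audit record is chained to the previous one with a keyed hash whose secret is held by the oversight role, so an administrator who edits, deletes or reorders records cannot produce matching tags and the change shows up at verification. The sample events, the key and the assumption that the chain is written on a collector host the administrator does not control are all constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (not taken from the original post).
SAMPLE_EVENTS = [
    {"ts": "2013-02-21T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2013-02-21T09:05:12Z", "user": "root", "action": "sudo", "cmd": "vi /etc/shadow"},
    {"ts": "2013-02-21T09:06:40Z", "user": "bob", "action": "login", "result": "fail"},
]

GENESIS = b"\x00" * 32  # tag that the first record chains from


def _canonical(event: dict) -> bytes:
    # Stable serialization so the same event always yields the same tag.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_events(events, oversight_key: bytes):
    """Build a tamper-evident chain: each record's tag is an HMAC over the
    previous tag plus the record body, keyed with a secret held by the
    oversight role (assumed to live on a collector the administrator does
    not control), so a rewritten record cannot simply be re-tagged."""
    records, prev = [], GENESIS
    for event in events:
        tag = hmac.new(oversight_key, prev + _canonical(event), hashlib.sha256).hexdigest()
        records.append({"event": event, "tag": tag})
        prev = bytes.fromhex(tag)
    return records


def verify_chain(records, oversight_key: bytes):
    """Return (True, None) if every link checks out, otherwise (False, i) with
    i the index of the first record whose tag does not match. Edits, deleted
    middle records and reordering all break a link; truncation of the tail is
    only caught by comparing the final tag with the one the oversight role last
    recorded, which the caller must do separately."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(oversight_key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = bytes.fromhex(rec["tag"])
    return True, None
```

The oversight role should periodically record the latest tag out of band, since a chain cut off at the end still verifies on its own.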

9. Data Leakage

Questions that are often overlooked: Where is the data located, and how long should it be retained? How is encryption implemented and verified? How is access to data granted and audited? These points all matter, and if they are not addressed they can keep you from complying with federal and industry standards and regulations.

10. Lack of Training

A lack of training can prove to be a striking blow to the security of your organization. Employers should recognize the importance of properly training all employees on safety and security best practices. Standards and guidelines should be clearly set and determined in each organization. Several training opportunities are offered through KirkpatrickPrice to properly train you and your company on the basics of security awareness, awareness for managers, awareness for IT professionals, and awareness for credit card handling.

Determining your individual risks is the first step toward the mitigation process. Maximum security of your sensitive information is KirkpatrickPrice’s number one priority.

If you’re ready to get started with your assurance process, you’ve come to the right place. We’re ready to help. Let’s work together.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit www.kirkpatrickprice.com.


Why Is Compliance in the Cloud Important?

May 7th, 2012
Posted by: Donna Hemmert

GUEST BLOG

By Joseph Kirkpatrick
Managing Partner, KirkpatrickPrice

The world’s digital infrastructure is a constantly growing industry. This is why the use of data centers has become exceedingly popular. What is the scary thing about collecting and storing highly sensitive information? The risk of a security breach.

When a company uses a data center, such as for cloud computing and hosting, it is important that they are aware of the security of their organization’s data, especially because data centers oftentimes outsource to other vendors. What does this mean to you? It means those vendors may also have access to your data. This is why cloud hosting providers must comply with all applicable privacy laws when it comes to keeping data secure during the collection, storage and use of your sensitive information.

How is compliance measured? Compliance is measured by how well organizations meet the data security standards and regulations that are meant to help you keep your information confidential and secure. Using data centers is a sound choice as long as you are sure your service provider is complying with these industry-accepted security standards and regulations. Companies that comply with SSAE 16, the PCI Data Security Standards, and the Trust Services Principles and Criteria have already taken these steps and have been audited by third parties, such as Certified Public Accountants (CPAs) and Qualified Security Assessors (QSAs).

So, what steps should you be taking? Start taking your organization’s security into consideration and ensure compliance in the cloud.


SSAE 16 Type II Compliance: The New High Bar for Hosting

November 1st, 2011
Posted by: admin

SSAE 16 Type II

What does it mean to be SSAE 16 Type II-compliant?

By Jay Atkinson
AIS Network CEO

Goodbye, SAS 70. Hello, SSAE 16.

SSAE 16? That’s somewhat new terminology among hosting providers and their customers and investors. SSAE 16 certification has officially replaced the SAS 70 certification process.

This week, AIS Network announces its favorable completion of the SSAE 16 Type II audit, which was conducted by the independent auditing firm KirkpatrickPrice, LLC. AISN is now “SSAE 16 Type II compliant.”

So, of what significance to hosting customers is the switch from SAS 70 to SSAE 16? And why now?

SAS 70: A Brief History

For almost 20 years, hosting customers who were required to comply with stringent regulatory or auditing standards actively sought out hosting services providers that had completed SAS 70 (more formally known as the U.S. Statement on Auditing Standards No. 70) infrastructure and internal control examinations by independent auditors.

Until mid-June, SAS 70 was the leading standard for assurance reports for hosting providers and other service organizations. Customers and investors relied upon independent auditors’ SAS 70 reports to understand what internal controls a hosting provider used and to gain confidence that the hosting provider was implementing those controls properly.

But while a SAS 70 auditing report was helpful in providing transparency to customers or investors who needed certain assurances about a hosting provider’s internal controls, the audit itself lacked consistency with international standards. Moreover, there was no standard or set of criteria for hosting companies to use in defining their internal controls for the purpose of the SAS 70 audit.

SSAE 16: Setting the Bar Higher

This spring, a new standard took effect for U.S.-based colocation, cloud, managed hosting and other services providers — the Statement on Standards for Attestation Engagements No. 16, the SSAE 16.

Created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the SSAE 16 replaces the SAS 70 for periods ending after June 15, 2011.

Why a new standard? Largely, SSAE 16 reflects AICPA’s efforts to converge the U.S. auditing standard with the international standard (not merely regional or national standards) and, in the process, to set a higher bar by refining the procedures for auditing a service provider’s internal controls.

SSAE 16 mirrors more closely the international audit standard, known as the International Auditing and Assurance Standards Board (IAASB) International Standard on Assurance Engagements 3402 (ISAE 3402). It also levels the playing field for companies by adding a new attestation standard and two more Service Organization Control (SOC) reports, all of which allow independent auditors to audit service providers more consistently – and with a standard set of criteria. For more details, see AICPA’s discussion of SSAE 16 audits.

As with the SAS 70 audit reports, the SSAE 16 audit reports come in two flavors: Type I and Type II. According to the standards put forth by AICPA, Type I reports document the independent auditors’ opinion regarding the design of controls as of a set date. Type II reports go further; they include the Type I criteria and also audit the effectiveness of the controls over a minimum six-month period. AISN, for example, has an SSAE 16 Type II report because it provides the highest level of assurance.

So what’s new about the SSAE 16? Like the SAS 70, SSAE 16 still reports on controls related to security, availability, confidentiality, processing integrity and privacy. However, the primary difference between SAS 70 and the SSAE 16 is that SSAE 16 includes a new attest standard (not a new audit standard), which requires the auditor to include in its report the hosting company management’s written description (“attestation”) of the design and operating effectiveness of the internal controls to be audited and the suitable criteria used for its assessment. A similar requirement is made of any subservice organization (for example, a data center) involved in the audit.

How will SSAE 16 impact the hosting industry? Most top-tier hosting providers have already implemented internal controls around security, availability, confidentiality, processing integrity and privacy. They have also likely gone through the SAS 70 auditing process more than a few times. For them, transitioning to the higher SSAE 16 standard will be painless. However, the transition may prove more challenging for competitors that set less stringent controls during previous SAS 70 audits.

What does this mean for customers or investors with Sarbanes-Oxley Act (SOX) requirements? In a word, accountability. The fact that a hosting company’s management must now make certain written attestations about their internal controls – and then include those in the independent auditors’ report – further underscores that they must take full responsibility for the controls in operation.

In this way, SSAE 16 is better aligned with SOX, which primarily impacts publicly traded companies and those who service them. SOX mandates that a publicly traded company’s management team be held accountable for the veracity and completeness of its financial report attestations. To achieve this, the company must have quality internal controls in place.

By using an SSAE 16-compliant hosting provider, the company is assured that the hosting company, which is more than likely hosting their mission-critical data, also maintains the same level of accountability. The independent auditor’s SSAE 16 report essentially saves the SOX-affected customer the trouble of auditing the hosting company’s critical internal controls for SOX compliance.

What is the future of SSAE 16? We at AISN applaud the transition from SAS 70 to SSAE 16. It represents a more meaningful audit standard that:

  • achieves parity with international standards and helps us better meet our international customers’ needs,
  • enhances our ability to provide customers with assurances about our internal controls, and
  • sets the bar higher for accountability and professionalism within our industry.

Be sure to check out AISN’s SSAE 16 Type II certification statement. If you have any questions, we’d love to hear from you. Contact us!
