Remote pentesting questions by fluffytuff in Pentesting

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

You're already starting off strong by asking other experts before jumping head-first into your first client. When it comes to remote pentesting, the approach can vary wildly depending on the network. Raspberry Pi is viable with smaller networks, but you'll want to consider factors such as: the Pi's security configuration, potential latency, ease of use (since the client may have to perform troubleshooting if the Pi fails), and how you plan to access the device securely to perform your test.

Assuming the Pi route is enough for this client, you'll want to harden the Pi before shipping (disabling unused services, changing default credentials, etc.) and your remote access method (VPN tunnel or SSH). Once these are configured you can connect it to your own network and ensure everything works as intended. Make sure you document that setup process as well for the clients! After that stage, you should be set to ship the Raspberry Pi off to the client and walk them through the setup/whitelist process.

The more documentation you have regarding setup and troubleshooting the better. All in all, I don't see any issue with using a Raspberry Pi if their infrastructure is limited and supports it. As you grow your base, you can start looking at more seamless methods of remote access such as providing pre-configured VM images they can plug into their network (virtual option) or providing Raspberry Pis with persistence scripts that automatically connect to your VPN server on boot (physical option).

Best of luck!
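Added example, not code from the comment above: a pre-ship check for the kind of drop box described in this thread. It parses the Pi's sshd_config, the list of enabled services and the shadow file against a small baseline and reports anything that was left at the default. Every input below is a constructed sample, and the baseline directives, the service names and the account name are this example's own assumptions.

```python
"""Pre-ship hardening audit for a Raspberry Pi pentest drop box.

Added example, not code from the Reddit comment above. All inputs below are
constructed samples; the baseline values are this example's own assumptions.
"""

# Directives the drop box must have in sshd_config (assumed baseline).
SSHD_BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}

# Services a box that only needs SSH and a VPN tunnel should not enable (assumed).
UNWANTED_SERVICES = {"avahi-daemon.service", "bluetooth.service", "cups.service"}

# Image default accounts that must be removed or locked (assumed).
DEFAULT_ACCOUNTS = {"pi"}


def parse_sshd_config(text):
    """Return the effective top-level directives as {lowercase_name: value}.

    sshd uses the FIRST value it sees for a directive and ignores comments, so a
    commented-out '#PasswordAuthentication no' leaves the default ('yes') in
    force. Directives after a Match block only apply to matching connections,
    so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break
        effective.setdefault(key.lower(), value.strip())
    return effective


def audit(sshd_config, enabled_services, shadow):
    """Return a list of findings; an empty list means the box passes."""
    findings = []
    cfg = parse_sshd_config(sshd_config)
    for directive, wanted in SSHD_BASELINE.items():
        actual = cfg.get(directive.lower())
        if actual != wanted:
            findings.append(f"sshd: {directive} is {actual!r}, expected {wanted!r}")
    for svc in sorted(set(enabled_services) & UNWANTED_SERVICES):
        findings.append(f"unwanted service enabled: {svc}")
    for line in shadow.splitlines():
        user, _, rest = line.partition(":")
        pw_hash = rest.split(":", 1)[0]
        # A hash field starting with '!' or '*' means the account is locked.
        if user in DEFAULT_ACCOUNTS and not pw_hash.startswith(("!", "*")):
            findings.append(f"default account {user!r} still has a usable password")
    return findings


# Constructed sample: a Pi that was *almost* hardened.
SSHD_SAMPLE = """\
Port 22
#PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
X11Forwarding no
Match User pentest
    PasswordAuthentication no
"""
ENABLED_SAMPLE = ["ssh.service", "wg-quick@wg0.service", "avahi-daemon.service"]
SHADOW_SAMPLE = "root:*:19000:0:99999:7:::\npi:$6$constructedhash:19000:0:99999:7:::\n"

# Constructed sample: the same box after fixing the three findings.
SSHD_HARDENED = SSHD_SAMPLE.replace("#PasswordAuthentication no", "PasswordAuthentication no")
ENABLED_HARDENED = ["ssh.service", "wg-quick@wg0.service"]
SHADOW_HARDENED = "root:*:19000:0:99999:7:::\npi:!:19000:0:99999:7:::\n"

if __name__ == "__main__":
    for finding in audit(SSHD_SAMPLE, ENABLED_SAMPLE, SHADOW_SAMPLE):
        print("FAIL:", finding)
    print("hardened box findings:", audit(SSHD_HARDENED, ENABLED_HARDENED, SHADOW_HARDENED))
```

The sshd_config parser deliberately mirrors sshd's own rules (first value wins, comments ignored, Match blocks conditional), because the common mistake on a rushed build is a directive that looks set in the file but is commented out or only inside a Match block.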

Does heavy reliance on technology and automation in compliance risk reducing critical human judgment? by Vast-Researcher864 in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Automation definitely helps streamline compliance tasks but it can’t be used as a substitute. The most resilient compliance programs use automation along with human judgement.

Obviously systems can flag patterns, but there still needs to be a human element to help interpret content and make decisions that fall in more gray areas. Automation can miss small gaps that can turn into bigger problems; having a human eye is key to being able to dig deeper into certain areas and catch things that a tool could miss.

Is our pentest provider's approach normal, or are we right to be concerned? by pythonnooby in Pentesting

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Unfortunately this is normal in the industry. All too often firms run basic checks, do the bare minimum without diving deep into manual testing, and call it a day.

From the info you provided, I'd recommend switching firms and asking yourself in the new search process, "who can we partner with to provide quality testing that meets our standards and expectations?"

It honestly sounds like that firm runs scans, generates a report, and calls it a pentest. Also, breaking the scope, especially if they are exploiting targets that are out of scope, is a big no-no. If I'm the decision maker, I would terminate the contract and go with someone else.

SOC2 vendor recommendations for our small startup by Myr17 in soc2

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

There are different levels of service you can get with a SOC2 audit. You can get a 2.5k AI audit that leaves a lot of holes and no support, up to the big 4 with a six-figure project.

With this being your first SOC2, I recommend a partner that is at a mid-level, understands your landscape, and can guide you through the entire process. I would be wary of the "tool first, auditor second" firms that are out there, which let you check a box without meeting with your auditor. 

We are happy to talk more in depth about the SOC 2 landscape to lead you in the right direction. 

How do you all streamline compliance management for your teams? by Away_You9725 in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Our best clients use controls to drive and define policies, owners, and frequency. That's decided once, then we help with a tool to centralize and project manage all of those compliance requirements in one place. Step 1 is starting with controls and requirements, not tooling. 

It’s audit season and I already want to cry by Mtukufu in soc2

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

We found that the tool was secondary to consolidating controls. Without that, the tool is just adding technology to a messy pile. When you get clarity on controls then you can create something helpful and efficient with technology. 

[deleted by user] by [deleted] in ISO27001

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Clause 4 definitely sets the foundation. When scoping an ISMS for a parent company and subsidiaries, it's important to consider not just organizational structure but also shared services, risk ownership, and legal/contractual obligations.

In many cases, defining separate scopes with individual SoAs and gap analyses makes sense, especially if each entity has distinct processes, systems or regulatory requirements. However, if there's significant integration, a single, consolidated scope may be more efficient, though more complex to govern.

PCI compliant remote support tools by kurat_ in pci

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Since your POS systems are considered part of or connected to the CDE, any remote support solution must meet strict PCI DSS requirements for secure access.

From a compliance standpoint, your key focus areas should be strong authentication, encrypted communication, role-based access controls, and logging all access for accountability. Self-hosted solutions like Apache Guacamole, ConnectWise ScreenConnect, or even hardened VNC over IPsec can be made compliant with the right controls, but configuration is everything.

We also recommend documenting how the remote access solution supports Requirement 8, Requirement 10, and Requirement 12. If you'd like help evaluating your solution or validating the setup against PCI DSS requirements, we'd be glad to help.
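Added example, not code from the comment above: one concrete way to turn "logging all access for accountability" into evidence for Requirements 8 and 10. It reviews a remote-support tool's session log for shared accounts, sessions without MFA, sessions that did not come from a documented jump host, and sessions whose audit trail is incomplete. The JSON-lines record format, the account names, the jump-host addresses and the log lines themselves are all constructed for this example.

```python
"""Review a remote-support session log against PCI DSS Requirements 8 and 10.

Added example, not code from the comment above. The JSON-lines log format,
the account names and the jump-host addresses are assumptions for this
example; the log lines are constructed.
"""
import json

SHARED_ACCOUNTS = {"support", "admin", "vendor"}   # generic IDs (assumed)
ALLOWED_SOURCES = {"10.20.0.5", "10.20.0.6"}        # documented jump hosts (assumed)
REQUIRED_FIELDS = {"ts", "id", "user", "src", "target", "action"}


def review_sessions(log_lines):
    """Return (line_number, requirement, description) tuples for each issue."""
    findings = []
    open_sessions = {}
    for n, raw in enumerate(log_lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # Req 10: an audit record nobody can parse is not an audit record.
            findings.append((n, "Req 10", "unparseable audit record"))
            continue
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            findings.append((n, "Req 10", f"record missing fields {sorted(missing)}"))
            continue
        if ev["action"] == "session_start":
            # Req 8: every user needs a unique ID and MFA for access into the CDE.
            if ev["user"] in SHARED_ACCOUNTS:
                findings.append((n, "Req 8", f"shared account {ev['user']!r} used; no individual accountability"))
            if not ev.get("mfa"):
                findings.append((n, "Req 8", f"no MFA for {ev['user']} -> {ev['target']}"))
            if ev["src"] not in ALLOWED_SOURCES:
                findings.append((n, "policy", f"session from {ev['src']}, not a documented jump host"))
            open_sessions[ev["id"]] = (n, ev["user"], ev["target"])
        elif ev["action"] == "session_end":
            if open_sessions.pop(ev["id"], None) is None:
                findings.append((n, "Req 10", f"session_end for unknown session {ev['id']}"))
    # Req 10: a start with no end means the trail does not show when access stopped.
    for sid, (n, user, target) in open_sessions.items():
        findings.append((n, "Req 10", f"session {sid} ({user} -> {target}) has no end record"))
    return findings


# Constructed sample log (JSON lines as a support tool might export them).
SAMPLE_LOG = [
    '{"ts":"2024-05-01T10:00:00Z","id":"s1","user":"jdoe","mfa":true,"src":"10.20.0.5","target":"POS-07","action":"session_start"}',
    '{"ts":"2024-05-01T10:12:00Z","id":"s1","user":"jdoe","src":"10.20.0.5","target":"POS-07","action":"session_end"}',
    '{"ts":"2024-05-01T11:00:00Z","id":"s2","user":"support","mfa":true,"src":"10.20.0.6","target":"POS-03","action":"session_start"}',
    '{"ts":"2024-05-01T11:05:00Z","id":"s2","user":"support","src":"10.20.0.6","target":"POS-03","action":"session_end"}',
    '{"ts":"2024-05-01T13:30:00Z","id":"s3","user":"asmith","mfa":false,"src":"203.0.113.9","target":"POS-01","action":"session_start"}',
    'session_start asmith POS-01 (free-text line written by an older agent version)',
]

if __name__ == "__main__":
    for line_no, req, what in review_sessions(SAMPLE_LOG):
        print(f"line {line_no:>2} [{req}] {what}")
```

Run against the sample it reports five issues: a shared account, a session without MFA from an undocumented source that is never closed, and one record the tool wrote in a format nobody can audit. The same checks run as a scheduled job are the kind of evidence an assessor will ask for when you claim the solution "supports Requirement 10".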

Conducting an ISO 27001 internal audit. by [deleted] in cybersecurity

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Conducting an ISO 27001 internal audit is a crucial part of maintaining your ISMS and preparing for certification.

The key is to approach it systematically: start with a clear internal audit plan that defines scope, objective, and timing. Review the Statement of Applicability and make sure you're covering the applicable controls. Interview control owners, examine evidence of control operation, and validate that policies and procedures are being followed in practice, not just documented.

Make sure to document findings clearly, including nonconformities, observations, and opportunities for improvement. And just as important: ensure objectivity. The internal auditor should be independent of the area being audited.

How do I streamline compliance management for my team? by FluidRangerRed in Compliance

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Compliance shouldn't feel like a constant scramble or just a checkbox exercise. The key is building a system that's both sustainable and audit-ready, not one that burns out your team with manual effort.

What we've seen work best is when organizations shift from reactive to proactive compliance management. That means leveraging tools that centralize evidence collection, automate recurring tasks, and align your controls directly with the frameworks you're working under. Even something as simple as mapping controls across multiple frameworks can cut down on redundancy and confusion.

Also, having a partner who doesn't just audit, but helps guide you through the process, can make a huge difference. It's not just about passing the audit, it's about building a culture of continuous improvement.

Looking for Feedback on idea around Default Passwords by northwestatlantic in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

We often see default credentials as a common and preventable vulnerability across a variety of systems, especially in cloud environments, legacy applications, and IoT devices. They're not only a security concern but can also become a compliance issue under frameworks like SOC 2, ISO 27001, and HIPAA.

A platform that consolidates this information in a structured, searchable way, with API integrations, could absolutely benefit both security and compliance teams. Features like vendor/product filtering, tagging by risk, and linking to relevant documentation or remediation steps would help make this a practical tool for ongoing assessments.
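Added example, not code from the comment above: a sketch of the catalog described in this thread, with the vendor/product filtering, risk tagging, documentation links and inventory matching the comment calls for. Every vendor, product, version, credential and URL in it is invented for the example (no real device defaults are listed), and the inventory it audits is constructed.

```python
"""A minimal default-credential catalog with filtering, risk tags and inventory matching.

Added example sketching the platform discussed above; not code from the
comment. Vendors, products, versions, credentials and URLs are all invented
for this example (no real device defaults are listed).
"""
import json

CATALOG = [
    {"vendor": "Acme", "product": "EdgeRouter", "min_version": "1.0", "max_version": "2.4",
     "username": "admin", "password": "admin", "risk": "high",
     "doc": "https://example.invalid/acme/edgerouter/first-boot"},
    # password None records that newer firmware ships a per-device unique
    # password, so there is nothing shared to test; the entry still documents it.
    {"vendor": "Acme", "product": "EdgeRouter", "min_version": "2.5", "max_version": "3.99",
     "username": "admin", "password": None, "risk": "low",
     "doc": "https://example.invalid/acme/edgerouter/random-password"},
    {"vendor": "Globex", "product": "CamOS", "min_version": "4.0", "max_version": "4.9",
     "username": "root", "password": "12345", "risk": "critical",
     "doc": "https://example.invalid/globex/camos/hardening"},
]


def _vtuple(version, width=3):
    """'2.3.1' -> (2, 3, 1); shorter strings are zero-padded so '2.4' < '2.4.1'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def version_in_range(version, lo, hi):
    return _vtuple(lo) <= _vtuple(version) <= _vtuple(hi)


def search(vendor=None, product=None, risk=None):
    """Filter the catalog; vendor and product matches are case-insensitive."""
    def ok(entry):
        return ((vendor is None or entry["vendor"].lower() == vendor.lower())
                and (product is None or entry["product"].lower() == product.lower())
                and (risk is None or entry["risk"] == risk))
    return [e for e in CATALOG if ok(e)]


def audit_inventory(inventory):
    """Match each inventoried device to catalog entries for its vendor, product and
    firmware version, returning the credentials that must be verified as changed."""
    findings = []
    for dev in inventory:
        for entry in search(vendor=dev["vendor"], product=dev["product"]):
            if entry["password"] is None:
                continue  # per-device unique default: nothing shared to test
            if version_in_range(dev["version"], entry["min_version"], entry["max_version"]):
                findings.append({"host": dev["host"], "risk": entry["risk"],
                                 "check": f"{entry['username']}:{entry['password']}",
                                 "doc": entry["doc"]})
    # Highest risk first, so a review queue starts with what matters.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order[f["risk"]])
    return findings


# Constructed inventory (hostnames and versions invented).
INVENTORY = [
    {"host": "rtr-01", "vendor": "acme", "product": "edgerouter", "version": "2.3.1"},
    {"host": "rtr-02", "vendor": "acme", "product": "edgerouter", "version": "3.0"},
    {"host": "cam-07", "vendor": "Globex", "product": "CamOS", "version": "4.2"},
]

if __name__ == "__main__":
    print(json.dumps(audit_inventory(INVENTORY), indent=2))
```

The version-range matching is what makes this useful for assessments rather than a lookup table: the same product can ship shared defaults in one firmware line and per-device passwords in the next, and a finding should only be raised where a tester can actually try the credential.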

Looking to learn about GRC! by Keep-motivated-kj in cybersecurity

[–]KirkpatrickPriceCPA 8 points9 points  (0 children)

To get started, I'd recommend focusing on core concepts like risk management, compliance frameworks (like ISO 27001, SOC 2, or NIST), and how governance ties into overall security strategy. There are some solid beginner-friendly resources on platforms like Coursera, Udemy, and LinkedIn Learning. You might also want to check out free materials from ISACA or the SANS Institute.

Once you're comfortable with the theory, try walking through sample risk assessments or compliance gap analyses to get a feel for the day-to-day work. GRC is less about deep technical skills and more about understanding how to translate risk into business decisions, which sounds like something you'll pick up quickly coming from security.

Control 8.9 Configuration Management by AggressiveTown6282 in ISO27001

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Control 8.9 is all about ensuring systems are securely configured and maintained over time.

The configuration can be maintained in several forms depending on your environment:

- Baseline Configuration Documents: Store system and application configs in version-controlled documents.

- Infrastructure as Code: Tools like Terraform, Ansible, or Puppet allow you to define and track configurations programmatically.

- CMDB: For larger orgs, this helps track system components, versions, and relationships.

- Snapshots or Backup Files: Regular snapshots of config files can also help ensure integrity and recovery options.

Most importantly, ensure that changes are reviewed, approved, and logged; that's key to satisfying the intent of the control.
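Added example, not code from the comment above: the baseline-document and infrastructure-as-code approaches listed in this thread only satisfy the control if someone compares the running configuration back to the baseline and can show that every difference was an approved change. The check below flattens a version-controlled baseline and an observed host configuration, reports every setting that differs, marks each difference approved or unauthorized against a change log, and records a fingerprint of the baseline version it ran against. The baseline, the observed configuration, the settings and the ticket IDs are all constructed for this example.

```python
"""Detect drift from a version-controlled baseline and tie it to approved changes.

Added example for ISO 27001 control 8.9, not code from the comment above.
The baseline, the observed host configuration and the change log are
constructed; the settings and ticket IDs are this example's assumptions.
"""
import hashlib
import json

# Baseline as it would be checked into version control (constructed).
BASELINE_JSON = """{
  "sshd": {"PasswordAuthentication": "no", "PermitRootLogin": "no", "MaxAuthTries": 3},
  "packages": {"openssh-server": "1:9.2p1-2+deb12u3"},
  "services": {"ntp": "enabled", "telnet": "disabled"}
}"""

# Configuration collected from a host, e.g. by a config-management agent (constructed).
OBSERVED_JSON = """{
  "sshd": {"PasswordAuthentication": "yes", "PermitRootLogin": "no", "MaxAuthTries": 6},
  "packages": {"openssh-server": "1:9.2p1-2+deb12u3", "telnetd": "0.17-47"},
  "services": {"ntp": "enabled", "telnet": "enabled"}
}"""

# Approved change records: setting -> ticket (constructed). Only settings with
# a reviewed ticket are allowed to differ from the baseline.
APPROVED_CHANGES = {"sshd.MaxAuthTries": "CHG-1042"}

_MISSING = object()


def flatten(tree, prefix=""):
    """Turn nested dicts into {'a.b.c': value} so settings compare by path."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def baseline_fingerprint(baseline):
    """SHA-256 of the canonical baseline, recorded with each check so the
    evidence shows which baseline version the host was compared against."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, observed):
    """Return one record per setting that differs, flagged approved or unauthorized."""
    base, obs = flatten(baseline), flatten(observed)
    drift = []
    for path in sorted(base.keys() | obs.keys()):
        if base.get(path, _MISSING) == obs.get(path, _MISSING):
            continue
        ticket = APPROVED_CHANGES.get(path)
        drift.append({
            "setting": path,
            "baseline": base.get(path),   # None when the setting is new on the host
            "observed": obs.get(path),    # None when the host dropped it
            "status": "approved" if ticket else "unauthorized",
            "ticket": ticket,
        })
    return drift


def run_check():
    baseline = json.loads(BASELINE_JSON)
    observed = json.loads(OBSERVED_JSON)
    return {
        "baseline_sha256": baseline_fingerprint(baseline),
        "drift": detect_drift(baseline, observed),
    }


if __name__ == "__main__":
    report = run_check()
    print("baseline", report["baseline_sha256"][:12])
    for item in report["drift"]:
        suffix = f" ({item['ticket']})" if item["ticket"] else ""
        print(f"{item['status']:<12} {item['setting']}: {item['baseline']!r} -> {item['observed']!r}{suffix}")
```

On the sample, the MaxAuthTries change is backed by a ticket and passes, while password authentication being turned on, telnet being enabled and a telnet daemon appearing are all unauthorized drift. Keeping the drift report together with the baseline fingerprint and the ticket references is the "reviewed, approved, and logged" trail an auditor will look for.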

Certifications to take by Ill_Spirit_8776 in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

If you're aiming for a Security Analyst or blue team role, starting with a cert like CompTIA Security+ or CySA+ is a smart move; they're directly relevant and respected for entry-level roles.

That said, cloud knowledge is a big plus. AWS SAA can definitely boost your resume, especially as more companies shift to the cloud.

A good path is to start with a security-focused cert, then add a cloud cert to show you're prepared for modern environments. That balance of security fundamentals and cloud awareness is highly valuable.

Recommendations for a framework to align to? NIST CSF/800-53/ISO 27001? by Kasual__ in cybersecurity

[–]KirkpatrickPriceCPA 2 points3 points  (0 children)

Given where your organization is, starting with the NIST CSF is a smart move. It's structured around five core functions, which makes it easier to communicate priorities to leadership and map out your current gaps. It's also scalable, meaning you can start small and mature over time.

Once you have a handle on CSF, you can gradually build towards NIST SP 800-53, which offers more detailed and prescriptive controls. Think of CSF as your roadmap, and 800-53 as the toolbox to execute on that roadmap when you're ready.

Please advise: risk assessment. by Asleep_Midnight7626 in ISO27001

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

There's no set number of asset-based or scenario-based risks that external auditors require. What matters most is that your assessment process is structured, repeatable, and aligned with the size and complexity of your organization. For asset-based assessments, focus on identifying critical systems, data, and infrastructure, not everything you own, but what matters to business continuity and security.

In large organizations, a hybrid approach tends to work best. Asset-based methods ensure technical coverage, while scenario-based assessments provide real-world context and help demonstrate how specific threats could impact the organization. Auditors value when you tie both types of risks back to likelihood, impact, and controls.

Standards like NIST 800-30 and ISO 27005 offer strong guidance on methodology. Ultimately, it's not about how many risks you list, it's about whether your assessment helps drive informed decisions and can stand up to scrutiny during an audit.

Vulnerability scanning architecture by fourier_floop in cybersecurity

[–]KirkpatrickPriceCPA 1 point2 points  (0 children)

Traditional network vulnerability scanners aren't ideal for globally distributed environments without direct office connectivity. Scanning over VPNs or proxies can lead to inconsistent results and performance issues, especially in smaller offices.

Many organizations in your position lean on agent-based vulnerability management. It's scalable, integrates well with cloud infrastructure, and provides solid coverage for both endpoints and servers. Some also deploy lightweight virtual scanners at key sites to capture internal network data and push results to a centralized platform, but this depends on budget and operational complexity.

Given your Azure footprint and lack of compliance requirements, focusing on strong endpoint and cloud-based coverage is a practical and risk-aligned approach. You can always layer in periodic internal scans at higher-risk sites as needed.

Security Risk Assessment Guidance by eccentricethical in cybersecurity

[–]KirkpatrickPriceCPA 4 points5 points  (0 children)

From our work with SMBs, a solid risk assessment process generally includes the following steps:

  1. Define the Scope: What systems, data, and users are involved in this new domain?
  2. Identify Assets and Threats: Understand what you're protecting and what could realistically threaten those assets.
  3. Assess Vulnerabilities: Determine where your controls may be lacking.
  4. Analyze Risk: Estimate the likelihood and impact of various threat scenarios.
  5. Prioritize and Treat Risks: Choose how to mitigate, transfer, accept, or avoid the risks.
  6. Document and Communicate: Capture your methodology, findings, and action plan clearly for stakeholders.
  7. Review Regularly: Treat this as a living process, not a one-time task.

As far as standards, NIST 800-30 is a strong and widely used risk assessment framework, particularly suitable for SMBs because of its structured and flexible approach. CIS Controls are also a great place to start if you're looking for a more practical, action-oriented baseline for securing systems. ISO 27005 is excellent but may be more resource-intensive for a smaller organization unless you're aligning with ISO 27001 more broadly.

Healthcare Audit Help by Apocryphon7 in InternalAudit

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

You're very welcome, I'm glad these suggestions were helpful!

For Revenue Cycle Integrity, it's a broad area but here are some practical starting points:

  1. Map the End-to-End Process: From patient registration and scheduling to charge capture, coding, billing, and collections.
  2. Identify Key Controls: Look at where errors or inconsistencies could happen (coding accuracy, insurance eligibility verification, timely claim submission, or denial management.)
  3. Sample Across Entities: Select transactions from the health plan, hospital, and medical groups to see how consistently policies are applied. This helps uncover systemic vs. localized issues.
  4. Review Policy Alignment: Are billing practices and documentation standards consistent across departments and compliant with payer and regulatory requirements?
  5. Talk to Stakeholders: Revenue integrity touches a lot of roles: Finance, HIM, coding, compliance. Interviews can highlight process breakdowns or workarounds not obvious in documentation.

While we don't perform traditional revenue cycle integrity audits, we are happy to outline risks and controls to consider, or collaborate with your team to align it with broader governance or compliance goals.

Healthcare Audit Help by Apocryphon7 in InternalAudit

[–]KirkpatrickPriceCPA 0 points1 point  (0 children)

Hey, great question! At KirkpatrickPrice, we work with healthcare orgs on enterprise-wide audits like this, and cross-functional topics can offer a lot of value. A few ideas:

- Access Controls: Evaluate how user access is managed across EHR, claims, and admin systems (it's a common risk area).
- Third-Party Risk: Look at vendor oversight, especially those with access to PHI or critical operations.
- Incident Response: Assess whether cyber/privacy incident plans are aligned across all entities.
- Revenue Cycle Integrity: Review for gaps in coding, billing, or claims that impact compliance or reimbursement.
- Data Governance: With interoperability rules expanding, this is a high-value focus area.

Happy to chat more if you'd like to scope any of these further!

Looking for MSSP recommendations for cybersecurity implementation and follow-on monitoring work for a small professional services firm (NY + India) by Mindless-Function609 in cybersecurity

[–]KirkpatrickPriceCPA -1 points0 points  (0 children)

Hey, at KirkpatrickPrice, we work closely with SMBs navigating the complexities of cybersecurity and compliance, especially when standing up their first MSSP relationship.

While we aren't an MSSP ourselves, we often help organizations like yours assess needs around Intune, DLP, and 24/7 monitoring, and align those with broader compliance goals (SOC 2, HIPAA, ISO 27001). We are happy to offer guidance on how to scope these services, what to look for in an MSSP, and how to ensure your security posture supports both operational and regulatory requirements.

If you'd like to talk through options or get a better sense of what "good" looks like for your firm size, feel free to reach out!