Understanding changes to the Trust Services Principles for SOC 2 reporting

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Understanding changes to the Trust Services Principles for SOC 2 reporting"

Transcription

1 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

2 Agenda SOC 2 defined and clarified Changes to the Trust Services Principles 2

3 SECTION 1 SOC 2: DEFINED AND CLARIFIED 3

4 SOC Framework SOC 1 (Service organization control 1) SOC 2 (Service organization control 2) SOC 3 (Service organization control 3) Applicable to services that are likely to be relevant to user entities internal control over financial reporting Applicable to services that don t directly impact financial reporting Applicable to services that don t directly impact financial reporting Reports on controls supporting financial statement audits Reports on controls related to operations Reports on controls related to operations Restricted to customers during the audit period Restricted to those familiar with the subject matter General use report Example organizations: payroll processors, transaction processors Example organizations: Direct mailers, call centers Example organizations: Direct mailers, call centers 4

5 Trust services What are trust services ( TS )? A set of professional attestation and advisory services» based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Consists of five key components organized to achieve a specified objective. 5

6 Key components of trust services Infrastructure > The physical and hardware components of a system (facilities, equipment, and networks) Software > The programs and operating software of a system (systems, applications, and utilities) People > The personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers) Procedures > The programmed and manual procedures involved in the operation of a system (automated or manual) Data > The information used and supported by a system (e.g. transaction streams, files, databases, and tables) 6

7 Trust services principles and criteria (cont.) Principles Objectives Privacy Security Security Availability The protection of the system from unauthorized access, both logical and physical The accessibility to the system, products, or services as advertized or committed by contact, service-level, or other agreements Confidentiality Availability Processing integrity The completeness, accuracy, validity, timeliness, and authorization of system processing Processing integrity Confidentiality Privacy The system s ability to protect the information designated as confidential, as committed or agreed Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice 7

8 Previous Structure of the Trust Services Principles and Criteria Previous Structure > Security, Availability, Processing Integrity and Confidentiality were previously subdivided into common domains: Policies Communication Procedures Monitoring A lot of overlap built into the criteria > 51 unique criteria across security, availability, processing integrity, confidentiality > Separate criteria specific to privacy to be revised at a later date 8

9 Redesigned Structure of the Trust Services Principles and Criteria Redesigned Structure > As a result of the overlaps, criteria applicable to all four principles has been placed together as common criteria organized into the following categories: Organization and management Communications Risk management and design implementation of controls Monitoring of controls Logical and physical access controls System operations Change management > Additional criteria specific to Availability, Processing Integrity and Confidentiality > Separate criteria specific to privacy to be revised at a later date 9

10 CC1.0 Common criteria organization management CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as the relate to [insert in scope principles. Criteria is new and was not covered previously CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity s system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation. Previously fell under S1.3, A1.3, I1.3, and C1.3 CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert in scope principles] have the qualifications and resources to fulfill their responsibilities. Previously fell under S3.11, A3.14, I3.15, C3.17 CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.11, A3.14, I3.15, C

11 CC2.0 Common criteria communications Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized CC2.1 Previously fell under S2.1, A2.1, I2.1, C2.1 internal and external system users to permit users to understand their role in the system and the results of system operation. The entity s [insert in scope principles] commitments are communicated to external users, as appropriate, and those commitments and the associated Previously fell under S2.2 A2.2, I2.2, C2.2 CC2.2 system requirements are communicated to internal system users to enable them to carry out their responsibilities. The entity communicates the responsibilities of internal and external users Previously fell under S2.2, A2.2, I2.2, C2.2 CC2.3 and others whose roles affect system operation. Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the Previously fell under S2.3, A2.3, I2.3, C2.3 CC2.4 [insert in scope principles] of the system, have the information necessary to carry out those responsibilities. Internal and external system users have been provided with information on Previously fell under S2.4, A2.4, I2.4, C2.4 CC2.5 how to report [insert in scope principles] failures, incidents, concerns, and other complaints to appropriate personnel. CC2.6 Previously fell under S2.5, A2.5, I2.5, C2.5 System changes that affect internal and external system user responsibilities or the entity s commitments and requirements relevant to [insert in scope principles] are communicated to those users in a timely manner. 11

12 Common criteria risk management and design and implementation of controls and monitoring controls CC3.0 CC3.1 CC3.2 The entity (1) identifies potential threats that would impair system [insert in scope principles] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies). The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy. Previously fell under S3.1, S3.8, A3.1, A3.11, I3.1, I3.12, C3.1 and C3.14 Previously fell under S1.1, S1.2, S2.3, A1.1, A1.2, A2.3, I1.1, I1.2, I2.3, C1.1, C1.2 and C2.3 CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technical changes) that could significantly affect the system of internal control for [insert in scope principles] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary. Previously fell under S4.3, A4.3, I4.3 and C4.3 CC4.0 Common Criteria Related to Monitoring of Controls CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert in scope principles] commitments and requirements, corrections and other necessary actions relating to identified deficiencies are taken in a timely manner. Previously fell under S4.1, S4.2, A4.1, A4.2, I4.1, I4.2, C4.1, C4.2 12

13 CC5.0 Common Criteria Logical and Physical Access Controls CC5.1 Logical access security software, infrastructure, and architecture have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access. Previously fell under S3.2.a, S3.2.e, S3.2.f, S3.2.g, S3.8, A3.5.a, A3.5.e, A3.5.f, A3.11, I3.6.a, I3.6.e, I3.f, I3.6.g, I3.12, C3.8.a, C3.8.g, C3.8.h, C3.8.i, C3.8.e, C3.8.f, and C3.14 CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials, and granted the ability to access the system. User system credentials are removed when user access is no longer authorized. Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6d, C3.8.c and C3.8.d CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data). Previously fell under S3.2.b, A3.5.b, I3.6.b and C3.8.b CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them. Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6d, C3.8.c and C3.8.d 13

14 CC5.0 Common Criteria Logical and Physical Access Controls CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations as well as sensitive system components within those locations) is restricted to authorized personnel. Previously fell under S3.3, A3.6, I3.7 and C3.9 CC5.6 Logical access security measures have been implemented to protect against [insert in scope principles] threats from sources outside the boundaries of the system. Previously fell under S3.4, A3.7, I3.8 and C3.10 CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement or removal enabling the entity to meet its commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.6, A3.9, I3.10 and C3.12 CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software. Previously fell under S3.5, A3.8, I3.9 and C

15 CC6.0 Common criteria system operations CC6.1 Vulnerabilities of system components to [insert in scope principles] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated and countermeasures are implemented to compensate for known and new vulnerabilities. Criteria is new and was not covered included previously. CC6.2 [Insert in scope principles] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures. Previously fell under S3.7, S3.9, A3.10, A3.12, I3.11, I3.13 and C3.13 and C

16 CC7.0 Common Criteria change management CC7.1 [Insert in scope principles] commitments and requirements, are addressed, during the system development lifecycle including design, acquisition, implementation, configuration, testing modification, and maintenance of system components. Previously fell under S3.10, A3.13, I3.14 and C3.15 CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert in scope principles]. Previously fell under S3.12, A3.15, I3.16 and C3.18 CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring. Criteria is new and was not covered included previously. CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert in scope principles] commitments and requirements. Previously fell under S3.13, S3.14, A3.16, A3.17, I3.17, I3.18, C3.2 and C

17 A1. 0 Additional criteria - availability Current processing capacity and usage are maintained, monitored, and Previously fell under A3.2 and I3.19 A1.1 evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements. A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements. Previously fell under A3.2, A3.3, I3.2 and I3.19 A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements. Previously fell under A3.4 and I

18 PI1.0 Additional criteria processing integrity PI1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements. Criteria is new and was not covered included previously. System inputs are measured and recorded completely, accurately, and timely Previously fell under I3.2 PI1.2 in accordance with processing integrity commitments and requirements. Data is processed completely, accurately, and timely as authorized in Previously fell under I3.3 and I3.5 PI1.3 accordance with processing integrity commitments and requirements. PI1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements.. Criteria is new and was not covered included previously. System output is complete, accurate, distributed, and retained in accordance Previously fell under I3.4 PI1.5 with processing integrity commitments and requirements. PI1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements. Criteria is new and was not covered included previously. 18

19 C1.0 Additional criteria confidentiality Confidential information is protected during the system design, development, C1.1 testing, implementation, and change processes in accordance with Previously fell under C3.21 confidentiality commitments and requirements. Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, Previously fell under C3.2, C3.3 and C3.4 C1.2 retention, output, and disposition in accordance with confidentiality commitments and requirements. Access to confidential information from outside the boundaries of the system Previously fell under C3.5 C1.3 and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements. The entity obtains confidentiality commitments that are consistent with the entity s confidentiality requirements from vendors and other third parties Previously fell under C3.6 C1.4 whose products and services comprise part of the system and have access to confidential information. Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the Previously fell under C3.6 C1.5 system is assessed on a periodic and as needed basis and corrective action is taken if necessary. C1.6 Previously fell under C3.7 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system. 19

20 Disclosure Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought Baker Tilly Virchow Krause, LLP 20

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3 Agenda 1) A brief perspective on where SOC 3 originated

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

CTR System Report - 2008 FISMA

CTR System Report - 2008 FISMA CTR System Report - 2008 FISMA February 27, 2009 TABLE of CONTENTS BACKGROUND AND OBJECTIVES... 5 BACKGROUND... 5 OBJECTIVES... 6 Classes and Families of Security Controls... 6 Control Classes... 7 Control

More information

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15

Acceptance Page 2. Revision History 3. Introduction 14. Control Categories 15. Scope 15. General Requirements 15 Acceptance Page 2 Revision History 3 Introduction 14 Control Categories 15 Scope 15 General Requirements 15 Control Category: 0.0 Information Security Management Program 17 Objective Name: 0.01 Information

More information

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016 Understanding SOC Reports for Effective Vendor Management Jason T. Clinton January 26, 2016 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2012 Wolf & Company, P.C. Before we

More information

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

Information for Management of a Service Organization

Information for Management of a Service Organization Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure

More information

Conducting a System Implementation Risk Review at Higher Education Institutions

Conducting a System Implementation Risk Review at Higher Education Institutions Conducting a System Implementation Risk Review at Higher Education Institutions October 23, 2013 1 Webinar moderator Justin T. Noble ACUA Distance Learning Chairman 2 Your presenters Mike Cullen, Senior

More information

Utility consulting. > > Operate as a quasi-standalone business with its own profit center > > Focus solely on internal customers

Utility consulting. > > Operate as a quasi-standalone business with its own profit center > > Focus solely on internal customers Shared services utility accounting How using a service company approach can help with cost allocations for multiple utility departments Cost allocations can strain a relationship Cost allocations are a

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

Standard CIP 007 3a Cyber Security Systems Security Management

Standard CIP 007 3a Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3a 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for

More information

Standard CIP 007 3 Cyber Security Systems Security Management

Standard CIP 007 3 Cyber Security Systems Security Management A. Introduction 1. Title: Cyber Security Systems Security Management 2. Number: CIP-007-3 3. Purpose: Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

Owner s project control review. 2014 Baker Tilly Virchow Krause, LLP

Owner s project control review. 2014 Baker Tilly Virchow Krause, LLP Owner s project control review 2014 Baker Tilly Virchow Krause, LLP About Baker Tilly > Established in 1931 > One of the top 20 largest accounting and advisory firms in the United States according to Accounting

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

TITLE III INFORMATION SECURITY

TITLE III INFORMATION SECURITY H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

More information

Financial Institutions Industry Insights

Financial Institutions Industry Insights February 2011 Address the heightened risks of your mortgage lending and servicing activities with enhanced internal controls The continuing stress within the housing and mortgage finance industries has

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

Public Law 113 283 113th Congress An Act

Public Law 113 283 113th Congress An Act PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Internal audit value optimization for insurance organizations

Internal audit value optimization for insurance organizations Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Uncovering outpatient operations hidden revenue busters

Uncovering outpatient operations hidden revenue busters Healthcare industry insights Uncovering outpatient operations Our client s need This case study will discuss the findings and implementation recommendations following a comprehensive review of a large

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

February 2015. Sample audit committee charter

February 2015. Sample audit committee charter February 2015 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE,

More information

Construction auditing: Continuous monitoring of active construction projects

Construction auditing: Continuous monitoring of active construction projects Construction auditing: Continuous monitoring of active construction projects Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

Cybersecurity Framework Security Policy Mapping Table

Cybersecurity Framework Security Policy Mapping Table Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

REQUEST FOR BOARD ACTION

REQUEST FOR BOARD ACTION REQUEST FOR BOARD ACTION HENDERSON COUNTY BOARD OF COMMISSIONERS MEETING DATE: 23 March 2005 SUBJECT: ATTACHMENT(S): HIPAA 1. Proposed Resolution adopting policies 2. Proposed policies SUMMARY OF REQUEST:

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Security and Privacy Controls for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems JOINT TASK FORCE TRANSFORMATION INITIATIVE This document contains excerpts from NIST Special Publication

More information

REPORT NO. 2014-022 OCTOBER 2013 SEMINOLE STATE COLLEGE OF FLORIDA. Operational Audit

REPORT NO. 2014-022 OCTOBER 2013 SEMINOLE STATE COLLEGE OF FLORIDA. Operational Audit REPORT NO. 2014-022 OCTOBER 2013 SEMINOLE STATE COLLEGE OF FLORIDA Operational Audit BOARD OF TRUSTEES AND PRESIDENT Members of the Board of Trustees and President who served during the 2012-13 fiscal

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy

More information

GSA Option Extensions

GSA Option Extensions GSA Option Extensions Are Your Commercial Sales Practices Current, Accurate and Complete? Baker Tilly Beers & Cutler, PLLC, is a wholly-owned subsidiary of Baker Tilly Virchow Krause, LLP. 2010 Baker Tilly

More information

Rowan University Data Governance Policy

Rowan University Data Governance Policy Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Auditing construction contract change orders

Auditing construction contract change orders Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Auditing construction contract change orders Presenter Tony Ollmann, CPA,

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Institutional Data Governance Policy

Institutional Data Governance Policy Institutional Data Governance Policy Policy Statement Institutional Data is a strategic asset of the University. As such, it is important that it be managed according to sound data governance procedures.

More information

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data 1 Table of Contents Executive Summary... 3 Template

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

Orchestrating the New Paradigm Cloud Assurance

Orchestrating the New Paradigm Cloud Assurance Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems

More information

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE

HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

Oceaneering International, Inc. Audit Committee Charter

Oceaneering International, Inc. Audit Committee Charter Oceaneering International, Inc. Audit Committee Charter Purpose The Audit Committee of the Board of Directors (the Committee ) is appointed by the Board of Directors (the Board ) to assist the Board in

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Auditing Engineer-Procure-Construct (EPC) Projects

Auditing Engineer-Procure-Construct (EPC) Projects Auditing Engineer-Procure-Construct (EPC) Projects Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2012 Baker Tilly Virchow

More information

January 2013. Sample audit committee charter

January 2013. Sample audit committee charter January 2013 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on a review of selected Fortune 1000 company charters, as well as the requirements

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Security Issues in Cloud Computing

Security Issues in Cloud Computing Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012

2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor)

Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Audit and Permitted Non-Audit Services Pre-Approval Policy (Pertaining to the Company s Independent Auditor) Statement of Principles Pursuant to the Sarbanes-Oxley Act of 2002 (the Act ) and in accordance

More information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

The Next Generation of Security Leaders

The Next Generation of Security Leaders The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish

More information