IOD Incorporated. SOC 3 Report for IOD Incorporated


SOC 3 Report for IOD Incorporated
For the Period From May 1, 2013 through October 31, 2013

SOC 3 Report
Table of Contents
Section 1: Management of IOD Incorporated Service Organization's Assertion ... 2
Section 2: Independent Accountant's Trust Services Report Provided by Wipfli ... 4
Section 3: Description of System Provided by IOD Incorporated ... 7
    Company Profile ... 8
    Operational Overview ... 8
    System Overview ... 9
    Infrastructure ... 9
    Software ... 10
    People ... 11
    Procedures ... 11
    Data ... 12
Confidential and Proprietary to Wipfli LLP and IOD Incorporated. Page 1 of 12

Section 1: Management of IOD Incorporated Service Organization's Assertion

December 10, 2013

Wipfli LLP
10000 Innovation Dr., Suite 250
Milwaukee, WI 53226

Management of IOD's Assertion Regarding the Effectiveness of Its Controls over the HIM Solution System Based on the Trust Services Security, Processing Integrity and Confidentiality Criteria

IOD Incorporated (IOD) maintained effective controls over the security, processing integrity and confidentiality of IOD's HIM Solution System ("the System") to provide reasonable assurance that:
1. The System was protected against unauthorized access (both physical and logical);
2. The System processing was complete, accurate, timely, and authorized; and
3. Information designated as confidential was protected by the System as committed or agreed;
during the period May 1, 2013 through October 31, 2013, based on the American Institute of Certified Public Accountants ("AICPA") and the Canadian Institute of Chartered Accountants ("CICA") Trust Services Criteria for Security, Processing Integrity and Confidentiality, which are available at

The attached system description of IOD's information systems environment and HIM Solution System summarizes those aspects of this system covered by our assertion.

Sincerely,
IOD

Signature:
Title: Chief Technology Officer

Section 2: Independent Accountant's Trust Services Report Provided by Wipfli

Independent Accountant's Trust Services Report

To the Management of IOD Incorporated

We have examined management's assertion that during the period May 1, 2013 to October 31, 2013, IOD Incorporated (IOD) maintained effective controls over the Health Information Management (HIM) Solution System based on the AICPA and CICA trust services security, processing integrity, and confidentiality criteria to provide reasonable assurance that:
1. The system was protected against unauthorized access (both physical and logical);
2. The system processing was complete, accurate, timely, and authorized; and
3. Information designated as confidential was protected by the system as committed or agreed.

IOD's management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management's description of the aspects of the HIM Solution System covered by its assertion is attached. We did not examine this description, and accordingly, we do not express an opinion on it.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of IOD's relevant controls over the security, processing integrity, and confidentiality of the HIM Solution System; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of the nature and inherent limitations of controls, IOD's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions.

In our opinion, management's assertion related to the HIM Solution System is fairly stated, in all material respects, based on the AICPA and CICA trust services security, processing integrity, and confidentiality criteria.

Wipfli LLP
Milwaukee, Wisconsin
December 10, 2013

Section 3: Description of System Provided by IOD Incorporated

Description of System Provided by IOD Incorporated

Company Profile

IOD provides a full suite of Health Information Management (HIM) solutions ranging from secure document imaging, coding, abstraction, record storage, Release of Information (ROI), auditing, consulting and education services. IOD has both onsite and offsite ROI processing services, with three central processing centers located in Green Bay, WI, Trevose, PA, and Bellevue, WA. Founded in 1983, IOD employs more than 1,700 HIM associates nationwide. IOD's Green Bay, WI location serves as its corporate site.

Operational Overview

As part of its operations, IOD has established policies and procedures to ensure confidentiality in handling sensitive user entity information. IOD secures its facilities by limiting access to the buildings via access cards, requiring associate identification on the premises, tracking visitors, encrypting data, and physically securing systems, media, and other technology in locked cabinets and rooms. Confidentiality agreements for information sharing between user entities and vendors are upheld in daily business operations. Across all lines of business, access to systems is protected by network and application security policies and procedures, and system users (associates) are assigned tiered access based on their roles. Access is modified in a timely manner and revoked at the time of associate termination.

IOD adheres to industry standards for Secure Sockets Layer (SSL), Transport Layer Security (TLS), Advanced Encryption Standard (AES) encryption, Virtual Private Network (VPN), and secure Electronic Data Interchange (EDI) or Secure File Transfer Protocol (SFTP) to protect the electronic transmission of user entity data, and uses National Institute of Standards and Technology (NIST) recommended encryption algorithms approved by the Centers for Medicare & Medicaid Services (CMS) for Meaningful Use when handling Protected Health Information (PHI).

Operational effectiveness and processing integrity are achieved through formal change management processes for new and existing systems that authorize, test, approve, and implement changes in business processes and systems. Policies and procedures are reviewed and approved annually, and procedures have been defined for disaster situations to minimize disruption of business operations. IOD ensures that its private cloud will provide business continuity in the event of a disaster through backup, recovery, removal, and restoration of data at an offsite location.

System Overview

This description covers IOD's HIM Solution System (the "System"), including its data center and processing facilities; security (both logical and physical); environmental controls; processing integrity, confidentiality, monitoring and maintenance; and change management.

IOD's core platform, PRISM, is a multiuser, transaction-based, custom-developed software platform that facilitates IOD's coding, abstracting, imaging and Release of Information (ROI) services. Specifically as it relates to ROI, PRISM enables the processing of release of information requests and the delivery of records to their requestor. The PRISM ROI request tracking and reporting system is coupled with technologies such as SecureCapture document scanning and imaging and the SecureDelivery electronic document delivery system for release of information services. PRISM software is coupled with additional functionality for customer service management.

The System comprises the following five components:
1. Infrastructure
2. Software
3. People
4. Procedures
5. Data

The following sections describe each of these five components.

Infrastructure

Associates access the PRISM platform via company-supplied desktop computers or encrypted laptops. IOD's Virtual Private Networking (VPN) software uses IPsec with 3DES encryption and MD5 authentication, with VPN user groups configured in Active Directory. These technologies restrict access and use Advanced Encryption Standard (AES) 256-bit encryption to protect data and intra-company communications. IOD also uses AES 256-bit encryption to secure the following transmissions with its customers:
SSL/TLS with AES 256-bit encryption for web-based data transfers
SSL/TLS with AES 256-bit encryption for File Transfer Protocol Secure (FTPS) file transfers
SSH with 2048-bit keys for SFTP file transfers
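The SFTP entry above is stated as "SSH 2048 bit", and for SSH that figure is the size of the server's RSA key pair, not the strength of a symmetric cipher, so a reviewer who wants to confirm the claim checks the host key an endpoint presents rather than a cipher setting. The following is an added example (not code from the report or from IOD) that parses the OpenSSH public-key line format, reports the key type and bit length, and compares it with a 2048-bit RSA baseline. The sample keys in it are constructed for the example from arbitrary integers and are not real keys; the 2048-bit threshold and the function name `meets_baseline` are this example's own choices.

```python
"""Check OpenSSH public-key lines against a minimum key-size baseline.

Added example, not code from the IOD report.  It parses the wire format of
an OpenSSH public key (RFC 4253 section 6.6: a length-prefixed type name
followed by the key's parameters) and reports the key type and bit length,
so a statement such as "SSH 2048 bit" can be checked against the host key a
server actually presents.  The sample keys below are constructed for the
example and are not real keys.
"""
import base64
import struct


def _read_string(buf: bytes, pos: int):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + length], pos + length


def _read_mpint(buf: bytes, pos: int):
    """Read an SSH 'mpint': a string holding a big-endian two's-complement integer."""
    raw, pos = _read_string(buf, pos)
    return int.from_bytes(raw, "big", signed=True), pos


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    if value == 0:
        return _string(b"")
    # bit_length + 8 leaves one spare byte only when the top bit would otherwise be set
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa' public-key line (used here only to construct samples)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_ssh_pubkey(line: str):
    """Return (key_type, bits) for an OpenSSH public-key line.

    Supports ssh-rsa (bits = modulus length) and ssh-ed25519 (fixed 256-bit).
    The type name in the text field must match the type embedded in the blob.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded, pos = _read_string(blob, 0)
    key_type = embedded.decode("ascii")
    if key_type != declared_type:
        raise ValueError(f"declared type {declared_type!r} != embedded type {key_type!r}")
    if key_type == "ssh-rsa":
        e, pos = _read_mpint(blob, pos)
        n, pos = _read_mpint(blob, pos)
        if e <= 0 or n <= 0:
            raise ValueError("RSA parameters must be positive")
        return key_type, n.bit_length()
    if key_type == "ssh-ed25519":
        pub, pos = _read_string(blob, pos)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        return key_type, 256
    raise ValueError(f"unsupported key type {key_type!r}")


MIN_RSA_BITS = 2048  # baseline chosen for this example, matching the report's stated figure


def meets_baseline(line: str) -> bool:
    """True for an RSA key of at least MIN_RSA_BITS or an Ed25519 key; False otherwise."""
    key_type, bits = parse_ssh_pubkey(line)
    if key_type == "ssh-rsa":
        return bits >= MIN_RSA_BITS
    return key_type == "ssh-ed25519"


# Constructed sample keys: arbitrary odd integers, NOT products of two primes.
# They exercise the parser only and cannot be used as real keys.
SAMPLE_RSA_2048 = encode_ssh_rsa(65537, (1 << 2047) | 0x1234567, "sftp-host-2048")
SAMPLE_RSA_1024 = encode_ssh_rsa(65537, (1 << 1023) | 0x1234567, "legacy-host-1024")
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(b"\x01" * 32)).decode("ascii")


if __name__ == "__main__":
    for sample in (SAMPLE_RSA_2048, SAMPLE_RSA_1024, SAMPLE_ED25519):
        key_type, bits = parse_ssh_pubkey(sample)
        verdict = "OK" if meets_baseline(sample) else "BELOW BASELINE"
        print(f"{key_type:12s} {bits:5d} bits  {verdict}")
```

Run it against the key a server actually presents (for instance a line from `ssh-keyscan` output, after dropping its leading hostname field) rather than against a key quoted in a questionnaire. The parser rejects truncated blobs and blobs whose embedded type disagrees with the declared type, both of which are cheap ways to smuggle a weaker key past a check that only reads the first word of the line.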

Database and file servers are housed in IOD's secured data center at its Green Bay, WI corporate site.

Software

PRISM order processing software is developed and maintained by IOD's in-house software development engineers. PRISM tracks information in real time. The information is immediately stored in the database and is accessible for daily operations, service authorization, quality assurance, service billing and report generation. Information can be retrieved, reviewed, and reported as needed, and the application creates a complete history of entries, reviews, approvals and releases of the associated records.

PRISM platform software 6.0 has received Office of the National Coordinator Authorized Testing and Certification Body (ONC-ATCB) certification. PRISM is certified for both the ambulatory and inpatient practice types. PRISM platform software has been tested against the Electronic Submission of Medical Documentation (esMD) criteria for transacting medical record information electronically with the Recovery Audit Contractor (RAC) and Medicare Administrative Contractor (MAC) CMS audit contractors, and has been approved for electronic transmission.

IOD uses a defined and documented Systems Development Life Cycle (SDLC) and change management process with defined and distinct steps. These steps include user requirement definition, technical design, coding, unit testing, independent QA testing, user acceptance testing (UAT) and release management to deploy custom-developed software. An Agile development approach is used.

PRISM platform software and the IOD Green Bay infrastructure are regularly penetration tested by Trustwave in support of the infrastructure's certification and IOD's classification as a Level 3 Payment Card Industry (PCI) merchant.

People

IOD has a staff of over 1,700 associates organized in the following functional areas:
Corporate: Executives, senior operations staff, and administrative support staff, such as legal, training, contracting, accounting, sales, marketing, finance and human resources.
Operations: Managers and supervisors provide scheduling and operational oversight of both onsite and central processing facilities. Processing associates provide capacity for transaction processing across all lines of business.
ROI Quality Assurance: Associates validate order entry and processing accuracy and verify that release of information requests meet compliance requirements.
Technology Operations: Associates with responsibility for the following functions: help desk, infrastructure, system administration, software development and support, information security, IT operations, business implementation support and telecom.

Procedures

IOD's standards for conducting business are documented in its standard operating policies, procedures, and business process workflow diagrams. Its controls are detailed in its procedures and formal risk assessments. The policies and procedures reflect the assignment of specific compliance responsibilities to specific functions and personnel within IOD. Specific examples of the relevant policies and procedures include the following:
Confidentiality and non-disclosure
Health Insurance Portability and Accountability Act (HIPAA)
Security Management
Information Security
Personnel Security
Emergency Change Management
System Monitoring
Problem Management
Data Backup and Recovery
System Account Management
Monitoring

Data

Data, as defined by IOD, constitutes the following:
Customer and user master file data
Input data (scanned images, and electronic records from Electronic Health Records (EHR) via SecureCapture and Software Security Assurance (SSA) Globally Unique Identifier (GUID) numbers)
Order transaction data
Electronic download and upload files
Output reports
System files
Error logs


More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

ShareFile Security Overview

ShareFile Security Overview ShareFile Security Overview ShareFile Company Policy All ShareFile employees undergo full background checks and sign our information security policy prior to beginning employment with the company. The

More information

SERVICE ORGANIZATION CONTROL 3 REPORT

SERVICE ORGANIZATION CONTROL 3 REPORT SERVICE ORGANIZATION CONTROL 3 REPORT Digital Certificate Solutions, Comodo Certificate Manager (CCM), and Comodo Two Factor Authentication (Comodo TF) Services For the period April 1, 2013 through March

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment

More information

Independent Accountants Report

Independent Accountants Report KPMG LLP 1601 Market Street Philadelphia, PA 19103-2499 Independent Accountants Report To the Management of Unisys Corporation: We have examined the assertion by the management of Unisys Corporation (

More information

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s

More information

REQUEST FOR PROPOSALS. EMS BILLING AND COLLECTION SERVICES and ELECTRONIC PATIENT CARE REPORTING (epcr)

REQUEST FOR PROPOSALS. EMS BILLING AND COLLECTION SERVICES and ELECTRONIC PATIENT CARE REPORTING (epcr) REQUEST FOR PROPOSALS EMS BILLING AND COLLECTION SERVICES and ELECTRONIC PATIENT CARE REPORTING (epcr) Page i Table of Contents 1.0 Background... 2 2.0 Proposal Submission... 2 3.0 Scope of Work... 2 3.1

More information

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,

More information

SECTION 1: INTRODUCTION

SECTION 1: INTRODUCTION 3117 NETWORK ARCHITECTURE STANDARD OWNER: Security Management Branch ISSUE DATE: 10/25/2011 DISTRIBUTION: All Employees REVISED DATE: 7/1/2013 SECTION 1: INTRODUCTION The California Department of Technology

More information

Cloud Contact Center. Security White Paper

Cloud Contact Center. Security White Paper Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

More information

Online Lead Generation: Data Security Best Practices

Online Lead Generation: Data Security Best Practices Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:

More information

NCR CLOUD SERVICES OVERVIEW. An NCR Brochure

NCR CLOUD SERVICES OVERVIEW. An NCR Brochure NCR CLOUD SERVICES OVERVIEW An NCR Brochure Are you looking for a partner to provide unparalleled security, uptime and performance for your core applications? You have chosen to host your applications

More information

SAS 70 Type II Audits

SAS 70 Type II Audits Thinking from IntraLinks SAS 70 Type II Audits SAS 70 Type II Audits Ensuring Data Security, Reliability and Integrity If your organization shares sensitive data over the Internet, you need rigorous controls

More information

RSS Cloud Solution COMMON QUESTIONS

RSS Cloud Solution COMMON QUESTIONS RSS Cloud Solution COMMON QUESTIONS 1 Services... 3 Connectivity... 5 Support... 6 Implementation... 7 Security... 8 Applications... 9 Backups... 9 Email... 10 Contact... 11 2 Services What is included

More information

Fortinet Solutions for Compliance Requirements

Fortinet Solutions for Compliance Requirements s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized

More information

CMS Operational Policy for Infrastructure Router Security

CMS Operational Policy for Infrastructure Router Security Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Infrastructure Router Security September 2005 Document Number: CMS-CIO-POL-INF05-01

More information

Cloud Contact Center. Security White Paper

Cloud Contact Center. Security White Paper Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

More information

How Managed File Transfer Addresses HIPAA Requirements for ephi

How Managed File Transfer Addresses HIPAA Requirements for ephi How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts

More information

General Computer Controls

General Computer Controls 1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

TACKLING THE ENCRYPTION CONUNDRUM

TACKLING THE ENCRYPTION CONUNDRUM TACKLING THE ENCRYPTION CONUNDRUM Feisal Nanji DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Research Information Security Guideline

Research Information Security Guideline Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different

More information

Overview... 2. Servers and Infrastructure... 2. Communication channels... 3. Peer-to-Peer connections... 3. Data Compression and Encryption...

Overview... 2. Servers and Infrastructure... 2. Communication channels... 3. Peer-to-Peer connections... 3. Data Compression and Encryption... Data security is a high priority at Brosix, enabling us to continue achieving the goal of providing efficient and secure online realtime communication services. Table of Contents Overview... 2 Servers

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006 Electronic Prescribing of Controlled Substances Technical Framework Panel Mark Gingrich, RxHub LLC July 11, 2006 RxHub Overview Founded 2001 as nationwide, universal electronic information exchange Encompass

More information

Achieving HIPAA Compliance with Red Hat

Achieving HIPAA Compliance with Red Hat Achieving HIPAA Compliance with Red Hat Enterprise Virtualization for Desktops The Health Insurance Portability and Accountability Act (HIPAA) of 1996 introduced a sweeping set of regulations that have

More information

Achieving HIPAA Compliance with Red Hat

Achieving HIPAA Compliance with Red Hat Achieving HIPAA Compliance with Red Hat Enterprise Virtualization for Desktops The Health Insurance Portability and Accountability Act (HIPAA) of 1996 introduced a sweeping set of regulations that have

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

HOW MX PROTECTS YOUR DATA

HOW MX PROTECTS YOUR DATA HOW MX PROTECTS YOUR DATA Overview MX is passionate about and dedicated to protecting, safeguarding, and securing customer data. To do so, MX has established a strong security program supported by a comprehensive

More information

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and timeconsuming travel,

More information

The Internet Corporation for Assigned Names and Numbers (ICANN)

The Internet Corporation for Assigned Names and Numbers (ICANN) The Internet Corporation for Assigned Names and Numbers (ICANN) Root Zone Key Signing Key System SysTrust Report based on the Trust Services Principles of Availability, Security and Processing Integrity

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM Las Vegas Datacenter Overview Product Overview and Data Sheet Product Data Sheet Maintaining a Software as a Service (SaaS) environment with market leading availability and security is something that Active

More information

Enterprise level security, the Huddle way.

Enterprise level security, the Huddle way. Enterprise level security, the Huddle way. Security whitepaper TABLE OF CONTENTS 5 Huddle s promise Hosting environment Network infrastructure Multiple levels of security Physical security System & network

More information