Understanding changes to the Trust Services Principles for SOC 2 reporting
Christina Morton
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Agenda
> SOC 2 defined and clarified
> Changes to the Trust Services Principles
Section 1: SOC 2 defined and clarified
SOC framework

SOC 1 (Service Organization Control 1)
> Applicable to services that are likely to be relevant to user entities' internal control over financial reporting
> Reports on controls supporting financial statement audits
> Restricted-use report: customers (user entities) during the audit period
> Example organizations: payroll processors, transaction processors

SOC 2 (Service Organization Control 2)
> Applicable to services that do not directly impact financial reporting
> Reports on controls related to operations
> Restricted-use report: those familiar with the subject matter
> Example organizations: direct mailers, call centers

SOC 3 (Service Organization Control 3)
> Applicable to services that do not directly impact financial reporting
> Reports on controls related to operations
> General-use report
> Example organizations: direct mailers, call centers
Trust services
What are trust services (TS)? A set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The system being reported on consists of five key components organized to achieve a specified objective.
Key components of trust services
> Infrastructure: the physical and hardware components of a system (facilities, equipment, and networks)
> Software: the programs and operating software of a system (systems, applications, and utilities)
> People: the personnel involved in the operation and use of a system (e.g. developers, operators, users, and managers)
> Procedures: the automated and manual procedures involved in the operation of a system
> Data: the information used and supported by a system (e.g. transaction streams, files, databases, and tables)
Trust services principles and criteria
> Security: the system is protected against unauthorized access, both logical and physical.
> Availability: the system, products, or services are accessible as advertised or committed by contract, service-level, or other agreements.
> Processing integrity: system processing is complete, accurate, valid, timely, and authorized.
> Confidentiality: the system protects information designated as confidential, as committed or agreed.
> Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.
Previous structure of the Trust Services Principles and Criteria
> Security, availability, processing integrity and confidentiality were each subdivided into the same four domains: policies, communication, procedures, and monitoring.
> That built a lot of overlap into the criteria: 51 unique criteria across security, availability, processing integrity and confidentiality.
> Separate criteria specific to privacy, to be revised at a later date.
Redesigned structure of the Trust Services Principles and Criteria
> Because of that overlap, the criteria that apply to all four principles have been pulled together as common criteria, organized into the following categories:
  Organization and management
  Communications
  Risk management and design and implementation of controls
  Monitoring of controls
  Logical and physical access controls
  System operations
  Change management
> Additional criteria specific to availability, processing integrity and confidentiality.
> Separate criteria specific to privacy, to be revised at a later date.
> Note: this is the common-criteria structure of the 2014 revision of TSP section 100. The criteria were restructured again in the 2017 Trust Services Criteria (common criteria CC1 through CC9, aligned to the COSO framework), so the CC numbers in the mapping that follows do not correspond to the CC numbers in reports issued under the 2017 criteria.
CC1.0 Common criteria related to organization and management

CC1.1 The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance and monitoring of the system enabling it to meet its commitments and requirements as they relate to [insert in scope principles]. (New criterion; not covered previously.)

CC1.2 Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation. (Previously fell under S1.3, A1.3, I1.3, and C1.3.)

CC1.3 Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert in scope principles] have the qualifications and resources to fulfill their responsibilities. (Previously fell under S3.11, A3.14, I3.15, C3.17.)

CC1.4 The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert in scope principles]. (Previously fell under S3.11, A3.14, I3.15, C [reference cut off in the source].)
CC2.0 Common criteria related to communications

CC2.1 Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation. (Previously fell under S2.1, A2.1, I2.1, C2.1.)

CC2.2 The entity's [insert in scope principles] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities. (Previously fell under S2.2, A2.2, I2.2, C2.2.)

CC2.3 The entity communicates the responsibilities of internal and external users and others whose roles affect system operation. (Previously fell under S2.2, A2.2, I2.2, C2.2.)

CC2.4 Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert in scope principles] of the system, have the information necessary to carry out those responsibilities. (Previously fell under S2.3, A2.3, I2.3, C2.3.)

CC2.5 Internal and external system users have been provided with information on how to report [insert in scope principles] failures, incidents, concerns, and other complaints to appropriate personnel. (Previously fell under S2.4, A2.4, I2.4, C2.4.)

CC2.6 System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert in scope principles] are communicated to those users in a timely manner. (Previously fell under S2.5, A2.5, I2.5, C2.5.)
CC3.0 Common criteria related to risk management and design and implementation of controls

CC3.1 The entity (1) identifies potential threats that would impair system [insert in scope principles] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies). (Previously fell under S3.1, S3.8, A3.1, A3.11, I3.1, I3.12, C3.1 and C3.14.)

CC3.2 The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy. (Previously fell under S1.1, S1.2, S2.3, A1.1, A1.2, A2.3, I1.1, I1.2, I2.3, C1.1, C1.2 and C2.3.)

CC3.3 The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technical changes) that could significantly affect the system of internal control for [insert in scope principles] and reassesses risks and mitigation strategies based on the changes and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary. (Previously fell under S4.3, A4.3, I4.3 and C4.3.)

CC4.0 Common criteria related to monitoring of controls

CC4.1 The design and operating effectiveness of controls are periodically evaluated against [insert in scope principles] commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner. (Previously fell under S4.1, S4.2, A4.1, A4.2, I4.1, I4.2, C4.1, C4.2.)
CC5.0 Common criteria related to logical and physical access controls

CC5.1 Logical access security software, infrastructure, and architecture have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access. (Previously fell under S3.2.a, S3.2.e, S3.2.f, S3.2.g, S3.8, A3.5.a, A3.5.e, A3.5.f, A3.11, I3.6.a, I3.6.e, I3.6.f, I3.6.g, I3.12, C3.8.a, C3.8.g, C3.8.h, C3.8.i, C3.8.e, C3.8.f, and C3.14.)

CC5.2 New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized. (Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6.d, C3.8.c and C3.8.d.)

CC5.3 Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data). (Previously fell under S3.2.b, A3.5.b, I3.6.b and C3.8.b.)

CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them. (Previously fell under S3.2.c, S3.2.d, A3.5.c, A3.5.d, I3.6.c, I3.6.d, C3.8.c and C3.8.d.)
CC5.0 Common criteria related to logical and physical access controls (continued)

CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel. (Previously fell under S3.3, A3.6, I3.7 and C3.9.)

CC5.6 Logical access security measures have been implemented to protect against [insert in scope principles] threats from sources outside the boundaries of the system. (Previously fell under S3.4, A3.7, I3.8 and C3.10.)

CC5.7 The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement or removal, enabling the entity to meet its commitments and requirements as they relate to [insert in scope principles]. (Previously fell under S3.6, A3.9, I3.10 and C3.12.)

CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software. (Previously fell under S3.5, A3.8, I3.9 and C [reference cut off in the source].)
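CC5.2 and CC5.4 state outcomes (credentials removed once access is no longer authorized; access granted and changed on the basis of roles) rather than a test procedure. What an auditor actually asks for is evidence that the population of live accounts reconciles to the population of approved users. The following is an added example, not part of the original presentation and not Baker Tilly or AICPA material, of that reconciliation written as a check a service organization can run itself. The roster schema, the account-export schema, the role names, user IDs and dates are all constructed for the example.

```python
"""Access reconciliation check for SOC 2 common criteria CC5.2 and CC5.4.

Added example, not from the original presentation. It compares an
authorized-user roster (what access management approved) against an export
of the accounts that actually exist on a system and produces findings of the
kind an auditor asks for as evidence:

  CC5.2  an account exists but its user was never authorized, or the
         authorization has been revoked (credentials should be removed);
  CC5.2  credentials were issued before the authorization was approved;
  CC5.4  an account holds roles beyond those authorized for the user.

The roster and export schemas, role names, user IDs and dates are constructed
for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One row of the authorized-user roster (constructed schema)."""
    user_id: str
    approved_on: date          # date access management approved the request
    roles: frozenset           # roles the user is authorized to hold
    active: bool = True        # False once access is revoked (e.g. termination)


@dataclass(frozen=True)
class Account:
    """One row of the live account export (constructed schema)."""
    user_id: str
    created_on: date           # date the credential was issued
    roles: frozenset           # roles actually assigned on the system


Finding = Tuple[str, str, str]   # (criterion, user_id, description)


def reconcile(authorizations: Iterable[Authorization],
              accounts: Iterable[Account]) -> List[Finding]:
    """Return one finding per deviation between the roster and the export.

    Findings are produced in export order so the output can be handed over
    as an ordered exception list alongside the two source files.
    """
    auth_by_user = {a.user_id: a for a in authorizations}
    findings: List[Finding] = []
    for acct in accounts:
        auth = auth_by_user.get(acct.user_id)
        if auth is None:
            findings.append(("CC5.2", acct.user_id,
                             "account has no authorization record; remove credentials"))
            continue
        if not auth.active:
            findings.append(("CC5.2", acct.user_id,
                             "authorization revoked but account still exists; remove credentials"))
            continue
        if acct.created_on < auth.approved_on:
            findings.append(("CC5.2", acct.user_id,
                             f"credentials issued {acct.created_on} before approval on {auth.approved_on}"))
        excess = acct.roles - auth.roles
        if excess:
            findings.append(("CC5.4", acct.user_id,
                             f"roles beyond authorization: {sorted(excess)}"))
    return findings


def missing_accounts(authorizations: Iterable[Authorization],
                     accounts: Iterable[Account]) -> List[str]:
    """Active, authorized users with no account at all.

    Not a CC5.2/CC5.4 deviation by itself, but listing it lets you show the
    roster and the export reconcile in both directions.
    """
    present = {a.user_id for a in accounts}
    return sorted(a.user_id for a in authorizations if a.active and a.user_id not in present)


# Constructed sample data: a small roster and account export for illustration.
AUTHORIZATIONS = [
    Authorization("alice", date(2014, 3, 1), frozenset({"app-user"})),
    Authorization("bob", date(2014, 5, 10), frozenset({"app-user", "db-admin"})),
    Authorization("carol", date(2014, 1, 15), frozenset({"app-user"}), active=False),  # terminated
    Authorization("dave", date(2014, 6, 20), frozenset({"app-user"})),
    Authorization("erin", date(2014, 7, 1), frozenset({"app-user"})),                 # no account yet
]
ACCOUNTS = [
    Account("alice", date(2014, 3, 2), frozenset({"app-user"})),                    # clean
    Account("bob", date(2014, 5, 12), frozenset({"app-user", "db-admin", "root"})),  # extra role
    Account("carol", date(2014, 1, 16), frozenset({"app-user"})),                   # should be gone
    Account("dave", date(2014, 6, 18), frozenset({"app-user"})),                    # created before approval
    Account("svc-backup", date(2014, 2, 1), frozenset({"db-admin"})),               # never authorized
]

if __name__ == "__main__":
    for criterion, user, why in reconcile(AUTHORIZATIONS, ACCOUNTS):
        print(f"{criterion}  {user:<12} {why}")
    print("authorized users with no account:", missing_accounts(AUTHORIZATIONS, ACCOUNTS))
```

Run against a real roster and export, the empty-findings case is the evidence; each non-empty finding is either a control exception or a timing difference that has to be explained with a ticket. Comparing sets rather than exact role lists is deliberate: a user holding a subset of the authorized roles is not a deviation under CC5.4, only a user holding more.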
CC6.0 Common criteria related to system operations

CC6.1 Vulnerabilities of system components to [insert in scope principles] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to compensate for known and new vulnerabilities. (New criterion; not covered previously.)

CC6.2 [Insert in scope principles] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures. (Previously fell under S3.7, S3.9, A3.10, A3.12, I3.11, I3.13, C3.13 and C [reference cut off in the source].)
CC7.0 Common criteria related to change management

CC7.1 [Insert in scope principles] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components. (Previously fell under S3.10, A3.13, I3.14 and C3.15.)

CC7.2 Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert in scope principles]. (Previously fell under S3.12, A3.15, I3.16 and C3.18.)

CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring. (New criterion; not covered previously.)

CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert in scope principles] commitments and requirements. (Previously fell under S3.13, S3.14, A3.16, A3.17, I3.17, I3.18, C3.2 and C [reference cut off in the source].)
A1.0 Additional criteria related to availability

A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements. (Previously fell under A3.2 and I3.19.)

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements. (Previously fell under A3.2, A3.3, I3.2 and I3.19.)

A1.3 Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements. (Previously fell under A3.4 and I [reference cut off in the source].)
PI1.0 Additional criteria related to processing integrity

PI1.1 Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements. (New criterion; not covered previously.)

PI1.2 System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements. (Previously fell under I3.2.)

PI1.3 Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements. (Previously fell under I3.3 and I3.5.)

PI1.4 Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements. (New criterion; not covered previously.)

PI1.5 System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements. (Previously fell under I3.4.)

PI1.6 Modification of data is authorized, using authorized procedures in accordance with processing integrity commitments and requirements. (New criterion; not covered previously.)
C1.0 Additional criteria related to confidentiality

C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements. (Previously fell under C3.21.)

C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements. (Previously fell under C3.2, C3.3 and C3.4.)

C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements. (Previously fell under C3.5.)

C1.4 The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements from vendors and other third parties whose products and services comprise part of the system and have access to confidential information. (Previously fell under C3.6.)

C1.5 Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis, and corrective action is taken if necessary. (Previously fell under C3.6.)

C1.6 Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system. (Previously fell under C3.7.)
Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
More informationOrchestrating the New Paradigm Cloud Assurance
Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationInformation Shield Solution Matrix for CIP Security Standards
Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability
More informationLegislative Language
Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationHIPAA Privacy Rule Policies
DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationREQUEST FOR BOARD ACTION
REQUEST FOR BOARD ACTION HENDERSON COUNTY BOARD OF COMMISSIONERS MEETING DATE: 23 March 2005 SUBJECT: ATTACHMENT(S): HIPAA 1. Proposed Resolution adopting policies 2. Proposed policies SUMMARY OF REQUEST:
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationThe Next Generation of Security Leaders
The Next Generation of Security Leaders In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationSample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat
Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationFinancial Institutions Industry Insights
February 2011 Address the heightened risks of your mortgage lending and servicing activities with enhanced internal controls The continuing stress within the housing and mortgage finance industries has
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationHIPAA PRIVACY AND SECURITY FOR EMPLOYERS
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
More informationIT Security Management Risk Analysis and Controls
IT Security Management Risk Analysis and Controls Steven Gordon Document No: Revision 770 3 December 2013 1 Introduction This document summarises several steps of an IT security risk analysis and subsequent
More informationFebruary 2015. Sample audit committee charter
February 2015 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE,
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationConstruction auditing: Continuous monitoring of active construction projects
Construction auditing: Continuous monitoring of active construction projects Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationHealth Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper
Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &
More informationRowan University Data Governance Policy
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationVISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data
VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data 1 Table of Contents Executive Summary... 3 Template
More informationHot Topics in IT. CUAV Conference May 2012
Hot Topics in IT CUAV Conference May 2012 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
More informationPrivacy and Security Meaningful Use Requirement HIPAA Readiness Review
Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit
More informationMinimum Security Requirements for Federal Information and Information Systems
FIPS PUB 200 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Minimum Security Requirements for Federal Information and Information Systems Computer Security Division Information Technology Laboratory
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
More informationCLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM
CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material
More information2/9/2012. The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012
The Third International Conference on Technical and Legal Aspects of the e-society CYBERLAWS 2012 Legal Issues Involved in Creating Security Compliance Plans W. David Snead Attorney + Counselor Washington,
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationUncovering outpatient operations hidden revenue busters
Healthcare industry insights Uncovering outpatient operations Our client s need This case study will discuss the findings and implementation recommendations following a comprehensive review of a large
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationHUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
More information