MASSIVE NETWORKS Online Backup Compliance Guidelines
Last updated: Sunday, November 13th, 2011

Contents
MASSIVE NETWORKS Online Backup Compliance Guidelines
Sarbanes-Oxley (SOX)
SOX Requirements
MASSIVE NETWORKS ONLINE BACKUP SOX Compliance
Gramm-Leach-Bliley Financial Services Modernization Act of 1999
GLBA Requirements
MASSIVE NETWORKS ONLINE BACKUP GLBA Compliance
HIPAA - Health Insurance Portability and Accountability Act of 1996
HIPAA Requirements
MASSIVE NETWORKS ONLINE BACKUP HIPAA Compliance
SAS 70 Type 2 Certified Datacenters In Use by MASSIVE NETWORKS Online Backup
SAS 70 Background
SAS 70 Who is Affected
PCI DSS

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002 is landmark legislation designed to make public companies more transparent in their financial reporting and more proactive in sharing material information with other participants in the financial reporting chain, such as auditors, audit committees, analysts and investors. It requires CEOs, CFOs and auditors of companies to certify the accuracy of financial statements and disclosures and to report on deficiencies in the design or operation of internal controls. It requires that a business continuity / disaster recovery plan be in place. Recent legislative activity, if passed, extends the requirements of Sarbanes-Oxley to privately owned businesses.

SOX Requirements

CEOs and CFOs must personally certify financial statements and filings, as well as affirm that they are responsible for establishing and enforcing disclosure controls and procedures at all levels of their corporation. SOX also requires an annual evaluation of internal controls and procedures for financial reporting, document retention, retrieval, and disaster recovery. The corporation must document its existing controls that have a bearing on financial reporting, test them for efficacy and report on gaps and deficiencies, and verify that it can recover data and documents in the event of a disaster, natural or intentional.

MASSIVE NETWORKS ONLINE BACKUP SOX Compliance

In addition to achieving and maintaining in-house compliance, corporations must verify that their suppliers and other partners comply with the same level of control, reporting and testing. All partners must have auditable and documented standards, industry best practices and standardized processes. MASSIVE NETWORKS ONLINE BACKUP partners with Sarbanes-Oxley compliant companies. Through the completion of our SAS 70 audit, MASSIVE NETWORKS ONLINE BACKUP has process and procedure in place surrounding all activities. Our large storage network and vaulting options are qualified and meet all industry-regulated compliance requirements to act as the repository of your company's data.

Gramm-Leach-Bliley Financial Services Modernization Act of 1999

The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) addresses the protection of nonpublic personal information by all financial institutions. The new government regulations are not only for publicly traded companies. As a business, best practice requires that you also know the important sections of current regulations and that you incorporate the spirit of these into your activity.

GLBA Requirements

GLBA is intended to ensure the confidentiality and security of customer information against any reasonably anticipated internal or external threat or hazard, while protecting customers against unauthorized access to or use of such data that would result in substantial harm or inconvenience. GLBA requires financial institutions (defined as banks, thrifts and credit unions, as well as numerous non-depository institutions) to develop a written security plan that describes their protection programs for customer information (defined as any record containing nonpublic, personal information about a customer, whether in paper, electronic or other form, that is maintained by or on behalf of the institution).

MASSIVE NETWORKS ONLINE BACKUP GLBA Compliance

Auditors are specifically asking MASSIVE NETWORKS Online Backup for documented policies that bring controls to bear on the security and integrity of personal and private financial data. They are also looking for copies of business continuity plans and manuals, and want to see evidence of general testing of deployed solutions in addition to improvements from test to test. They are also asking for proof of Statement on Auditing Standards (SAS) 70 compliance, which seeks evidence of effectively designed control objectives and control activities, sometimes requiring network diagrams.

HIPAA - Health Insurance Portability and Accountability Act of 1996

In February 2003 the Department of Health and Human Services released the final security standards of the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA Requirements

The IT areas of covered entities (CEs), including organizations that transmit health information in electronic form such as health plans, healthcare clearinghouses and healthcare providers, must make changes to their technology processes to secure customer information. The rule covers administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information, and requires CEs to implement basic safeguards to keep electronic protected health information from unauthorized access, alteration, deletion and transmission. Compliance is due by February 2005. The government will not conduct regular reviews, but will investigate based on complaints it receives; violations are punishable by fines as well as prosecution. CE employees can be sued individually and as members of the organization.

MASSIVE NETWORKS ONLINE BACKUP HIPAA Compliance

In addition to achieving and maintaining in-house compliance, a CE must also verify that its suppliers and other partners who share electronic protected health information have addressed the Administrative, Physical and Technical safeguards. The legislation requires the establishment and maintenance of contracts or other arrangements with every business associate in a chain of trust. These contracts must show how information will be protected as it is electronically transmitted, and business associates must notify CEs of security breaches.

SAS 70 Type 2 Certified Datacenters in Use by MASSIVE NETWORKS Online Backup

Anyone preparing to comply with important legislation such as Sarbanes-Oxley, HIPAA, or Gramm-Leach-Bliley, or even Federal Rules 26 and 34*, understands the need to partner with those who have performed the due diligence to ensure our standards exceed those of the typical co-location industry. MASSIVE NETWORKS Online Backup has made the commitment, and dedicated the time and resources, to guarantee that it works with a qualified partner. Making the time and devoting the resources to a SAS 70 audit is a significant process. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

A SAS 70 audit or examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to the service organization at the conclusion of a SAS 70 examination. SAS 70 provides guidance to enable an independent auditor ("service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report (see below). SAS 70 is not a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 examination is not a "checklist" audit.

SAS No. 70 is generally applicable when an auditor ("user auditor") is auditing the financial statements of an entity ("user organization") that obtains services from another organization ("service organization"). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. In an audit of a user organization's financial statements, the user auditor obtains an understanding of the entity's internal control sufficient to plan the audit, as required in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organization provides transaction processing or other data processing services to the user organization, the user auditor may be required to gain an understanding of the controls at the service organization.

* Overview of the Federal Rules of Civil Procedure. Rule 26: General Provisions Governing Discovery; Duty of Disclosure. Rule 34: Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes.

SAS 70 Background

The Federal Rules of Civil Procedure govern the conduct of civil actions brought in Federal district courts. Rules 26 and 34 govern discovery and disclosure of information relevant to the civil actions. In 1993, Rule 26 was amended substantially to accelerate the exchange of information.

SAS 70 Who is Affected

Entities affected by these Rules are:
Organizations facing litigation
Organizations that are aware that a discovery request may be made

In addition, since any entity may face litigation concerning activities long after the activities were carried out, each organization should consider its ability to comply with Rules 26 and 34 as it conducts its business in the ordinary course, so that it is able to comply with the Rules' requirements if a litigation event occurs. In many instances it may be too late to respond efficiently when faced with litigation if the groundwork for compliance was not in place when the relevant records were created.

Payment Card Industry Data Security Standard (PCI Compliance)

Version 2.0 of PCI DSS was released on October 26, 2010. PCI DSS version 2.0 must be adopted by all organizations with payment card data by January 1st, 2011, and from January 1st, 2012 all assessments must be against version 2.0 of the standard. The 12 requirements for compliance are:

1. Build and maintain a secure network
2. Protect cardholder data
   a. Encrypt transmission of cardholder data across networks.
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
   a. Maintain a policy that addresses information security