Understanding the Impact of Testing Exceptions in Type 2 SOC 1 and SOC 2 Reports

By: Ivan Reyes, Senior Consultant at A-LIGN

Standards for Attestation Engagements No. 16 (“SSAE 16”) is an attestation standard whereby a service organization’s auditor issues an opinion on a service organization’s internal controls over financial reporting (ICFR). This is delivered in the form of a Service Organization Controls 1 (“SOC…

3 Step Guide on How To Avoid Data Breaches Through Soft Targets

By: Chris Berberich, Senior Consultant and Penetration Tester at A-LIGN

In the real world of budgets and limited personnel, prioritizing security resources is a must. For the majority of companies who depend on IT resources, prioritizing information security resources is based on the significance of an asset to their overall…

7 New COSO Updates that Impact Your SSAE 16 Report

By: Scott Price, Managing Partner of A-LIGN

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its “Internal Control – Integrated Framework” in May 2013. The changes are a progressive move to align its framework with today’s business operating environment, much like the change from SAS 70 to SOC 1/SSAE 16. As technology and business practices evolve, organizations need updated guidance on how and what to address in their internal controls.

Accredited vs Unaccredited ISO 27001 Certification – Does it Matter?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services

ISO 27001, published by the International Organization for Standardization, is a comprehensive information security standard that defines the processes and controls that should be in place for an information security management system (“ISMS”) to protect the sensitive data and technology in your environment. Once these processes and controls are implemented and the ISMS is up and running, you are ready to have them audited by an outside security company. The certification audit is performed by a certification body (“CB”), like A-LIGN, to assess the conformity of your ISMS with the documented standard.

Updating the SOC 1 System Description

By: Sue Wells, Senior Consultant at A-LIGN

In preparation for a SOC 1 audit, a service organization’s management is required to provide a system description per the SSAE 16 auditing standards. Until recently, little guidance had been provided to assist service organization management in preparing the system description. In January 2014, the AICPA’s Information Management and Technology Assurance section issued the following whitepaper, “CPAs Guide to Developing the System Description for a SOC 1 Engagement.” To assist organizations with a suitable development of a system description for SOC 1 reports, we have created an outline to easily break down the AICPA’s new guide.

What Everyone Should Take Away from the Recent Retail Breaches

By: Gene Geiger, Partner of A-LIGN

Recent Retail Breaches – What Should You Do

When news of the Target breach was announced, in the middle of the holiday shopping season, it made headlines and rekindled the debate on payment card data security and, more specifically, the effectiveness of the PCI Data Security Standard (“PCI DSS”), which was established to protect payment card data. This debate has only intensified as news of breaches at other major retailers has surfaced. So what went wrong? How were millions of records exposed? You don’t have to go very far to find the finger pointing and criticism of everyone involved, including Target, the PCI Security Standards Council (“PCI SSC”) and the core infrastructure used in the payment card industry. These discussions will continue and additional guidance may be produced, but at the end of the day, the clients I speak with want to know one thing: “What should we do?” Outlined below are some thoughts I would like to share on how to increase the security in your environment.

PCI Data Security Standard Version 3.0 – Breakdown of Changes to Anticipate

By: Gene Geiger, Partner of A-LIGN

Following the 36 month lifecycle the PCI Security Standards Council (“Council”) has established for the published standards, Version 3.0 of the PCI Data Security Standard is in the final stages before it will be released on November 7, 2013. Through several webinars and documents provided to stakeholders, the Council has provided information on the final draft in order to receive feedback at the 2013 Community that will be held in Las Vegas September 24 – 26. The core twelve requirements remain the same, but after a review of the changes and guidance provided by the Council, the change to Version 3.0 is more comprehensive than we experienced with previous version changes. However, due to the impact of these changes and the time it may take to fully comply with the requirements of Version 3.0, Version 2.0 may be used for assessment until December 31, 2014. Nonetheless, the Council encourages adoption of Version 3.0 as soon as practical.

Ask A-LIGN: When receiving our first SSAE 16 audit, if the auditors find minor mistakes, will we have the opportunity to correct them?

By: Scott Price, Managing Partner of A-LIGN

Answer: I hear this question often, and my answer is, “it depends.” I realize this is not the response most of you were hoping for, but I will elaborate. If your audit is a Type 1 SSAE 16, you can elect to have the review date of the report set for when the service organization has remediated all deficiencies found in the controls. This is one of the main reasons why service organizations like to start with a Type 1 audit. However, in the same breath, the user community sees the limitations of a Type 1 since it only gives assurance at a specific point in time. It is a snapshot.

New HIPAA Rules: Impact on Business Associates

As I read the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” recently released by the Department of Health and Human Services, I struggled to think how to summarize the 563 page PDF document into a meaningful summary for A-LIGN’s clients. The title alone is a paragraph long. A large part of the document is minutiae that is not relevant for the everyday conversation on how to protect electronic protected health information (“ePHI”), but there are some key points and clarifications that I believe should be understood by our clients. As a provider of audit, compliance and security services primarily to companies defined as service organizations or service providers, I will focus on two key points that impact service organizations that handle ePHI: applicability and liability.