Why Payroll Companies are Subject to a SSAE 16 Examination

By: Scott Price, Managing Partner of A-LIGN Classification First, lets get down to the basics.  Payroll companies are classified as “classic” service organizations.  This is due to the fact that payroll companies typically use the same processes, procedures, controls, and systems to process payroll for a variety of companies.

Read More

Comprehend Compliance: A-LIGN Speakers are Available for your Next Event!

Looking for qualified compliance professionals to speak at your next event? A-LIGN is pleased to offer speakers who are strictly focused in the regulatory compliance arena and posses extensive knowledge in the following industries: payroll, collections, healthcare, data and information management.

Read More

Ask A-LIGN: When receiving our first SSAE 16 audit, if the auditors find minor mistakes, will we have the opportunity to correct them?

By: Scott Price, Managing Partner of A-LIGN Answer: I hear this question often and, my answer is, “it depends.” I realize this is not the response most of you were hoping for, but I will elaborate. If your audit is a Type 1 SSAE 16, you can elect to have the review date of the report dated for when the service organization has remediated all deficiencies found in the controls. This is one of the main reasons why service organizations like to start with a Type 1 audit. However, in the same breath, the user community sees the limitations of a Type 1 since it only gives assurance at a specific point in time. It is a snapshot.

Read More

New HIPAA Rules: Impact on Business Associates

As I read the “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” recently released by the Department of Health and Human Services, I struggled to think how to summarize the 563 page PDF document into a meaningful summary for A-LIGN’s clients.  The title alone is a paragraph long.  A large part of the document is minutia that is not relevant for the everyday conversation on how to protect electronic protected health information (“ePHI”) but there are some key points and clarifications that are made which I believe should be understood by our clients.  As a provider of audit, compliance and security services primarily to companies defined as service organizations or service providers, I will focus on two key points that impact service organizations that handle ePHI, applicability and liability.

Read More

PCI Security Standards Council Releases New Information Supplement on Cloud Computing

In February the PCI Security Standards Council (the “Council”) released a new information supplement related to the application of the Payment Card Industry Data Security Standards (“PCI DSS”) requirements in the Cloud. The goal of the information supplement is to assist Merchants and Cloud Service Providers (“CSP”) maintain PCI DSS compliant environments and also to guide the Qualified Security Assessors (“QSA”) that are tasked with performing the validation assessments.

Read More

PCI Security Standards Council Releases New Information Supplement on Cloud Computing

  By: Gene Geiger, Partner of A-lign Security and Compliance Services In February the PCI Security Standards Council (the “Council”) released a new information supplement related to the application of the Payment Card Industry Data Security Standards (“PCI DSS”) requirements in the Cloud. The goal of the information supplement is to assist Merchants and Cloud Service Providers (“CSP”) maintain PCI DSS compliant environments and also to guide the Qualified Security Assessors (“QSA”) that are tasked with performing the validation assessments.

Read More

Preparing your Collection Agency for the CFPB Examination

By: Neil Gonsalves, Director at A-LIGN OVERVIEW On October 24, 2012 the Consumer Financial Protection Bureau (CFPB) published a rule that would allow the CFPB to federally supervise the larger consumer debt collectors/collection agencies. One of the main objectives of the CFPB Examination is to ultimately help ensure that consumers that are affected by the debt collection process are treated fairly. The CFPB’s supervision authority over these debt collectors/collection agencies took effect on January 2, 2013. Under the rule, any firm that has more than $10 million in annual receipts from consumer debt collection activities are subject to the CFPB’s supervisory authority. The CFPB may adopt a risk based approach focusing on debt collectors/collection agencies that pose a heightened risk to consumers based on information available from regulators, complaints, litigation, and media among other sources.

Read More

Ask A-LIGN: What is the difference between a SOC logo and a SOC seal?

By: Scott Price, Managing Partner of A-LIGN  Answer: Misuse of Service Organization Control (SOC) terminology is a common mishap in the marketplace. When it comes to the use of the SOC logo or seal, many tend to assume the terms mean the same thing (six of one, half a dozen of the other), but in reality they are classified as entirely different entities. Let me explain…

Read More

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project.  I would like to outline the purpose of the two projects and when you would select each.

Read More

Ask A-LIGN: What is the difference between a Penetration Test and a Vulnerability Assessment?

By: Gene Geiger, Partner of A-LIGN Security and Compliance Services  A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each.

Read More