How bad is a qualified report? This question comes up almost every time a qualified report is issued to a service organization.
In simple terms, security data breaches are when a company vulnerability (technical or non-technical [i.e. employee related]) is exploited and, as a result, access to customer information or other data, applications, or networks is granted to an unauthorized individual. When a breach occurs, depending on the security framework, notification of the security breach is required. […]
For many people, the words “internal audit” conjure a sense of fear and anticipation of high cost. Even under the best circumstances, having someone review your activities can be intimidating, but internal audit provides an unbiased, independent review of data and business processes.
When considering HIPAA compliance, it’s a bit of the wild west out there right now. The Office of Civil Rights (OCR), enforces fines and sanctions for HIPAA violations, but it is mostly on a reactionary basis. You can review the HIPAA cases currently under investigation and get a sense of the type of incidents and […]
As we discussed in our FedRAMP compliance article, there are two paths to obtain a FedRAMP Authorization to Operate (ATO). The first option is to obtain a FedRAMP ATO from a specific government agency, and the second option is to receive a FedRAMP Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB). The […]
If you are being asked to obtain a Service Organization Control (SOC) report by your existing user entity or a potential user entity, you may question whether you should obtain a Type I or a Type II report. If you are a service provider that is considering your first SOC audit to satisfy an existing […]
In its simplest form, a royalty audit is a financial inspection that determines whether a licensee (user of a patent/license/franchise) is paying the licensor (owner of the patent/license/franchise) the correct amount of royalty fees.
A request for proposal has just come out that is in your company’s wheelhouse but instead of only requiring HIPAA, the proposal suggests that those who are HITRUST compliant either receive more consideration or may be the only proposals considered at all. What happens now? Are you prepared? Do you know what that means? It […]
The International Organization for Standardization (ISO) is an independent, non-governmental organization made up of members from the national standards bodies of over 160 countries that set international standards related to products and services.
Our firm has been a HITRUST CSF assessor for nearly a year and we have numerous lessons learned. We have seen common pitfalls as well as identified what is needed to make HITRUST compliance achievable, even for a small company. This article will summarize what we have learned about HITRUST and the process for HITRUST […]