PCI

Sep 26 2009   10:07PM GMT

HIPAA Privacy Rule | Attention Data Centers | Are you HIPAA Compliant?

Posted by: Charles Denyer
HIPAA Privacy rule, SAS 70, PCI, PHI, protected Health Information

First it was SAS 70, then PCI, now HIPAA is fast becoming a requirement for data centers. Here’s what you need to know about the HIPAA Privacy Rule.

An electronic medical record (EMR) is usually a computerized legal medical record created in an organization in which the health information system allows storage, retrieval and manipulation of these respective records.

Electronic medical records, similar to that of hard copy medical records, must be kept in unaltered form and authenticated by the creator. Under data protection legislation, such as HIPAA, responsibility for patient records (irrespective of the form they are kept in) is always on the creator along with one of many custodians of the records, usually a health care practice, facility, or entity, such as DATA CENTERS.

Privacy Rule: The HIPAA Privacy Rule regulates the use and disclosure of certain information held by “covered entities”, which includes health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. It establishes regulations for the use and disclosure of Protected Health Information (PHI).
Although HIPAA was enacted in 1996, the enforcement of the Privacy Rule began in 2003. The Privacy Rule mandates the following:

• Regulates the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically.
• Establishes a set of basic consumer protections
• Permits any person to file an administrative complaint for violations
• Authorizes the imposition of civil or criminal penalties.

If your data center needs to be compliant with HIPAA, then find a competent auditor to assist you.

Aug 23 2009   8:47PM GMT

Will HIPAA compliance ever have any Teeth like SAS 70 and PCI DSS?

Posted by: Charles Denyer
HIPAA, PCI, SAS 70, PCI DSS, charles denyer, payment card industry data security standards, health insurance portability and accountability act, type II, The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards

HIPAA, The Health Insurance Portability and Accountability Act, has been with us for years now. Upon reading through the vast and cumbersome documentation, one quickly realizes that HIPAA has many moving parts, enough to make you truly gaze at amazement as to what the actual explicit intent is for compliance. In regards to the security provisions of HIPAA, The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule, there are a number of broad based requirements for ensuring HIPAA compliance.

But that’s really where it ends, because unlike a SAS 70 Type II audit and a Payment Card Industry Data Security Standards (PCI DSS) assessment, compliance is, for the most part, not actively overseen. What does it really mean to be HIPAA compliant? What part of HIPAA do organizations need to be compliant with? What are the true penalties for non-compliance, if any?

HIPAA needs to take a more aggressive approach, possibly a revision of the law along with explicit rules for what compliance is and for what part of the HIPAA legislation. Only then will HIPAA really have the bite like SAS 70 or PCI DSS.

Jul 24 2009   8:00PM GMT

PCI DSS Compliance | Why You Need a QSA for Level 1 Compliance

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI, dss, qsa, qualified security assessor (QSA), charles denyer, service provider, merchant, level 1, payment card industry security standards council, pci ssc

PCI DSS Compliance for Level 1 Merchants and Service Providers is mandatory. In short, if you are a Merchant or Service Provider and have been called upon to become Payment Card Industry Data Security Standards (PCI DSS) compliant, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need.

A QSA is simply an individual who has gone through the licensing to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.

For more information about PCI DSS compliance and in hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened their requirements to make Level 2 merchants also undertake an on-site PCI DSS assessment.

Apr 27 2009   2:06AM GMT

Sarbanes Oxley (SOX) and SAS 70 | What Does the Future Hold?

Posted by: Charles Denyer
Compliance, Sarbanes-Oxley, SAS 70, SOX, PCI, charles denyer, corporate governance

Sarbanes Oxley and SAS 70 audits have had a monumental impact on corporate governance and compliance. So much so, they almost invented a huge part of the pie. As a SAS 70 auditor, i’m often asked what does the future hold for Sarbanes Oxley (SOX) compliance and also SAS 70.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations are finding ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of congress. I would not be worried and thinking too much about SOX, but rather, what else is in the witches brew that could be cooked up on Capital Hill. Think i’m kiding? PCI compliance recently became codified into law in MN with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not, it’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life; as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.

Jan 16 2009   3:46PM GMT

SAS 70 Audits & Data Centers | Tips on Preparing for the Audit

Posted by: Charles Denyer
SAS 70, sas70, payment card industry, PCI, PCI DSS, sas 70 data centers, co-locations, managed services sas 70, change management sas 70, incident management sas 70, physical security, environmental security, incident management

Today’s data centers and managed services providers are complex businesses, providing customers with a wide array of services. As such, SAS 70 audits have become the standard compliance audit for assessing internal controls for data centers and managed services. But buyer beware, not all SAS 70 audits are the same when being conducted on data centers and managed service providers. So, what’s the scope, you say? Well, generally speaking a good quality SAS 70 audit process and its subsequent report should include the following areas for considerations of controls:

1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
3. Client Contract Processes
4. Technical Client Provisioning Processes and Activities
5. Change Management
6. Incident Management
7. Logical Security
8. Network Security
9. Shipping and Receiving Management
10. Physical Security
11. Environmental Security

Any SAS 70 conducted on data centers, managed services providers and co-locations entities that encompass the following above referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these above referenced areas, but that’s a whole other topic of discussion for a later date.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.

Dec 31 2008   11:19PM GMT

SAS 70 and Regulatory Audits | What is the Impact to our Economy?

Posted by: Charles Denyer
sas70, SAS 70, glbay, HIPAA, Sarbanes-Oxley, impacts of audits to economy, section 404, SOX, PCI, payment card industry

The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service, quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70) have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and numerous other federal and state laws have pushed audits, such as SAS 70, into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.

From a regulatory compliance perspective, impacts of audits to the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, section 404 states that management must establish effective internal controls as it relates to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on section 404 of publicly traded companies.

Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist

Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.

Dec 30 2008   2:08PM GMT

PCI Payment Card Industry Compliance | PCI DSS | Important Tips

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, pci dss qsa, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1, pci dss requirement 1.1.2

Is your organization seeking to become Payment Card Industry (PCI) Data Security Standards (DSS) compliant for 2009? Are you a merchant or service provider that is directly involved in the processing, storage, or transmission of transaction data or cardholder data? If you answered yes to these questions, then its time you learn more about PCI DSS compliance and what the road ahead holds for your organization.

First and foremost, PCI DSS compliance is spreading like wildfire, to say the least. From small start up, locally owned companies to large e-commerce entities, PCI DSS compliance is becoming mandatory for every conceivable organization that conducts commerce with payment cards.

To be fair, regulation for PCI DSS compliance was somewhat lax and disjointed in the beginning, but much has changed in the last six months as the major payment brands are starting to push PCI DSS compliance much deeper and in a more transparent way then ever before.

If you want to learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, then visit pciassessment.org, one of the most in-depth sites currently available for PCI DSS news and information.

2009 is just around the corner, so properly plan for having your organization become PCI DSS compliant.

Nov 23 2008   7:24PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.2

Posted by: Charles Denyer
regulatory compliance, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, qsa, pci dss qsa, policies and procedures, pci assessment, sas 70 audit report, payment card industry data security standards, pci dss requirement 1.1.2

Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for “Current network diagram with all connections to cardholder data, including any wireless networks” Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”

Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.

And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org

Nov 23 2008   7:14PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.1

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, qsa, pci dss qsa, policies and procedures, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1

PCI DSS Requirement 1.1.1 calls for “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. Thus, the test to validate this, in accordance with PCI DSS 1.2 standards is to “Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations”. Thus, network connections, firewall rulesets/configurations and settings to routers must be placed in a proactive mode for ensuring continuous protection for the organization. As threats become known and as business needs change, this formal process needs to be documented to address this specifically.

The key phrase here my friends is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections/changes to these critical devices. Easier said than done as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.