Key Takeaways from the CCPA Audit Webinar with Dr. Maxine Henry

Dr. Maxine Henry, one of Reciprocity's renowned GRC experts, led a webinar on the California Consumer Protection Act (CCPA). This sweeping legislation creates data privacy rights for covered consumers, which means it also imposes obligations on businesses to safeguard personal information. Dr. Henry discusses how to prepare before the law takes effect on January 1, 2020.

Who Will CCPA Impact?

CCPA protects California residents, recognizing all natural persons in the state as consumers. Even companies not headquartered in California, perhaps without any physical presence in the state, will be subject to CCPA, because California residents are among their customers. CCPA imposes obligations on for-profit enterprises meeting any of these criteria: annual gross revenues over $25 million; handles, buys, shares, or sells personal…

The Differences Between SOX 302 and 404 Requirements

The Sarbanes-Oxley Act of 2002 (SOX) is a law that imposes regulations on publicly traded companies and accounting firms. SOX was created to improve the accuracy and reliability of corporate disclosures in financial statements and to protect investors from fraudulent accounting practices. While the act consists of eleven titles, many of its requirements live within Section 302 and Section 404. These SOX compliance activities include identifying and testing internal controls over the financial reporting process, and they require specific financial certifications to be submitted in quarterly and annual reports to the United States Securities and Exchange Commission (SEC). Although these Sarbanes-Oxley sections are interrelated, their specific requirements differ. SOX Section 302…

How to Map PCI DSS to the NIST Cybersecurity Framework

Organizations face an increasing number of compliance metrics. Risk management is of paramount importance and is driving the need for governance. PCI DSS and NIST CSF are two frameworks that help enhance data security and manage risk. Often, it is confusion about where to start that prevents businesses from taking action at all. To avoid analysis paralysis, it is important first to understand what PCI DSS and NIST CSF do, how they relate to each other, and how they differ.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created to standardize how all organizations that accept, process, transmit, or store credit card information secure that data. The requirements mandated by…

California Confidentiality of Medical Information Act vs. HIPAA

Patient health information is governed by robust rules that determine how this data is handled, stored, and accessed. Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), and various state laws strengthen patient rights. HIPAA sets a baseline for regulatory compliance with patient health information. Under the "preemption" language in the rule, no state may create less effective or weaker medical privacy protection for individuals. However, states can exceed HIPAA regulations and institute more stringent requirements. One example is the California Confidentiality of Medical Information Act (CMIA), which sets higher standards of privacy protection than HIPAA. Typically, in conflicts between federal and state rules, the federal rule is the governing requirement. But there is…

NIST CSF Categories and Framework Tiers

NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework. The NIST CSF consists of best practices, standards, and guidelines for managing cybersecurity program risk. This voluntary framework is divided into three primary parts: the framework core, profiles, and tiers. The NIST CSF core comprises five functions, each of which is further broken down into categories and subcategories. There are currently 23 categories and 108 subcategories in the NIST CSF. Below you will find a detailed assessment of the NIST CSF functions and categories:

Identify Function

Identify the risk to critical infrastructure, information systems, people, assets, and data.

Asset Management: Inventory and manage all company assets, including people. It is also important to understand Bring Your Own…

How to Maintain ISO 9001 Certification

It's not easy for an organization to implement the International Organization for Standardization (ISO) 9001 standard and obtain certification against it. But just because you've achieved ISO 9001:2015 (the latest version) certification doesn't mean your work is done. Your company has to be continually audited to ensure it still meets the requirements of the ISO 9001 standard. ISO 9001 is the international standard that details the requirements for creating a quality management system (QMS). A quality management system focuses on providing products and services that meet customer needs, along with industry and government regulations. ISO 9001 is the most popular of the ISO 9000 series of ISO standards and the only ISO standard in the…

ISO 9001 Quality Management Principles

ISO 9001 is the international standard for quality management systems (QMS), published by the International Organization for Standardization (ISO). ISO standards are the most widely used quality management standards worldwide. Increasingly, your customers are looking for a guarantee that the products they're buying from you have gone through quality management best practices. Adopting the ISO 9001 standard is one step toward offering that guarantee. The current version is ISO 9001:2015, which was released in September 2015. The goal of ISO 9001, part of the ISO 9000 family of quality management standards, is to help you prevent quality issues that could affect your customers, employees, business partners, and even your industry. ISO 9001 defines the requirements for creating a quality management system. The…

FedRAMP Low, Moderate, High: Understanding Security Baseline Levels

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures the proper level of information security is in place when U.S. government agencies use cloud products and cloud services. FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs). FedRAMP grants authorizations to CSPs at three impact levels: low, moderate, and high. These levels refer to the severity of the potential impact if an information system is compromised. Here's a quick summary of each level, with detailed sections below:

Low impact risk: Encompasses data intended for public use. Any loss of data wouldn't compromise an agency's mission, safety, finances, or reputation.

Moderate impact risk: Mainly includes…

SOX Management Review Controls

The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company's management to assess its reasonableness and accuracy. They are a key aspect of a public company's internal control over financial reporting (ICFR). Examples of these SOX management reviews include reviews of reconciliations, reviews of journal entries, trigger events, the work supporting an estimate, and budget-to-actual variances. Management review controls are more complex than other controls because they require examining combined results rather than individual transactions. They involve comparing recorded amounts with associated projections based on…

Introducing ZenGRC + ZenConnect

A Connected Information Security Ecosystem

At Reciprocity, our mission has always been to simplify the way your organization manages risk and compliance, and to encourage transparency and trusted relationships with your key stakeholders. With ZenGRC, we delivered the industry's best GRC solution and simplified a traditionally complicated tool to make it easy for CISOs, CROs and CCOs to manage their organization's information security. Today, we are excited to announce our next massive milestone: ZenConnect. ZenGRC + ZenConnect is the first and only integrated GRC solution that fosters a continuous flow of information between the systems, applications and people that are core to your business. It enables out-of-the-box connections to the tools you have in your tech stack to empower a…