California Confidentiality of Medical Information Act vs. HIPAA

Written by
Published 11/20/2019

Patient health information is governed by robust rules that determine how this data is handled, stored, and accessed. Federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and various state laws strengthen patient rights. HIPAA set a baseline for regulatory compliance with patient health information. Under the “preemption” language in the rule, no state may create less effective or weaker medical privacy protection for individuals.  However, states can exceed HIPAA regulations and institute more stringent requirements. One example of this is the California Confidentiality of Medical Information Act (CMIA), which has greater standards of protection of privacy than HIPAA.  Typically, in conflicts between federal and state rules, the federal rule is the governing requirement. But there is…

NIST CSF Categories and Framework Tiers

Written by
Published 11/19/2019

NIST CSF stands for the National Institute of Standards and Technology Cybersecurity Framework. The NIST CSF consists of best practices, standards, and guidelines to manage cybersecurity program risk.  This voluntary framework is divided into three primary parts: the framework core, profiles, and tiers. The NIST CSF core comprises five functions, where each function are further broken down into categories and subcategories. There are currently 23 categories and 108 subcategories in the NIST CSF.  Below you will find a detailed assessment of the NIST CSF functions and categories: Identify Function Identify the risk to critical infrastructure, information systems, people, assets, and data. Asset Management: Inventory and manage all company assets, including people. It is important also to understand Bring You Own…

Tags:
Categorized in:

How to Maintain ISO 9001 Certification

Written by
Published 11/14/2019

It’s not easy for an organization to implement the International Organization for Standardization (ISO) 9001 and obtain an ISO certification for the standard. But just because you’ve achieved ISO 9001:2015 (the latest version) certification, doesn’t mean your work is done. That’s because your company has to be continually audited to ensure it still meets the requirements of the ISO 9001 standard. ISO 9001 is the international standard that details the requirements necessary to create a quality management system (QMS). A quality management system focuses around providing products and services that meet customer needs, along with industry and government regulations. ISO 9001 is the most popular of the ISO 9000 series of ISO standards and the only ISO standard in the…

Tags: , ,
Categorized in:

ISO 9001 Quality Management Principles

Written by
Published 11/12/2019

ISO 9001 is the international standard for quality management systems (QMS), published by the International Organization for Standardization (ISO). ISO standards are the most widely used quality management standards worldwide. Increasingly, your customers are looking for a guarantee that the products they’re buying from you have gone through quality management best practices. Adopting the ISO 9001 standard is one step toward offering that guarantee. The current version is ISO 9001:2015, which was released in September 2015. The goal of ISO 9001, part of the ISO 9000 family of quality management standards, is to help you prevent quality issues that could affect your customers, employees, business partners, and even your industry.  ISO 9001 defines the requirements for creating a quality management system. The…

Tags: ,
Categorized in:

FedRAMP Low, Moderate, High: Understanding Security Baseline Levels

Written by
Published 09/24/2019

The Federal Risk and Authorization Management Program (FedRAMP) is a federal program that ensures that the proper level of information security is in place when U.S. government agencies access cloud products and cloud services.  FedRAMP standardizes the approach to security assessment, authorization, and continuous monitoring of cloud service providers (CSPs). FedRAMP grants authorizations to CSPs at three impact levels: low, medium, and high.  These levels refer to the intensity of a potential impact that may occur if an information system is jeopardized. Here’s a quick summary of each level, with detailed sections below: Low impact risk: Encompasses data intended for public use. Any loss of data wouldn’t compromise an agency’s mission, safety, finances, or reputation. Moderate impact risk: Mainly includes…

Sox Management Review Controls

Written by
Published 09/19/2019

The Sarbanes-Oxley Act of 2002 (SOX) designates management review controls (MRCs) as one of the required internal controls. MRCs are the reviews of key financial information conducted by a company’s management to assess its reasonableness and accuracy. They are a key aspect of a public company’s internal control over financial reporting (ICFR).  Examples of these SOX management reviews include:      Review of reconciliations     Review of journal entries     Trigger events     The work supporting an estimate     Budget to actual variances  Management review controls are more complex than other controls since they require the examination of combined results as opposed to individual transactions. They involve comparisons of recorded amounts with associated projections based on…

Tags: ,
Categorized in:

Introducing ZenGRC + ZenConnect

Written by
Published 08/19/2019

A Connected Information Security Ecosystem  At Reciprocity, our mission has always been to simplify the way your organization manages risk and compliance, and to encourage transparency and trusted relationships with your key stakeholders.  With ZenGRC, we delivered the industry’s best GRC solution and simplified a traditionally complicated tool to make it easy for CISOs, CROs and CCOs to manage their organization’s information security.  Today, we are excited to announce our next massive milestone: ZenConnect.  ZenGRC + ZenConnect is the first and only integrated GRC solution that fosters a continuous flow of information between the systems, applications and people that are core to your business. It enables out-of-the-box connections to the tools you have in your tech stack to empower a…

ZenGage #AMA Series with Dr. Maxine Henry on the CCPA

Written by
Published 08/16/2019

ZenGage, the new Slack community for information security and GRC professionals, recently hosted CCPA expert Dr. Maxine Henry, in its first #AMA (Ask Me Anything) live Slack chat series. The nation’s most stringent data protection law (so far), the California Consumer Privacy Act of 2018 takes effect Jan. 1, 2020— and it’s generating a lot of buzz. Businesses from coast to coast are girding themselves for sweeping changes in how they collect, share, and protect California residents’ personal information. With the deadline for compliance right around the corner, GRC professionals have a lot of work to do.   In this candid discussion, Dr. Henry answers a broad range of questions, starting with the rights that the CCPA grants to California residents,…

Preparing for an ISO 27001 and 27002 Audit

Written by
Published 08/12/2019

Preparing for an ISO 27001 and 27002 Audit Getting your certification for ISO 27001 is a complex and time-consuming endeavor. But for many organizations, it’s worth the effort. That’s because ISO 27001 is the international standard for Information Security Management System (ISMS). Being able to say you’re “ISO 27001 certified” tells stakeholders that your organization is serious about protecting the security and privacy of their information. Stakeholders include your current and future clients, business partners, suppliers, and customers. In this day and age, that’s no small claim. And in fact, ISO 27001 certification is a must for many enterprises that do business with you. Mere ISO 27001 compliance isn’t always enough. To become certified as ISO compliant, you must pass…

Tags: , , ,
Categorized in:

Which PCI SAQ Do I Need?

Written by
Published 07/31/2019

Which PCI SAQ Do I Need? Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:     How you process credit-card transactions. Do you outsource these transactions to a third party to process, or do it yourself?     What type of payment processing machine or terminal you use for credit and debit card transactions.     Whether you accept payments in-store from customers with a physical card or phone-pay application, or are strictly e-commerce only.   What is an SAQ, and what is it for?  PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC)…