Gary Nelson is a Principal based in Atlanta, Georgia. In addition to being a leader in AICPA attestation services in information security and privacy, Gary also helps lead Schellman’s HITRUST, HIPAA, DEA EPCS, and IoT compliance practices. Gary’s information security and privacy career spans over 20 years, with CPA licensure in multiple states, along with his other certifications and designations listed here. Prior to joining Schellman in 2006, Gary has previously served on the HITRUST Assessor Council and now actively participates in multiple industry organizations, such as the AICPA, ISACA, IAPP, CSA, and EHNAC.
By: GARY NELSON, May 1st, 2017
The short answer is...yes. Now for the long answer - a SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement.
SOC & Attestations | HITRUST | Healthcare Assessments
By: GARY NELSON, August 8th, 2016
One of my favorite quotes from Ghostbusters is the exchange between Ray Stantz and Peter Venkman:
FAQs | HITRUST | Privacy Assessments
By: GARY NELSON, December 7th, 2015
What is the difference between a HITRUST validated report and a HITRUST certification? The HITRUST Validated report and HITRUST Certification both begin with an organization engaging a CSF Assessor firm to audit against the in-scope CSF controls for the system. Within the in-scope CSF controls, which are derived from the details entered in the risk-based questionnaire section (Factors tab) of the myCSF tool, HITRUST has designated 64 specific controls that are required for HITRUST Certification; these are covered under 19 different assessment domains. In order to obtain the HITRUST certification, any control that scores less than a 3+ requires a corrective action plan.
By: GARY NELSON, November 9th, 2015
The control maturity ratings are determined by ranking the compliance maturity of each of the 5 levels of a control:
By: GARY NELSON, August 18th, 2014
While there is no “required” minimum duration for a SOC Type 2 reporting period, AICPA guidance has suggested the use of a period of at least 6 months.
By: GARY NELSON, May 19th, 2014
Do Service Organizations Define The Control Objectives? In a word, yes. For a SOC 1 report, service organizations are tasked with the responsibility of performing a risk assessment to define the different types of risks that are applicable to the specific service offering and infrastructure within scope.