Gary Nelson is a Principal based in Atlanta, Georgia. In addition to being a leader in AICPA attestation services in information security and privacy, Gary also helps lead Schellman’s HITRUST, HIPAA, DEA EPCS, and IoT compliance practices. Gary’s information security and privacy career spans over 20 years, with CPA licensure in multiple states, along with his other certifications and designations listed here. Prior to joining Schellman in 2006, Gary has previously served on the HITRUST Assessor Council and now actively participates in multiple industry organizations, such as the AICPA, ISACA, IAPP, CSA, and EHNAC.
Healthcare Assessments | SOC Examinations
By:
GARY NELSON
May 1st, 2017
The short answer is...yes. Now for the long answer - a SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement.
Healthcare Assessments | SOC Examinations
By:
GARY NELSON
August 8th, 2016
One of my favorite quotes from Ghostbusters is the exchange between Ray Stantz and Peter Venkman: