The Schellman Blog

The fight against cyber threats is one that requires much more preparation than it may have in the past. Today, threats and attacks are disrupting business operations and unnerving boards of directors, managers, customers, investors, and other stakeholders in organizations of all sizes, both public and private. The first rule in a fight is to protect yourself at all times, and the AICPA's SOC for Cybersecurity reporting framework can help.

As technologies continue to advance, corporations will consistently evaluate whether responsibilities should be managed internally or outsourced to a qualified vendor. Whatever the criteria your senior management / board of directors utilize as a benchmark for vendor consideration, questions and concerns should be at the forefront of the vendor management program. A primary consideration to remember is that while the idea of outsourcing tasks may seem like the clear risk management option, an organization must understand that the associated risks are not removed from the company, but rather just transferred and still a responsibility for the firm collecting and transmitting their customer information.

Now also known as the growing Internet of Things (IoT), connected devices are becoming more and more integrated into our everyday lives, continuously collecting our personal and non-personal data to make life more convenient. As such, manufacturers are constantly searching for new ways to connect devices, expanding the IoT to include home security systems, healthcare devices, smart locks, and children’s toys to meet both expectation and demand. Though all of this indicates positive technological innovation and progress, one substantial problem remains – data security and privacy.

Now also known as the growing Internet of Things (IoT), connected devices are becoming more and more integrated into our everyday lives, continuously collecting our personal and non-personal data to make life more convenient. As such, manufacturers are constantly searching for new ways to connect devices, expanding the IoT to include home security systems, healthcare devices, smart locks, and children’s toys to meet both expectation and demand. Though all of this indicates positive technological innovation and progress, one substantial problem remains – data security and privacy.

PHI stands for Protected Health Information, while Electronic Protected Health Information (ePHI) refers to any individually identifiable health information that is created, stored, transmitted, or received electronically. That being said, many organizations run into trouble with how to define exactly what PHI and ePHI are, and that's because it's not always so simple to discern.

Imagine this, it's a late Wednesday afternoon and you are wrapping up your previous SOC engagement while simultaneously working on your current engagement. A check of your upcoming schedule reveals that next week, yet another SOC engagement for a client in your area looms. Juggling multiple engagements can be tricky, but must less so if there’s a tried and true process that’s become routine. Here are five easy steps to help an auditor prepare for a SOC engagement.

**Since the publication of this blog, the FedRAMP PMO has, in 2022, updated the FedRAMP Penetration Test Guidance. Schellman breaks down the latest in our article here.)

Well over a year ago, the PCI Standards Council announced, in addition to other requirements, that a PCI charter would now be required for service providers after January 31, 2018. Few service providers have implemented this yet, but all will soon need one to maintain or achieve PCI compliance.