Organizations take different approaches when it comes to documenting their policies and procedures. Some prioritize keeping them well-documented and easily accessible to employees at all times. Others may only recognize their importance when planning and preparing for an audit as they conduct an extensive review of their existing documentation to determine if they meet audit guideline requirements. Meanwhile, there are companies that overlook or neglect the need for formal policies and procedure documentation altogether.

The media has been filled with stories of high profile credit card breaches, including those from Target, Neiman Marcus, P.F. Chang’s and most recently Home Depot. Details on the Home Depot breach are still emerging, but the details around the Target and Neiman Marcus breaches are well known and causing the public to ask if it will happen again?

With proper design, implementation and maintenance, periodic user access reviews can be an effective tool for service organizations in achieving their security and compliance goals.

Although undergoing a SOC 2 examination is not a mandatory security framework and as such, is not a legal or regulatory requirement for every business, it is often considered a necessity for companies. This is especially true for organizations that regularly store customer data and handle sensitive information.

If your business has been flagged as needing a PCI DSS assessment because you're classified as a "Merchant Level 2" (or Level 1, 3, or 4), you're probably wondering: What does that actually mean? And more likely, what’s the difference between these levels, anyway?

Periodic reviews of system access are critical for service organizations who wish to maintain strong internal control around information security. Access privileges to systems or physical locations that impact the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also facilitate segregation of incompatible duties. For example, in order to segregate incompatible duties, a system developer generally should not also have access to migrate changes to the production environment.

The HIPAA Omnibus Rule which took effect on September 23, 2013, has led to the evolution of the HIPAA Compliance environment. Now more than ever it is important to understand what the security and privacy obligations are of a business associate (BA) or a subcontractor of a BA. BA’s are now mandated to comply with the HIPAA Privacy and Security rule requirements. Below are some high level requirements that BA’s need to be aware of when assessing their compliance environment: