
The Schellman Blog

Blog Feature

Payment Card Assessments | PCI DSS

By: Schellman Compliance
June 30th, 2014

If your business has been flagged as needing a PCI DSS assessment because you're classified as a "Merchant Level 2" (or Level 1, 3, or 4), you're probably wondering: What does that actually mean? And more likely, what’s the difference between these levels, anyway?

Blog Feature

Compliance and Certification | SOC Examinations

By: Schellman
May 11th, 2014

Periodic reviews of system access are critical for service organizations that wish to maintain strong internal control around information security. Access privileges to systems or physical locations that affect the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also facilitate segregation of incompatible duties. For example, in order to segregate incompatible duties, a system developer generally should not also have access to migrate changes to the production environment.

Blog Feature

Healthcare Assessments

By: Danny Manimbo
May 5th, 2014

The HIPAA Omnibus Rule, which took effect on September 23, 2013, has led to the evolution of the HIPAA compliance environment. Now more than ever, it is important to understand the security and privacy obligations of a business associate (BA) or a subcontractor of a BA. BAs are now mandated to comply with the HIPAA Privacy and Security Rule requirements. Below are some high-level requirements that BAs need to be aware of when assessing their compliance environment:

Blog Feature

Assurance / Service Audits | Audit Readiness

By: Schellman
May 1st, 2014

Effective January 1, 2002, the Institute of Internal Auditors (IIA) released updated standards in the International Professional Practices Framework (IPPF). According to Standard 1312 of the IPPF, internal auditing departments must complete an external assessment once every five years by a qualified, independent assessor or assessment team. In addition, the chief audit executive (CAE) must discuss the form and frequency of external assessments, and the qualifications and independence of the external assessor or assessment team, with the board of directors. Standards (unlike practice advisories, practice guides, and position papers) are principle-focused mandatory requirements: statements for the professional practice of internal auditing and for evaluating the effectiveness of performance, applicable at both the organizational and individual levels.

Blog Feature

SOC Examinations

By: Danny Manimbo
April 7th, 2014

When auditors begin to test procedures for compliance examinations (e.g., SOC 1, SOC 2), there are cases where clients are performing certain tasks but have not documented them, which puts the auditors in a precarious position.

Blog Feature

SOC Examinations

By: Schellman
March 1st, 2014

In my line of work, it is not only advisable to have a mastery of the facts, but prudence would suggest that a good dose of foresight and reason based on actual experience can oftentimes be as valuable a tool. Since the days of the SAS 70, we have seen several subjective opinions about both the appropriateness and/or the ineffectiveness of the SAS 70 report. Even today, there continue to be concerns about how SOC 1 reports, also known as SSAE 16 examinations, are being used in situations that have no bearing on internal controls over financial reporting.

Blog Feature

Education | ISO Certifications

By: Ryan Mackie
December 9th, 2013

Undoubtedly, ISO 27001 certification is recognized globally and revered as one of the highest and most comprehensive certifications an organization can attain. The high esteem in which the certification is held is substantiated by the effort and dedication required of an organization to attain it. As an internationally accepted certification, ISO 27001 represents an organization's ability to effectively manage information security risks with a certified information security management system (ISMS).
