HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for
protecting sensitive patient data. Any company that handles protected health information (PHI) must ensure
that all the required physical, network, and process security measures are in place and followed. This
includes covered entities (CEs), all treatment providers, healthcare payment and operations, business
associates, and personnel with access to patient information who provide support in treatment, payment or
operations. Subcontractors and business associates must also comply with HIPAA.
HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
mandates audits of health care providers to investigate and determine if they follow the HIPAA Privacy Rule
(effective in 2003) and Security Rule (effective in 2005).
PCI-DSS
The PCI Security Standards Council offers comprehensive standards and supporting
materials to enhance data security for payment cards. They include a framework of specifications, tools,
measurements and support resources to help organizations ensure the safe handling of cardholder information at
every step. PCI Data Security Standard (PCI DSS) provides an actionable framework for developing a robust
payment card data security process, including prevention, detection and appropriate reaction to security
incidents.
ISAE-3402
International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on
Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance
Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was
developed to provide an international assurance standard for allowing public accountants to issue a report for
use by user organizations and their auditors (user auditors) on the controls at a service organization that
are likely to impact or be a part of the user organization’s system of internal control over financial
reporting.
SSAE-16 Type 1
An SSAE 16 audit measures the controls relevant to financial reporting. Like SAS 70, the
SSAE 16 standard focuses on guidance for auditors assessing financial statement controls at service
organizations. Type 1 refers to a data center's description and assertion of its controls, as reported by the
company.
SSAE 16 Type 2
An SSAE 16 audit measures the controls relevant to financial reporting. Like SAS 70, the
SSAE 16 standard focuses on guidance for auditors assessing financial statement controls at service
organizations. Type 2 refers to how auditors test the accuracy of the controls and the implementation and
operating effectiveness of those controls over a specified period.
SOC2 Type 1
An internationally recognized best practice framework that specifies the requirements for
establishing, implementing, maintaining and continually improving an Information Security Management System
(ISMS). ISMS is a systematic approach to managing sensitive company information including people, processes
and IT systems.
SOC2 Type 2
A standard designed for technology companies, including data centers, IT managed
service providers, SaaS vendors, cloud-computing based businesses and other technology firms. The SOC2 criteria
are based on the Trust Services Principles (TSP) of security, availability, processing integrity,
confidentiality and privacy, and cover controls outside of financial reporting.
SOC 2
The SOC 2 report focuses on a business's non-financial reporting controls as they relate
to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to
SOC 1/SSAE 16, which focuses on financial reporting controls.
SOC 3
A Service Organization Control 3 (SOC 3) report outlines information related to a service
organization's internal controls for security, availability, processing integrity, confidentiality or privacy.
These five areas are the focuses of the AICPA Trust Services Principles and Criteria.
ISO 27001
An internationally recognized best practice framework that specifies the requirements for
establishing, implementing, maintaining and continually improving an Information Security Management System
(ISMS). ISMS is a systematic approach to managing sensitive company information including people, processes
and IT systems.
ISO 22301
An international standard for Business Continuity Management (BCM), ISO 22301 replaces
British standard (BS) 25999. It specifies requirements to plan, establish, implement, operate, monitor,
review, maintain and continually improve a documented management system to prepare for, respond to and recover
from disruptive events such as natural disasters, environmental accidents, technology mishaps and man-made
crises.
ISO 50001
ISO 50001, the most current version being ISO 50001:2011, specifies requirements for
establishing, implementing, maintaining and improving an energy management system, whose purpose is to enable
an organization to follow a systematic approach in achieving continual improvement of energy performance,
including efficiency, use and consumption. It has been designed to be used independently, but it can be
aligned or integrated with other management systems.
ISO 9001
ISO 9001 is a certifiable quality management system (QMS) standard for organizations that want to
demonstrate their ability to consistently provide products and services that meet the needs of their customers
and other relevant stakeholders.
ISO 14001
ISO 14001, the most current version being ISO 14001:2015, specifies the requirements for an
environmental management system that an organization can use to enhance its environmental performance in a
systematic manner that contributes to the environmental pillar of sustainability.
NIST-800-53
NIST 800-53 is published by the National Institute of Standards and Technology, which
creates and promotes the standards used by federal agencies to implement the Federal Information Security
Management Act (FISMA) and manage other programs designed to protect information and promote information
security. Agencies are expected to meet NIST guidelines and standards within one year of publication. National
security is not included in these standards.
NIST Cloud
The National Institute of Standards and Technology (NIST) 800-53 security controls are
generally applicable to Federal Information Systems. These are typically systems that must go through a formal
assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and
availability of information and information systems, based on the security category and impact level of the
system (low, moderate, or high), and a risk determination.
FISMA
United States legislation that defines a comprehensive framework to protect government
information, operations and assets against natural or man-made threats. FISMA was signed into law as part of
the Electronic Government Act of 2002. The National Institute of Standards and Technology (NIST) outlines nine
steps toward compliance with FISMA.
DIACAP
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the
Department of Defense (DoD) process to ensure that risk management is applied on information systems (IS).
DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure
process for the certification and accreditation (C&A) of a DoD IS that will maintain the Information Assurance
(IA) posture throughout the system’s life cycle.
SOX
In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect
shareholders and the public from accounting errors and fraudulent practices in enterprises, and to improve the
accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements.
All public companies now must comply with SOX, both on the financial side and on the IT side. The way in which
IT departments store corporate electronic records changed because of SOX.
FIPS-140
FIPS 140-2 certification is important to any vendor selling cryptography into the Federal
market. If your IT product uses any form of encryption, it will likely require validation against
the FIPS 140 criteria by the Cryptographic Module Validation Program (CMVP), run jointly by NIST in the United
States and CSE in Canada, before it can be sold and installed in a Federal agency or DoD facility. The standard
defines the security requirements that must be satisfied by a cryptographic module used in a security system
protecting unclassified information within IT systems.
EHNAC
Founded in 1993, the Electronic Healthcare Network Accreditation Commission (EHNAC) is an
independent, federally recognized, standards development organization and tax-exempt, 501(c)(6) non-profit
accrediting body designed to improve transactional quality, operational efficiency and data security in
healthcare.
EU-US Privacy Shield
The EU-US and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department
of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the
Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the
European Union and Switzerland to the United States in support of transatlantic commerce.