Ask Me Anything: A-LIGN’s HIPAA Expert Holds a Reddit Q&A
A-LIGN’s Senior Manager Blaise Wabo recently returned to Reddit to hold another Ask Me Anything (AMA) Q&A session on the /r/technology subreddit. Blaise fielded important questions on the state of healthcare security, HIPAA compliance and cybersecurity threats to sensitive health data.
HIPAA is a hot-button issue in the world of compliance and security, so it didn’t take long for the AMA to amass hundreds of questions from curious Redditors. Below are the top questions, but we encourage everyone to read the full AMA.
Q: Can you give a brief explanation of what’s changed with HIPAA and HITRUST regulations between the last time you were here and now? Additionally, how well have the companies affected by the seemingly-continuous massive data breaches adhered to those regulations? How much danger is the average citizen in when this info is leaked assuming the affected company encrypts the data? How about when they don’t?
I am glad to be back and doing this HIPAA AMA. So there have not been many changes in HIPAA, but on February 11, 2019, HHS (Health and Human Services) announced two proposed rules to support the seamless and secure access, exchange and use of ePHI (electronic protected health information). These rules will focus on patient access to their records and APIs (application programming interfaces) with ePHI. This release was in conjunction with CMS (Centers for Medicare and Medicaid Services) and ONC (Office of the National Coordinator for Health Information Technology) announcing that they are extending the public comment period by 30 days for the two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.
Also, OCR (Office for Civil Rights) has concluded a record year in HIPAA enforcement activity. In 2018, OCR settled ten cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22%. In addition, OCR also achieved the single largest individual HIPAA settlement in history with $16 million from Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. As you can see, hackers are becoming more and more sophisticated and it is the responsibility of covered entities, business associates, patients and every other player in the food chain to secure PHI.
Regarding HITRUST, there has been the release of CSF v9.1 and now v9.2, and v9.3 will be released in Q3 of this year. Basically, HITRUST made their framework industry agnostic, so it is no longer specific to healthcare and any organization in any industry can now adopt the HITRUST CSF as their risk assessment framework. They have also added GDPR, NYCRR 500, California CPA, Singapore Privacy, and some other regulations to their framework.
Q: I’m an IT Director and currently evaluating 2 different vendors to perform a cybersecurity audit of our infrastructure and processes. One is providing CISSP and CISM certified resources while the other is not; their resources credentials include years of industry experience but no certifications. I’m inclined to choose the better-certified vendor. Any thoughts? The goal is to meet contractual obligations to clients and do our due diligence. We’re not doing it to meet compliance needs. Thanks!
I would say go with the firm that has certified assessors/auditors. You do not want folks that do not understand security to ask you questions.
Q: How often do you perform an audit, find significant problems and the organization does absolutely nothing about it?
It is not the auditor’s responsibility to ensure gaps are fixed; it is management’s responsibility to understand the risk and deploy controls to remediate the gaps identified. Auditors should be careful doing business with organizations that do not take security seriously as their license and reputation could be at risk.
Q: What is your position on PHI transmission before one officially becomes a patient? For instance, many people will email us, disclosing PHI in regular email or a contact form from our website. When and where does HIPAA compliance officially kick in?
It kicks in once that patient has had a diagnostic. If all you have is PII and not PHI as defined by HHS, technically HIPAA does not apply to you.
Q: The medical field is one of the fields that always seems to be out of the loop when it concerns adopting and upgrading the software of pre-existing systems. From what I understand, the certification requirements in the medical industry can make it difficult to be flexible in implementing security updates compared to other industries.
With major threats such as the newly discovered MDS vulnerability, the Spectre/Meltdown vulnerabilities discovered last year, and minor threats discovered on a weekly basis, how do security audits help prepare medical facilities against the constant onslaught of unforeseen threats? Can strict security certifications hamper the mitigation of newly discovered vulnerabilities? Do medical security audits give backend engineers the flexibility they need to quickly fix issues discovered in certified systems?
I would say before deploying any upgrades or fixes, you want to make sure it is tested in a test environment before being deployed to production. Also, security is always based on risk. Make sure a risk assessment is performed periodically to integrate any recently discovered vulnerabilities and implement controls to mitigate those risks.
Q: Can you give some tips for staying secure & HIPAA compliant in therapy sessions conducted online (like trustworthy video chat clients with location tracking), and for storage of therapy notes and records?
- Use a trusted and secure platform
- Ensure the sessions are encrypted including the voice recordings and any notes/chat
- Always advise patients to keep any data confidential and be in a safe environment before initiating the session
Q: Despite more and more organizations taking cybersecurity seriously, breaches continue to happen. Why do you think this is? What is the most common missing control you encounter?
What do you believe is the best bang-for-your-buck control an organization can implement to increase their security posture?
Great question. No matter how secure your environment might be, your weakest link is always your people. So, we must make sure we dedicate a lot of resources to training our people on security awareness, social engineering, etc.
Q: There’s always a lot of attention paid to insufficiently strong security and data breaches but what do you think most healthcare providers do well in terms of cybersecurity (if anything)?
I think healthcare providers are taking security more and more seriously, but to your point, we have a long way to go. I suppose that is why there are laws like HIPAA and consequences for not doing due diligence to follow these laws.
Everything You Need to Know About Bridge Letters
Bridge letters are an element of SOC 1 and SOC 2 reporting that you may not be aware of. They can give your clients additional confidence in the effectiveness of your organization’s controls environment between examinations, at no additional cost or time.
What is a Bridge Letter?
SOC 1 and 2 examinations take a lot of preparation and time to ensure compliance, but as you may have noticed, SOC reports often cover only a portion of an organization’s fiscal year. What do you do if your organization’s SOC report doesn’t cover the entire fiscal year? Thankfully, there are bridge letters.
As the name implies, a bridge letter – also known as a gap letter – is a letter that bridges the gap between the end date of the review period of your most recently completed SOC report and the date of the bridge letter. For instance, if your organization’s most recently completed SOC 1 report covers the period from November 1st, 2017 through October 31st, 2018, but your organization’s fiscal year-end is December 31st, 2018, you can provide your clients a bridge letter stating that there have been no significant changes, issues or deficiencies in your organization’s controls between October 31st and December 31st. This notice gives your clients confidence that there have been no significant changes to your controls environment that could adversely impact the conclusions reached in your most recently completed SOC examination.
Note that a bridge letter is signed off by the organization itself and provided directly to its customers. The CPA firm who performed the SOC examination does not attest to anything in the bridge letter or sign the bridge letter, as they did not perform any additional procedures to verify whether the organization’s controls environment changed or continued to operate effectively since the actual SOC audit was completed.
How Long Can a Bridge Letter Cover?
A bridge letter normally covers a period of three months, as it is only meant to cover a short duration of time between the report period end date and the organization’s fiscal year-end. If you are wanting to use a bridge letter to cover a period of more than three months, you should consider whether it is time to perform another SOC examination. Because bridge letters are meant to cover a short duration, it is important that SOC examinations be regularly completed (at least annually), as they provide actual third-party assurance on the effectiveness of your organization’s controls environment.
What’s in a Bridge Letter?
There are a few important elements of a bridge letter including:
- The review period of the most recently completed SOC 1 or SOC 2 report, including beginning and ending dates
- Any changes in the organization’s controls environment (if applicable). If there are no changes, the letter must state that the organization is not aware of any material changes in their controls environment
- A statement that, as of the date of the bridge letter, the service organization is unaware of any material changes, issues or deficiencies in the control environment that could change the opinion of the auditor who performed the SOC examination
- A statement that the bridge letter relates solely to the organization and may not be relied upon by any other entity
Protecting Your Organization and Business Relationships
By providing your clients with additional confidence in your organization’s compliance, a bridge letter can save your organization additional cost and time. While not a replacement for an actual SOC examination, a bridge letter can be a vital and helpful asset for your organization and its clients in between examinations.
A Quick NIST Cybersecurity Framework Summary
Running an organization today means not only performing expected business requirements and generating revenue, but also defending yourself against an endless onslaught of cybersecurity threats. The NIST Cybersecurity Framework is designed to help you grow your organization while defending yourself from cyberattacks.
What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a framework to support businesses and combat cybersecurity threats. Created from an executive order in 2013, the National Institute of Standards and Technology (NIST) worked with over 3,000 people from diverse backgrounds including academia, industry, and government to create a voluntary framework to address threats and support businesses as a way of protecting the economy and boosting national security.
Originally designed for U.S. private-sector owners and operators of critical infrastructure, the NIST Cybersecurity Framework has since evolved to include global communities and organizations as its stakeholders.
As of 2015, 30% of U.S. organizations used the NIST Cybersecurity Framework, and a Gartner report predicts that 50% will use it by 2020. Companies large and small have adopted the framework into their cybersecurity policies, including JP Morgan Chase, Boeing, Intel, Microsoft, the Bank of England and the Ontario Energy Board.
How the NIST Cybersecurity Framework Works
The Cybersecurity Framework acts as a guide for organizations to follow. Because all organizations face different challenges, the NIST stresses that the framework should be customized to meet particular risks or industry needs.
At the heart of the Cybersecurity Framework are three components:
- The Framework Core: Using easily understood language, the Framework Core organizes cybersecurity activities and outcomes under five Functions – Identify, Protect, Detect, Respond and Recover – broken down into Categories and Subcategories, to help organizations mitigate risk while complementing existing policies and procedures.
- Implementation Tiers: The four Implementation Tiers (Partial, Risk Informed, Repeatable and Adaptive) describe how rigorous and integrated an organization’s cybersecurity risk management practices are. They are not maturity levels, but they are often used to start organizational conversations about budget, mission priority and risk appetite.
- Profiles: A Framework Profile aligns the Core’s outcomes with an organization’s business objectives, requirements, risk appetite and resources. By comparing a Current Profile (what is in place today) with a Target Profile (the desired state), organizations can identify and prioritize opportunities for improving cybersecurity.
Benefits of the NIST Cybersecurity Framework
While not required, more organizations are adopting the cost-effective NIST Cybersecurity Framework with every passing year. By using the framework, organizations can better understand and mitigate the risks they face every day and make the best use of the money they spend on cybersecurity. The framework helps organizations see which activities are most important to critical service delivery and ensure that they are allocating proper resources to protect them. Organizations that have used the framework have reported stronger protections and enhanced cybersecurity policies.
A Solution for Any Organization
Because of its careful design and its ability to be tailored, the NIST Cybersecurity Framework provides scalable guidance for organizations of any size and industry. As adoption and recognition continue to grow, the NIST Cybersecurity Framework will only continue to improve cybersecurity policies and procedures for organizations in the decade to come.
IT security is an ever-growing concern from consumers and businesses. The last few years of breaches resulting from insecure IT environments have changed the buying process and selection criteria for many organizations. Securing a business’s critical information is a top priority and with companies outsourcing more and more of their IT services to third parties, there is a greater focus on the security in place at Managed Service Providers (MSPs). MSPs provide various IT services such as network security, backups, infrastructure and software as a service.
In the past, MSPs were able to self-attest to how secure their environment was, but as more companies outsource their IT functions to MSPs, more scrutiny and focus is being placed on having an independent assessment of the security in place in the MSP’s environment. Many forward-looking MSPs have determined that the easiest way to show independent assurance is to provide their customers with a System and Organization Controls (SOC 2) report – a report issued by an independent, licensed CPA firm that contains the firm’s formal opinion on the MSP’s security controls. Note that as an MSP, you may be familiar with the acronym “SOC” standing for Security Operations Center; in the world of compliance, “SOC” stands for System and Organization Controls.
What is a SOC 2 Compliance Report?
A SOC 2 report can differentiate your business by providing your customers with assurance regarding the IT controls in place that protect the systems and data critical to operations, as well as their sensitive data. The SOC 2 examination is built on five Trust Services Principles (TSPs): Security, Availability, Confidentiality, Processing Integrity and Privacy – with Security being required in all reports. Depending upon the services you provide and the level of access you have to your customers’ data, you can choose to be tested against Security alone or against additional principles, based on the controls in your environment.
With a SOC 2 report, your customers have confidence that their sensitive and critical information is secured, made available and protected from unauthorized access. Although ultimate accountability for customer information remains with the customer, their vendor risk management program will request evidence that appropriate controls are in place to protect their data, and a SOC 2 report is an easy way to provide it. Please also note that the SOC 2 framework and requirements change for SOC 2 reports with a report period end date after December 15, 2018. As part of the changes, the terminology is changing from Trust Services Principles and Criteria to Trust Services Criteria (TSCs).
MSP Benefits From a SOC 2 Compliance Report
A SOC 2 compliance report provides many benefits for an MSP, including the following:
Accelerated business and market growth
One of the greatest benefits of completing a SOC 2 examination is the opportunity to accelerate business and market growth. Being able to provide a SOC 2 report opens doors to new opportunities with larger customers and differentiates your business from your competition. (A SOC 2 is an attestation report, not a certification, so describe it to prospects as a report rather than as being “SOC 2 certified.”) MSPs we have spoken with are leveraging their SOC 2 report as a marketing tool – whether it is for new business or to demonstrate to existing customers their continued focus on securing their environment. Further, many prospects see their MSP as a commodity and are not able to differentiate one from another. Having the SOC logo on your website, your marketing materials and sales proposals sets you apart.
Continuous improvement of your security program
Undergoing a SOC 2 examination provides an independent assessment of how secure your environment is. The SOC 2 criteria are thorough in their security requirements, from assessing overall governance to reviewing the system security controls.
Going through a SOC 2 examination helps formally establish the baseline internal controls in place that secure your environment as well as give you the ability to reassess how well those controls operate year over year.
Increased valuation of your MSP
A SOC 2 report can lead to increased growth and sales. In certain instances, MSPs are acquired primarily to gain access to their valuable customer base, and an independently assessed control environment makes that business more attractive to a buyer. The SOC 2 assessment can be a major asset for your MSP – and can also be a major contributor to customer success and satisfaction.
Getting Started With a SOC 2 From A-LIGN
As customers begin to enhance their vendor management practices to secure their information, requests for compliance reports such as a SOC 2 report will become more and more frequent. Working with a compliance service provider like A-LIGN, who has certified compliance professionals with extensive experience performing SOC 2 examinations, can set you on the right path in building credibility and trust with your customers. Moreover, A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC, PCI, ISO, GDPR, FISMA and NIST to help you meet all compliance needs.
Ask an Assessor: Death Master File
The Death Master File (DMF) is a protected file that includes information regarding the deceased such as:
- Name
- Date of Birth
- Date of Death
- Social Security Number
Since November 28, 2016, organizations have faced a stricter certification process to be granted access to the DMF. In that time, A-LIGN has served as an Accredited Conformity Assessment Body (ACAB) that has submitted written attestation to validate that the appropriate controls are in place to maintain the confidentiality and security of DMF information. Senior Manager, Sue Wells, took the time to discuss the challenges that organizations face when seeking DMF certification and how A-LIGN can help.
Death Master File FAQ
What lessons have we learned from our DMF successes, as assessors, that we can utilize to help future clients that require DMF access?
Some of our DMF clients have never had any type of audit before, so there is a learning curve for those organizations to understand the process, such as document requests. For organizations that have never been certified before, they need to understand the steps to achieve certification:
- A-LIGN conducts testing against the approved standard.
- Once testing is complete, organizations must go to the National Technical Information Service (NTIS) website to pay the required fees. Organizations pay $1,575 annually for certification to NTIS, and an additional $525 every 3 years when 3rd party certification must be completed again. These fees are separate from those paid to the ACAB for attestation, as they are paid directly to NTIS. Once fees are paid, the organization will be provided a processing number.
- From there, organizations must obtain the attestation form from the NTIS website and provide A-LIGN with the processing number to complete the attestation.
- A-LIGN files the attestation documentation.
What information do companies seeking DMF certification need to know regarding their vendors and how they may impact their ability to be certified?
If significant technical safeguards used to protect the DMF are provided by a third party, the organization may have to obtain information directly from that third party to provide to A-LIGN, because the DMF attestation form does not allow other organizations to be carved out. In this event, the third party’s technical safeguards would still need to be verified.
What standards can organizations certify against?
Since 2015, A-LIGN has successfully helped several organizations achieve certification by certifying against standards such as SOC 2, PCI DSS, and NIST 800-53.
Helping You Achieve DMF Certification
NTIS can conduct both scheduled and unscheduled compliance audits, and organizations that fail to comply with the set provisions may be subject to fines of up to $250,000 per year. As an ACAB, A-LIGN can attest to your organization’s ability to protect DMF information. We have extensive experience in testing the required controls and can guide your organization through the certification process with ease.
Types of Malware and How to Prevent Malware Attacks
Malware is ‘malicious software’ intended to damage, disable, or exploit computers or computer systems. It is a term most have become familiar with in the digital age because of its high presence and problematic consequences.
The use of malware continues to increase and evolve each year. G DATA Security reported that in 2016, about 127 million new malware emerged, which is approximately 1 per every 4.2 seconds. More recently, many types of malware have been built to generate profit for their creators through the theft of sensitive information, forced advertisements, extortion of money, and email spam. Because of this variety, it is important to understand and recognize the different types of malware that your organization could come across.
Spyware
Spyware is exactly what you would guess – malware designed to spy on and gather information about the user. It can be used to track and monitor Internet activity, discover and extract sensitive information, and log keystrokes.
If your system becomes infected with spyware, the hacker can access company information, payment card information, and the consumer profile of users. This stolen activity and information can be sold or used to harm the infected user.
Prevention tip: Don’t click embedded links within pop-up windows
Clicking a link or button in a malicious pop-up window can trigger a download that installs spyware on the computer. Closing such windows through the browser rather than clicking anything inside them prevents an accidental download.
Adware
Adware is a type of malware that automatically delivers advertisements to a user to generate revenue for its creator. This can be done through pop-up internet ads or ads embedded in the interface of a program. Adware is popularly used in conjunction with spyware.
Once personal information has been collected through spyware, advertisements can be catered to the user. This invades the privacy of users and causes disruption of computer functionality and productivity.
Prevention tip: Only download from known, credible websites
Unknown websites are common grounds for adware, therefore users should be vigilant about the locations from where they are downloading items.
Ransomware
Ransomware is a type of malware that can restrict users from accessing a system or data, and even delete or publish data if a ransom is not paid. It can restrict a user from access to files through encryption. There is still no guarantee that paying the desired ransom will restore systems or data.
Most ransomware today falls under two categories:
- Locker ransomware: restricts access to the computer or infected device
- Crypto ransomware: restricts access to files and stored data
Although malware is continually evolving, there are common strains of ransomware that have been discovered and identified including Cerber, CTB- Locker, TeslaCrypt, and CryptoWall.
Prevention tip: Back-up data offline daily
Ransomware encrypts every file it can reach, which includes mapped network shares and backup drives that are still connected to the infected system. A backup that is kept offline, or otherwise out of reach of the compromised host, cannot be encrypted along with the live data. Users who experience a ransomware attack then have an untouched copy of their files and will not be forced to pay the ransom to regain access. A backup is only as good as its restore, so verify backup integrity and test restores regularly rather than discovering a problem during an incident.
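The following is an added example, not code from the original post: a small Python demonstration of why the backup must be offline and why it should be verified. It builds a constructed workstation with two small sample files, takes one backup to a still-attached share and one to detached media, runs a toy file scrambler that stands in for crypto ransomware (a byte-wise XOR, which is not real encryption and only simulates the effect), and then checks each backup against a SHA-256 manifest. All paths, file contents and the scrambler are assumptions made for the demonstration.

```python
"""Added example: offline backups survive ransomware, attached ones do not.

Nothing here is real ransomware or a production backup tool; it simulates the
effect so that the manifest check can be exercised end to end.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and write a manifest mapping relative path -> sha256."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = {
        str(p.relative_to(dest)): sha256_file(p)
        for p in sorted(dest.rglob("*"))
        if p.is_file()
    }
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify(dest: Path) -> list:
    """Return the relative paths that no longer match the manifest.

    A missing or unreadable manifest is itself a failure, because ransomware
    that reaches the backup will scramble the manifest along with the data.
    """
    manifest_path = dest / MANIFEST
    if not manifest_path.exists():
        return ["<manifest missing>"]
    try:
        expected = json.loads(manifest_path.read_text())
    except (UnicodeDecodeError, json.JSONDecodeError):
        return ["<manifest unreadable>"]
    failures = []
    for rel, digest in expected.items():
        p = dest / rel
        if not p.is_file() or sha256_file(p) != digest:
            failures.append(rel)
    return failures


def toy_ransomware(root: Path, key: int = 0x5A) -> int:
    """Constructed stand-in for crypto ransomware: scramble every reachable file.

    XOR with a single byte is NOT encryption; it only reproduces the effect
    that every file under 'root', including any attached backup, is altered.
    Returns the number of files touched.
    """
    touched = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            touched += 1
    return touched


def demo() -> dict:
    """Run the scenario in a temporary directory and report what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        workstation = tmp / "workstation"
        docs = workstation / "docs"
        docs.mkdir(parents=True)
        # Constructed sample data standing in for ePHI on a clinic workstation.
        (docs / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (docs / "notes.txt").write_text("session notes (constructed)\n")

        attached = workstation / "backup_share"  # mapped share: reachable by malware
        offline = tmp / "offline_media"          # detached media: out of reach
        backup(docs, attached)
        backup(docs, offline)

        # The malware runs on the workstation and reaches docs AND the attached share.
        scrambled = toy_ransomware(workstation)

        return {
            "files_scrambled": scrambled,      # 2 documents + 2 copies + 1 manifest
            "attached_bad": verify(attached),  # manifest itself is scrambled
            "offline_bad": verify(offline),    # untouched: empty list
        }


if __name__ == "__main__":
    print(demo())
```

The attached backup fails verification before any file hash is even compared, because its manifest was scrambled along with the data; only the copy that was out of the malware’s reach verifies cleanly. In practice the manifest should also be stored separately from the backup media it describes, so that a tampered backup can be detected even when the media itself is compromised.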
Trojan Horse
One of the most common forms of malware is the Trojan Horse. Attackers disguise this malware as something desirable, such as a special offer, a gift or a legitimate-looking program, to get into a computer system they otherwise would not have access to. A Trojan Horse often has the same capabilities as other malware, including spyware and adware, causing enormous problems for the user.
Once granted access, this malware can:
- Steal sensitive data
- Crash devices
- Block anti-virus software
- Control the system remotely
- Spy on users
- Take payment card information
- Delete or modify user data
- Use the computer as a proxy
- Spread itself across networks
Prevention tip: Carefully read licensing agreements before downloading
A Trojan Horse runs only because the user chooses to run it, so it hides inside software the user wants: bundled installers, cracked programs, or “free” utilities whose licensing agreements quietly disclose extra components. Use caution, and read what you are agreeing to, to avoid installing something that could cause harm to your computer.
Virus
One of the most widely discussed types of malware is the virus. A virus is a malicious computer program used to alter the way the computer operates and is capable of replicating itself and spreading to other devices. These can infect documents, script files, web applications, and other various programs.
The consequences of a computer virus can vary widely from annoying and benign to severely damaging. The most common side effects include a drastic decrease in computer speed, modification of data files, and disabling of protective software such as a firewall or anti-virus. Once established, a virus can install ransomware and spyware, leading to further damage. Viruses can reduce computer performance and permanently crash or disable computer systems. Some viruses can even remain dormant after being acquired, waiting for a specific trigger such as a date or the presence of another file before executing.
Prevention tip: Only join secure networks
Using an open Wi-Fi connection exposes a system to everyone else on that network: traffic that is not encrypted can be read or altered in transit, and exposed file shares or services can be reached by other devices on the same network. Only use trusted networks, or a VPN over untrusted ones, when in public locations, and keep file sharing turned off on such networks.
Worm
A worm is like a virus in that it replicates itself to infect other computer systems. However, unlike a virus, a worm does not need to attach itself to an existing program or wait for a user to run it. A virus relies on a human to open the infected file, attachment or link, while a worm spreads on its own, typically by exploiting a vulnerable network service on neighboring machines.
A worm can consume bandwidth, install backdoor programs, and delete or corrupt data files and operating system components. Because worms do not require any action by the user to be released or to spread, they are particularly difficult to defend against and to remove from computer systems.
Prevention tip: Use the appropriate firewall
A firewall limits which network traffic can reach a system. Because worms spread by connecting to exposed services, blocking inbound connections to every service that does not need to be reachable, both at the network perimeter and on each host, removes most of the paths a worm uses to propagate.
Conclusion
Without protective and proactive measures, organizations can experience the costly and damaging effects of malware. According to Forbes, cybercrime costs are projected to reach $2 trillion by 2019. In this growing cybercrime landscape, organizations should be preparing for any potential danger, including cyber-attacks. To mitigate the increased risks, A-LIGN can help you with the right strategy to keep your organization from becoming another victim of malware attacks.
Preparing for Disaster: Understanding Business Continuity Management and Disaster Recovery
Operating in an environment that continually transforms can be challenging and sometimes system failure is inevitable. Although having proactive prevention programs is necessary, it is equally as important to have reactive disaster strategies.
Potential causes of downtime include:
- Natural risks: Hurricane, fire, earthquake, etc.
- Human-caused risks: Terrorism, crime, manmade structure failure, etc.
- Civil risk: Riots, labor disputes, local political instability, etc.
- Supplier risk: Power supplier failure, transportation vendor failure, etc.
Implementing a proper plan could mean the difference between your business surviving a disaster or going completely under. Business executives recognize that not all plans are created equal and that developing the right strategy depends on the organization and its distinct needs.
Strategizing for Your Plan
For the most effective design, the strategy should have two major sections:
- Business continuity management (BCM) plan
- Disaster recovery plan (DRP)
Since these two elements considerably overlap, it’s imperative that they are incorporated into a holistic approach.
Business Continuity Management
When a disaster strikes, businesses are tested in their ability to restore their operations in the most efficient and effective manner. To ensure that their infrastructure can endure and counteract various problems, executives develop, plan and test their organizational foundation using a BCM plan.
This process helps define the mission-critical processes, the duration to restore processes, the key personnel involvement, the notification workflows, and the logistics of continuing operations.
Based on several recommended and mandatory BCM procedures, there are specific steps that should be considered while developing a plan:
Due to the potential and considerable damages associated with disruptive events, BCM plans are a necessity for any business. Research indicates that only 13 percent of businesses with no BCM framework in place could recover all mission-critical processes per predefined recovery objectives.
Disruptions come in all shapes and sizes, from minor events with an average duration of 19 minutes, to substantial events lasting over 7 hours. Based on the duration and category, a disruptive event can cost a business between $32,000 to $53,000 per minute.
However, establishing a BCM plan isn’t enough; for the most effective outcomes, businesses should continue to develop their plan each year as the business grows. One of the largest success factors is the maturity of a business’s program. By 2019, Gartner predicts that 35 percent of organizations with BCM programs that lack maturity will endure major problems recovering one or more mission-critical business processes.
Disaster Recovery Plan
Another critical element to include is a DRP. The DRP is the process a business uses to support the infrastructure and regain access to resources that are needed to resume normal, critical business functions, either through maintaining a vital workforce or by recovering critical services and applications such as email, trading, voice, file server, accounting, and mobility.
Due to the variety of disruptive events that can impact businesses, it’s important that DRPs are designed to be versatile and adaptable. Key elements of a DRP include:
- Policy statement and objective
- Authentication tools (passwords)
- Geographical risks and factors
- Tips for dealing with media
- Financial and legal information and steps
- Plan’s history
Currently, only 30 percent of businesses report having a fully documented disaster recovery strategy. Among those, approximately 33 percent revealed that their disaster recovery plan proved inadequate during a critical response to an outage.
Recovering from Disaster
Businesses continue to evolve, implementing new and improved strategies to help manage the risks that disasters pose. A-LIGN offers the following services to organizations seeking business continuity and disaster recovery services:
A business’s success can heavily rely on strategic planning; therefore, when it comes to mitigating the risks of a disruptive event, both proactive and reactive plans are critical. Don’t just survive in the event of a disaster: plan to weather the storm and fortify your business. Take the first step towards establishing a resilient plan for your business today.
Becoming Certified to Access the Limited Access Death Master File
What is the Limited Access Death Master File (LADMF)?
The LADMF, or Limited Access Death Master File, contains sensitive information that cannot be disclosed during the three-year period following an individual’s death, including:
- Social Security Number
- Name
- Date of Birth
- Date of Death
Effective November 28, 2016, organizations face a more stringent certification process to be granted access to the DMF. To access the DMF, an individual or entity must:
- Have a legitimate fraud prevention interest; or
- Have a legitimate business purpose pursuant to a law, government rule, regulation, or fiduciary duty
The main changes that organizations need to be prepared for are:
- Annual recertification by the organization seeking access
- Third-party conformity attestation every three years
- Agreement to scheduled and unscheduled audits, conducted by the National Technical Information Service (NTIS) or by an Accredited Conformity Assessment Body (ACAB) at the request of NTIS
- Fines up to $250,000 per year for noncompliance
The entity wishing to access the DMF must submit written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality, security, and appropriate use of the information.
To better understand the requirement, organizations can find the sample certification forms here:
- Subscriber Certification Form – Sample
- Accredited Conformity Assessment Body Systems Safeguards Attestation Form – Sample
- State or Local Government Auditor General or Inspector General Systems Safeguards Attestation Form – Sample
Subscriber Certification must be completed annually. The LADMF Systems Safeguards Attestation Form must be completed every three years.
The U.S. Department of Commerce’s National Technical Information Service (NTIS), the governing body behind the DMF, can conduct both scheduled and unscheduled compliance audits and fine organizations up to $250,000 for noncompliance, with even higher penalties for willful violations. Given the potential for substantial fines, it is important that entities implement the appropriate systems, facilities and procedures to safeguard the information.
How A-LIGN Can Help
A-LIGN is an ACAB that can attest to the systems and procedures organizations have in place. A-LIGN utilizes various published information security standards, including the AICPA SOC 2 and ISO 27001, to satisfy the rule’s audit requirements.
Since 2015, A-LIGN has been working to help our clients meet their DMF audit requirements, and has successfully submitted the appropriate attestation forms to NTIS, resulting in certification for our clients. We have extensive experience testing the controls required by LADMF and understand the certification process and requirements.
ISO 27000 Family – Information Security Management Systems
The ISO 27000 family of standards relates to an organization’s information security management system, or ISMS. This international standard helps organizations by providing a clear set of requirements that can be used to manage the security of the business’s assets. An ISMS is a systematic approach used to manage the overall information security program and ensure that it remains effective.
One of the benefits of ISO 27001 certification is that it assesses the entire scope of information security, including the technical controls as well as management’s oversight of information security. This all-encompassing approach secures people, processes, and technologies to minimize risk.
Read more: ISO 27001: The Four Most Common Post-Certification Pitfalls
ISO 27001
Organizations can achieve certification against ISO 27001 to demonstrate the maturity of the company’s information security environment. This standard provides a methodology for the establishment, implementation, operation, management, and maintenance of information security within an organization.
There are seven mandatory clauses, each with its own objectives, for organizations seeking conformance to the ISO 27001 standard:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance Evaluation
- Improvement
Additionally, there are 14 discretionary control domains defined in Annex A:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Benefits of ISO 27001 Certification
ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes, and build a culture of information security. The framework also helps organizations in reducing security incidents and meeting additional compliance requirements.
In addition, the standard helps organizations implement controls that are relevant to their unique risks and assets, instead of providing generalized guidance that isn’t applicable to the organization. This holistic, tailored approach makes the ISO 27001 standard functional for organizations of any size, in any industry.
How to Achieve ISO 27001 Certification
Certification should be conducted by an ISO 27001 accredited certification body. Certification will include the following audit activities:
- Pre-Assessment: Although not required to achieve certification, the pre-assessment is conducted for organizations that have not undergone the ISO 27001 process before and need additional assistance in becoming ISO 27001 compliant. A-LIGN simulates the certification process by reviewing the company’s scope, policies, procedures, and processes to identify any gaps that may need remediation prior to certification.
- Stage 1 Audit: A-LIGN reviews the organization’s scope, policies, procedures, and processes to confirm conformance with the documentation requirements of ISO 27001.
- Stage 2 Audit: Once the organization has completed stage 1, the stage 2 audit tests the conformance of the information security management system with ISO 27001 and with the company’s internal policies and procedures. This includes interviews, inspection of documented evidence, and observation of organizational processes.
- Surveillance Audit: To ensure that the organization’s ISMS continues to conform to ISO 27001 standards, surveillance audits are performed for two years following certification.
ISO 27001 certifications are valid for three years.
ISO 27017
ISO 27017, or Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services, provides guidance based upon ISO 27002 for the cloud services industry.
The standard provides guidance specific to cloud-service providers on 37 of the controls in ISO 27002, but also features seven new controls:
- Shared roles and responsibilities within a cloud computing environment
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator’s operational security
- Monitoring of cloud services
- Alignment of security management for virtual and physical networks
This standard is relevant to organizations that provide cloud-based services, and for any organization that stores information in the cloud.
Benefits of ISO 27017
Any cloud provider that is entrusted with sensitive customer data could potentially benefit from ISO 27017. The standard assists organizations by providing guidance unique to the cloud environment, and addresses pain points for many cloud providers such as the delineation of roles and responsibilities within a cloud computing environment.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27017 standard allows for organizations to reduce the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27017
Because ISO 27017 is not a management standard, organizations cannot be certified strictly against the ISO 27017 controls. However, A-LIGN can assist organizations by adding the additional ISO 27017 controls to the scope of an ISO 27001 certification audit to ensure that companies can demonstrate conformance to the ISO 27017 standard.
Read more: Strengthening the Cloud: ISO 27017 and ISO 27018
ISO 27018
ISO 27018, or Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors, is a standard designed for cloud computing organizations that are responsible for handling personally identifiable information.
ISO 27018 provides the following controls to supplement those set within ISO 27001 and ISO 27002:
- Customer and end-user control rights
- Restrictions on disclosure of PII to, or access to PII by, third parties
- Treatment of media containing PII
Benefits of ISO 27018
Organizations that handle PII need to ensure this information is secured. This standard creates an additional level of customer confidence by ensuring that controls are in place to protect the information, allowing both the customer and the end user to be assured that their information is safe.
This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27018 standard allows for organizations to minimize the risk inherent to cloud-service organizations, and the potential cost of a breach.
How to leverage certification for ISO 27018
Again, because ISO 27018 is not a management standard, organizations cannot be certified strictly against the ISO 27018 controls. However, A-LIGN can assist organizations by adding the additional ISO 27018 controls to the scope of an ISO 27001 certification audit to ensure companies can demonstrate conformance to the ISO 27018 standard.
Choosing the Right ISO Standard
The ISO 27000 family of standards provides options for organizations to implement the controls that are relevant to their business needs, their customer needs, and their end-user needs. As an accredited certification body, A-LIGN can conduct the certification audits to demonstrate conformance with ISO 27001, ISO 27017 and ISO 27018.