AODocs is an enterprise document management solution that has grown rapidly over the past few years; our solution now solves business challenges for over 500 enterprise Google Apps customers, ranging from small startups to Fortune 500 companies. Recently, AODocs received their SOC 2 certification with the help of KirkpatrickPrice, and we are proud to be the only enterprise document management solution on Google Drive with a SOC 2 certification.

We grew nearly tenfold in the last two years and we were grateful for the guidance of KirkpatrickPrice who taught us best practices during that time. Working with the KirkpatrickPrice auditors not only helped us validate the robustness of our architecture, but also gave us a framework to set up processes that our organization needed in order to mature.

Why did we pursue SOC 2 Certification?

Security has always been paramount to us, even before undergoing the SOC 2 certification audit. We knew that it would be beneficial for our customers to have an independent verification of our security practices, both for their peace of mind and their own compliance strategy.

The Service Organization Control 2 (SOC 2) is an auditing standard that not only verifies controls and processes, but also includes a written attestation by a CPA regarding the design and operating effectiveness of the controls being reviewed. KirkpatrickPrice audited our internal policies and processes, and validated our compliance with the SOC 2 Trust Services Principles. The audit included a full assessment of AODocs software, people, procedures, and infrastructure (AODocs runs on Google Cloud Platform, which is also SOC 2 certified).

The resulting SOC 2 report is one of the gold standards of security for cloud technologies. In fact, organizations faced with compliance requirements around sensitive data can leverage AODocs’ SOC 2 certification as part of their compliance strategy. AODocs helps many organizations comply with regulations and standards such as ISO 9001, ISO 14001, OHSMS, OHSAS, and others. Now, with our SOC 2 certification, customers have one more reason to trust AODocs with their business critical documents.

Getting a SOC 2 certification was a lengthy process, but completely worth it. Of course, using AODocs makes going through audits much easier, which also contributed to making this a positive experience for us.

Why Should Customers Care that SaaS Companies Have a SOC 2 Certification?

Companies moving their documents to the cloud often have legitimate concerns about the security of their sensitive information. Certifications like SOC 2 provide them with independent assurance that the platform they are choosing offers the level of confidentiality they require for their business. We, at AODocs, have found this to be true.

3 Things to Know About Protecting ePHI

This session gives an overview of the Security Rule, which is one of the most familiar aspects of HIPAA Compliance. The goal of the Security Rule is to create security for electronic Protected Health Information (ePHI) by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. When learning the basics of this regulation, it’s vital to learn about scope, the flexibility of approach, and the three types of safeguards.

Scope

The Security Rule only applies to ePHI. Paper PHI is not within the scope of the Security Rule. This doesn’t narrow the scope, but instead tailors it to specific issues, vulnerabilities, costs, and approaches related to the integrity and security of ePHI.

Flexibility of Approach

All the requirements are the same, but the way an entity complies with them differs depending on entity-specific considerations. There is some flexibility when considering required versus addressable implementation specifications under each of the three types of safeguards. The Security Rule says there are some implementation specifications that you must comply with, with no alternative method. There are also addressable implementation specifications that allow an entity to choose an alternative or equivalent compensating control.

Safeguards

There are three types of required safeguards to protect ePHI: administrative, technical, and physical. Administrative safeguards cover personnel, training, access and process. Technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover access, workstations, and devices.

To learn more about the HIPAA Security Rule, contact us today and speak to an expert.

What is ISO 27001?

ISO 27001 is the only information security standard that is recognized across the globe. ISO/IEC 27001 deals with information security management and its purpose is to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. ISO is an independent, non-governmental international organization with a membership of 161 national standards bodies. It brings together experts to share knowledge and develop voluntary, consensus-based, market relevant international standards that support innovation and provide solutions to global challenges.

Why is ISO 27001 important?

It’s the gold standard for information security management and can be used in any vertical. It’s not a one-size-fits-all approach, either: its implementation is customized for each organization to treat its particular risks. It also provides a governance framework so that clients can manage both their security and compliance risk. Finally, it opens the door for business with organizations that recognize this standard, particularly international and transnational organizations.

What is the Structure of the Standard?

We want to take you through each individual section and discuss how you can apply it to your organization.

  • Introduction – Explains what ISO 27001 is designed to do
  • Scope – Establishes the scope of the standard
  • Normative References – The technical standard cannot be fully utilized without this section
  • Terms and Definitions – The technical standard cannot be fully utilized without this section
  • Context of Organization – Understanding the organization and its context
  • Leadership – Top management expresses commitment to and authority over the ISMS and its policies
  • Planning – Make sure you have the right process in place to address risks and opportunities
  • Support – Resources, competences, awareness, and communication for the ISMS
  • Operation – Maintain documentation to show that plans have been carried out
  • Performance Evaluation – Monitoring, analysis, internal audit, management review
  • Improvement – Corrective action, continue the cycle of improvement (plan, do, check, act)

Listen to the full webinar to see our roadmap to ISO 27001 compliance, to learn all our takeaways and gain some resources to determine if ISO Certification is right for your organization. Listening to the entire session will also teach you about Annex A, ISO as a whole, the history of ISO 27001, and the ISO 27000 family.

Changes You Should Know About in PCI DSS 3.2

In this webinar, our expert panelists will discuss the changes from PCI DSS 3.1 to PCI DSS 3.2, what they mean during a PCI assessment, what you can do to implement these changes, and how to minimize their impact. There are about 30 controls that we believe may have had significant changes, and we try to cover as many of them as possible in this webinar.

In this webinar, we will discuss the following requirements from PCI DSS 3.2:

1.1.6 – Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.3.5 – Removed reference to stateful inspection and restated as “allow only established connections”.

1.4 – Install a personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee owned) that connect to the Internet when outside the network, and which are also used to access the cardholder data environment (CDE).

2.1 – Hardening of systems now includes payment applications.

3.4.1 – Added note: this requirement applies in addition to all other PCI DSS encryption and key management requirements.

6.4.6 – Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

6.5 – Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.

8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access.

8.3.1 – Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

8.3.2 – Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

11.2.1 – Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high-risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
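Requirement 11.2.1 describes a scan, remediate, rescan cycle in which the rescan must show every “high-risk” finding resolved according to the entity’s own ranking. The following Python is an added illustration of that verification step, not code from the webinar or from any scanner vendor: it assumes an entity ranking that treats a CVSS base score of 7.0 or higher as high-risk, and the scan records, host names and plugin identifiers are constructed sample data.

```python
"""Rescan verification for a PCI DSS 11.2.1-style workflow (added example).

Assumption: the entity's vulnerability ranking (per Requirement 6.1) treats a
CVSS base score >= 7.0 as "high-risk". All findings below are constructed.
"""
from dataclasses import dataclass

HIGH_RISK_CVSS = 7.0  # assumed entity-specific threshold


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # scanner check identifier (constructed values)
    cvss: float
    title: str

    @property
    def key(self):
        # A finding is "the same" across scans when host and check match.
        return (self.host, self.plugin_id)


def high_risk(findings):
    """Findings that the assumed ranking classifies as high-risk."""
    return [f for f in findings if f.cvss >= HIGH_RISK_CVSS]


def unresolved_high_risk(initial, rescan):
    """High-risk findings from the initial scan that the rescan still reports."""
    still_open = {f.key for f in rescan}
    return [f for f in high_risk(initial) if f.key in still_open]


def new_high_risk(initial, rescan):
    """High-risk findings first seen in the rescan (regressions or new exposure)."""
    seen = {f.key for f in initial}
    return [f for f in high_risk(rescan) if f.key not in seen]


def rescan_passes(initial, rescan):
    """True only when no high-risk finding remains open or has newly appeared."""
    return not unresolved_high_risk(initial, rescan) and not new_high_risk(initial, rescan)


# Constructed sample scan output: one high-risk finding was fixed, one was not.
INITIAL = [
    Finding("db01", "P-1001", 9.8, "Outdated database service"),
    Finding("db01", "P-1002", 4.3, "Service banner discloses version"),
    Finding("web01", "P-2001", 7.5, "Weak TLS configuration"),
]
RESCAN = [
    Finding("db01", "P-1002", 4.3, "Service banner discloses version"),
    Finding("web01", "P-2001", 7.5, "Weak TLS configuration"),
]

if __name__ == "__main__":
    for f in unresolved_high_risk(INITIAL, RESCAN):
        print(f"still open: {f.host} {f.plugin_id} ({f.cvss}) {f.title}")
    print("rescan passes:", rescan_passes(INITIAL, RESCAN))
```

The check is deliberately two-sided: a rescan that clears the original high-risk items but introduces a new one (for example after a configuration change) should not be accepted as evidence that the requirement is met, and the low-risk banner finding is ignored by the pass criterion because the assumed ranking does not classify it as high-risk.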

12.6 – Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.8.1 – Maintain a list of service providers including a description of the service provided.

12.10.2 – Review and test the plan at least annually, including all elements listed in Requirement 12.10.1.

This webinar also covers requirement changes specifically for service providers. Note that the following requirements are considered best practice until January 31, 2018, after which they will become requirements:

3.5.1 – Maintain a documented description of the cryptographic architecture.

10.8 – Implement a process for timely detection and reporting of failures of critical security control systems.

10.8.1 – Respond to failures of any critical security controls in a timely manner.
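Requirements 10.8 and 10.8.1 ask for a process that notices when a critical security control (firewall, IDS, file integrity monitoring, anti-virus, logging) has stopped working and raises it promptly. The Python below is an added example of one such process, not code from the webinar: each control emits a periodic heartbeat line, and a control is flagged when its latest heartbeat reports a failure or when it has been silent longer than an assumed per-control limit. The control names, the line format and the sample heartbeat lines are all constructed.

```python
"""Heartbeat-based detection of critical security control failures (added example).

Assumptions: every critical control writes "<ISO-8601 UTC timestamp> <control> <status>"
heartbeat lines, and the maximum tolerated silence per control is set below.
"""
from datetime import datetime, timedelta, timezone

# Assumed: how long each control may go without an "ok" heartbeat before it is
# treated as failed. Values are illustrative, not prescribed by PCI DSS.
MAX_SILENCE = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "log-collector": timedelta(minutes=1),
}


def parse_heartbeat(line):
    """Parse one constructed heartbeat line into (timestamp, control, status)."""
    ts, control, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), control, status


def detect_failures(lines, now):
    """Return {control: reason} for every critical control that is failed or silent.

    The latest heartbeat per control wins regardless of line order, so a late
    "fail" is not masked by an earlier "ok" that happens to appear after it.
    """
    latest = {}
    for line in lines:
        ts, control, status = parse_heartbeat(line)
        if control not in latest or ts > latest[control][0]:
            latest[control] = (ts, status)

    failures = {}
    for control, limit in MAX_SILENCE.items():
        if control not in latest:
            failures[control] = "no heartbeat ever received"
            continue
        ts, status = latest[control]
        if status != "ok":
            failures[control] = f"reported status '{status}' at {ts.isoformat()}"
        elif now - ts > limit:
            failures[control] = f"silent for {now - ts} (limit {limit})"
    return failures


# Constructed sample heartbeat log: antivirus is stale, the log collector's
# latest report is a failure (its "ok" line is older than its "fail" line).
SAMPLE_LINES = [
    "2018-01-31T11:58:00Z firewall ok",
    "2018-01-31T11:59:30Z ids ok",
    "2018-01-31T11:30:00Z fim ok",
    "2018-01-31T10:20:00Z antivirus ok",
    "2018-01-31T11:59:50Z log-collector fail",
    "2018-01-31T11:58:50Z log-collector ok",
]
NOW = datetime(2018, 1, 31, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for control, reason in sorted(detect_failures(SAMPLE_LINES, NOW).items()):
        print(f"CONTROL FAILURE {control}: {reason}")
```

In practice the output of `detect_failures` would feed an alert so that 10.8.1's "respond in a timely manner" has a clear trigger, and the silence thresholds would be tuned to each control's real reporting interval; a control that never checks in at all is treated as failed rather than silently ignored.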

11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

What is the Privacy Rule?

If you’ve been following along with our Road to HIPAA Compliance webinar series, congratulations – we’ve made it to the middle of the road! We are halfway to knowing all about HIPAA compliance. In this session, we’re covering the Privacy Rule, Notice of Privacy Practices, and handling consumer complaints.

The Privacy Rule exists so that patients know they have rights, and that those rights are respected. Patients have the right to know how an entity plans to use their PHI, rights regarding their own PHI, the right to ask questions, and the right to make complaints. The Privacy Rule is designed to govern the Uses and Disclosures of PHI, cover individuals’ rights with respect to their own PHI, and lay out the responsibilities of entities that maintain PHI. Your organization needs to know what the Privacy Rule is to fully understand how the Notice of Privacy Practices fits in.

The Notice of Privacy Practices is the method used for communicating patient rights to patients. This document establishes the basis for a patient’s understanding of what will happen with their PHI. If we are to effectively communicate those rights, we need to understand that this notice is not an opportunity to get creative; there is little leeway. The notice must use plain language and boilerplate headings, and include the required content and recommended formatting. In this webinar, we discuss the best practices for four areas of required content for the Notice of Privacy Practices:

  1. Uses and Disclosures: describe the uses and disclosures of PHI for treatment, payment, and operational purposes, and give an example for each purpose.
  2. Individual Rights: list patients’ rights with respect to their PHI, including their right to authorize uses and disclosures.
  3. Choices: inform patients about the choices they have about disclosing their PHI; for example, which family members they authorize to receive their PHI.
  4. Responsibilities: define the responsibilities of the entity with respect to the PHI, including the legal requirement to maintain the privacy and security of patients’ PHI.

We also want to help you navigate how to acknowledge consumer complaints. Your organization needs to be fair, thorough, and consistent. You should give notice of how to submit a complaint and have channels for receiving, accepting, responding to, and documenting consumer complaints. There are also some things you absolutely cannot do. For example, you cannot discourage complaining in any way or retaliate against a patient for filing a complaint.

Listen to the full webinar to hear more about design, timeliness, limitations, and more for Notice of Privacy Practices. For help drafting your organization’s Notice of Privacy Practices, contact us today to speak to an expert.