
CERTIFICATIONS

American Institute of Certified Public Accountants (AICPA SOC1)

The American Institute of Certified Public Accountants (AICPA) SOC 1 report is a crucial tool for organizations that rely on service providers to maintain the security, availability, and confidentiality of their sensitive information. The report provides an independent assessment of the service provider's controls and processes for protecting sensitive data, as well as an assurance that the controls are operating effectively. 

A SOC 1 report is an audit report on controls at a service organization relevant to user entities’ internal control over financial reporting. The purpose of a SOC 1 report is to provide assurance to user entities and their auditors about the effectiveness of the service provider's controls and processes related to financial reporting. 

The SOC 1 report is specifically designed for organizations that use service providers for financial reporting purposes, such as payroll processing, accounts payable, and other financial operations. The report provides a comprehensive evaluation of the service provider's systems and processes, including security, availability, and confidentiality controls. 

The SOC 1 report is performed by an independent certified public accountant (CPA) who is a member of the AICPA. The CPA evaluates the service provider's systems and processes, as well as the related control activities, to ensure that they are operating effectively. This involves a review of the provider's policies and procedures, as well as a review of the actual implementation of these policies and procedures. 

The CPA also evaluates the service provider's ability to maintain the confidentiality, availability, and security of the information processed, stored, or transmitted by the provider. This includes an assessment of the provider's security controls, such as access controls, physical and environmental security, and disaster recovery and business continuity planning. 

Once the evaluation is complete, the CPA provides a detailed report of their findings, including any deficiencies or areas for improvement. The report includes a description of the service provider's controls and processes, as well as an assessment of their effectiveness. 

The SOC 1 report is an important tool for organizations that rely on service providers for financial reporting purposes. The report provides an independent assessment of the provider's systems and processes, and helps to ensure that the provider is meeting the required standards for information security, availability, and confidentiality. 

In conclusion, the AICPA SOC 1 report is a crucial tool for organizations that rely on service providers for financial reporting purposes. The report provides an independent assessment of the provider's systems and processes, and helps to ensure that the provider is meeting the required standards for information security, availability, and confidentiality. Organizations can use the SOC 1 report to make informed decisions about the security and reliability of their service providers and to ensure that their sensitive information is being properly protected. 

The American Institute of Certified Public Accountants (AICPA) introduced the SOC 1 report to document the internal controls of a cloud service provider that may impact a customer's financial reporting. The report is beneficial for organizations that conduct financial statement audits. 

To keep up with international accounting standards, the AICPA's Auditing Standards Board created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) which aligns closely with the International Standard on Assurance Engagements 3402 (ISAE 3402). These standards are used to produce a report by an independent third party, attesting to the assertions made by an organization regarding its controls. The Service Organization Controls (SOC) framework is used to evaluate the control of financial information. 

NSPECT.IO uses Google Cloud Platform for its marketplace and other operations and undergoes regular third-party audits to certify their products against the SSAE 18 and ISAE 3402 standards.

A Service Organization Control 1 or SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial statements.

American Institute of Certified Public Accountants (AICPA SOC2)

The American Institute of Certified Public Accountants (AICPA) SOC2 is a widely recognized security and privacy assessment framework designed to help organizations evaluate and communicate the security and privacy controls in place to protect customer data and information. SOC2 provides a set of guidelines and standards that organizations can use to assess and manage the security and privacy of their systems and processes. 

In the increasingly connected world of business, the protection of sensitive information has become a top priority for organizations of all sizes. This is particularly true for companies that handle sensitive customer data, such as financial institutions, healthcare providers, and technology companies. AICPA SOC2 provides a comprehensive framework for evaluating the security and privacy of an organization's systems and processes, helping organizations to mitigate risk and build trust with their customers. 

A SOC2 assessment focuses on five key trust principles: security, availability, processing integrity, confidentiality, and privacy. The assessment process involves a thorough review of an organization's systems, processes, and policies, as well as an assessment of the controls in place to protect customer data and information. The assessment can be conducted either internally or by an independent third-party auditor, and the results of the assessment can be used to identify areas of improvement and to demonstrate to customers and other stakeholders that the organization takes security and privacy seriously. 

One of the benefits of a SOC2 assessment is that it provides a comprehensive and standardized framework for evaluating security and privacy controls. This helps organizations to ensure that their security and privacy controls are aligned with industry best practices, and to demonstrate to customers and other stakeholders that they are taking a proactive approach to managing security and privacy risks. 

In addition to helping organizations build trust with their customers, a SOC2 assessment can also help organizations to improve their security and privacy posture by identifying areas of risk and areas for improvement. By conducting regular assessments and making improvements to their systems and processes, organizations can stay ahead of the curve and better protect their customers' sensitive information. 

In conclusion, AICPA SOC2 provides a valuable tool for organizations looking to protect their customer data and information and build trust with their customers. By conducting a SOC2 assessment, organizations can evaluate their security and privacy posture, identify areas of risk, and demonstrate to customers and other stakeholders that they are taking security and privacy seriously. 

The American Institute of Certified Public Accountants (AICPA) SOC2 assessment is a critical evaluation of an organization's information systems, focusing on the key trust principles of security, availability, processing integrity, confidentiality, and privacy. The SOC 2 report is based on the Trust Services Criteria of the AICPA, and is in line with globally recognized international accounting standards such as SSAE 18 and ISAE 3402. These standards provide a rigorous framework for evaluating the control of financial information, and are verified by independent third-party audits. NSPECT.IO, which uses Google Cloud Platform for its operations, undergoes regular audits to ensure compliance with these standards and to demonstrate its commitment to security and privacy.

The AICPA's Service Organization Control 2 (SOC2) is an auditing standard that helps organizations and service providers protect customer data through a set of criteria based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Organizations and service providers who meet this standard demonstrate that they have safeguarded customer data in a secure environment while maintaining the highest level of confidentiality.

American Institute of Certified Public Accountants (AICPA SOC3)

Similar to SOC 2, the SOC 3 report is based on the Trust Services Criteria (TSC) established by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The SOC 3 is a public report that attests to an organization's internal controls over security, availability, processing integrity, and confidentiality.

To keep up with international accounting standards, the AICPA introduced the Statement on Standards for Attestation Engagements No. 18 (SSAE 18), which closely aligns with the International Standard on Assurance Engagements 3402 (ISAE 3402). Both standards enable an objective third party to report on an organization's controls based on assertions made by that organization. The SOC framework is used to measure the control of financial information.

At NSPECT.IO, we use the Google Cloud Platform for our marketplace and other operations. This platform undergoes regular third-party audits to certify individual products against these standards. As a result, we can provide instant access to our SOC 3 reports for both Google Cloud Platform and Google Workspace.

The American Institute of Certified Public Accountants (AICPA) publishes its Service Organization Control 3 (SOC 3) report which is an assurance of reliability and security, providing publicly accessible proof of the design and operating effectiveness of a specific service provider's controls related to security, availability, processing integrity and confidentiality.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state-level privacy law that provides California residents with certain rights over their personal information. The law was enacted in 2018 and went into effect on January 1, 2020. It is considered one of the strongest privacy laws in the United States and has been referred to as the California equivalent of the European Union's General Data Protection Regulation (GDPR). 

The CCPA applies to any for-profit business that operates in California and meets one or more of the following criteria: 

Has annual gross revenues over $25 million; 

Buys, sells, or shares the personal information of 50,000 or more California residents, households, or devices; or 

Derives 50% or more of its annual revenues from selling California residents' personal information. 

Under the CCPA, California residents have the right to know what personal information is being collected about them, the right to request that their personal information be deleted, and the right to opt-out of the sale of their personal information. They also have the right to non-discrimination for exercising their privacy rights under the CCPA. 

Businesses are required to provide California residents with specific notices about their data collection and usage practices, including the categories of personal information collected, the purposes for which it will be used, and the third parties with whom it will be shared. They must also have a process in place for responding to requests from California residents to exercise their privacy rights. 

In addition, the CCPA requires businesses to implement reasonable security measures to protect the personal information they collect, maintain, and process. Businesses must also provide training to their employees on their obligations under the CCPA and implement processes to ensure that their data practices comply with the law. 

Failure to comply with the CCPA can result in significant fines and penalties, as well as damage to a company's reputation. It is important for businesses operating in California to understand the CCPA and implement the necessary measures to ensure compliance. 

NSPECT.IO uses Google Cloud for its operations and takes privacy and security very seriously. They have taken steps to ensure compliance with the CCPA and other privacy laws, including conducting regular assessments of their data practices and implementing security measures to protect the personal information they handle. 

The California Consumer Privacy Act (CCPA) is a piece of legislation that provides Californian consumers with certain privacy rights, such as the right to access, delete, and opt-out of the sale of their personal information. Businesses that collect personal information from California residents and meet certain criteria (such as revenue or data processing volume) are required to comply with the CCPA starting from January 1, 2020. The California Privacy Rights Act (CPRA), which expands upon the CCPA, is set to take effect on January 1, 2023. 

NSPECT.IO, which operates using Google's marketplace, is dedicated to assisting its customers in meeting their obligations under these privacy regulations. Google offers various tools and implements robust privacy and security measures in their services and contracts. For more information on business responsibilities under the CCPA, visit the California Office of the Attorney General's website.

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

Cloud Computing Compliance Criteria Catalogue (C5:2020)

The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services. It builds on internationally recognized security standards such as ISO/IEC 27001 to set a consistent audit baseline, which helps establish a framework of trust between cloud providers and their customers. 
Google previously received an attestation for the BSI’s Cloud Computing Compliance Controls Catalog (“C5”). The BSI revised the guidance as C5:2020 in 2020. The C5:2020 expands the scope of C5 and addresses new requirements, including a section on product safety and security. 

C5:2020 is based on established standards, including ISO/IEC 27001, Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), AICPA Trust Services Principles and Criteria, BSI IT-Grundschutz Catalogue, and others. However, C5:2020 adds additional transparency controls to provide information on data location, provision of services, place of jurisdiction, existing certifications, and information disclosure obligations towards government agencies. This emphasis on transparency helps potential cloud customers decide whether the cloud services meet their compliance with legal requirements like data protection, company policies, or the ability to address the threat of industrial espionage.
NSPECT.IO uses Google Cloud for its marketplace and other operations, and Google Cloud has achieved an attestation against the C5:2020 requirements. Current and potential customers can use the C5:2020 attestation as verification of compliance and as part of their assessment for using Google Cloud services.

In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Criteria Catalogue (C5) as an auditing standard. It is intended for cloud service providers (CSPs), their auditors, and customers of the CSPs. C5 established a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

Cloud Security Alliance: Protecting Cloud

Cloud computing has become ubiquitous in the modern IT landscape, providing businesses with a flexible and scalable way to store, process, and access data and applications. However, with the convenience of cloud computing comes an inherent risk of data breaches, cyber attacks, and other security incidents. This is where the Cloud Security Alliance (CSA) comes in, providing guidance and best practices for securing cloud computing environments.

What is the Cloud Security Alliance?

The Cloud Security Alliance (CSA) is a non-profit organization that was founded in 2008 with the mission of promoting best practices for security assurance within cloud computing, and providing education on the uses of cloud computing to help secure all other forms of computing. The CSA is a global organization with over 90,000 individual members and over 300 corporate members, and has chapters in more than 100 countries.

The CSA is committed to developing and promoting best practices for cloud security, and has developed a number of initiatives and certifications to help businesses and organizations improve their cloud security posture.

CSA Initiatives and Certifications

Security, Trust & Assurance Registry Program (CSA STAR)
The CSA's Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a cloud service provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.

The CSA STAR program provides customers with a way to understand the security posture of cloud service providers, and enables cloud service providers to showcase their security capabilities and commitment to best practices.

The CSA STAR program offers three levels of certification: self-assessment, third-party certification, and continuous monitoring. The self-assessment level allows cloud service providers to complete a questionnaire that assesses their security controls against the CSA's Cloud Controls Matrix (CCM). The third-party certification level involves an audit by an accredited third-party assessor against the CCM. The continuous monitoring level involves ongoing monitoring and reporting of the cloud service provider's security posture.

Cloud Controls Matrix (CCM)
The Cloud Controls Matrix (CCM) is a set of security controls that are designed to help organizations assess the security posture of cloud service providers. The CCM is based on the CSA's Cloud Security Guidance, and provides a framework for assessing the security capabilities of cloud service providers.

The CCM is divided into 16 control domains, which cover areas such as compliance, data security, and incident management. Each control domain includes a set of security controls that are designed to help organizations evaluate the security capabilities of cloud service providers.

Cloud Audit
The Cloud Audit project is a set of initiatives that are designed to provide a framework for auditing cloud computing environments. The Cloud Audit project includes a set of audit guidelines, a set of audit tools, and a set of cloud audit specifications.

The Cloud Audit project is designed to help organizations evaluate the security and compliance posture of cloud service providers, and to help cloud service providers demonstrate their compliance with industry standards and regulations.

Cloud Access Security Broker (CASB)
The Cloud Access Security Broker (CASB) initiative is designed to provide guidance and best practices for securing cloud-based applications and services. CASBs are designed to provide visibility and control over cloud services, and to help organizations enforce security policies and compliance requirements.

CASBs can be deployed as a standalone solution or integrated with existing security solutions. CASBs provide a range of security capabilities, including visibility and control over cloud applications, data protection, threat protection, and compliance monitoring.

Cloud Incident Response
The Cloud Incident Response project is a set of initiatives that are designed to provide guidance and best practices for responding to security incidents in cloud computing environments. The Cloud Incident Response project includes.

In addition to the CSA STAR program, the Cloud Security Alliance has also developed a number of other resources and initiatives to support the secure adoption of cloud computing. The CSA Cloud Controls Matrix (CCM) is a set of security controls that are aligned with industry standards and best practices, and can be used by organizations to assess the security of their cloud providers. The CSA also provides guidance on cloud security through a variety of publications, including the Cloud Security Guidance and the Security Guidance for Critical Areas of Focus in Cloud Computing.

The Cloud Security Alliance is also active in promoting industry collaboration and advancing research in cloud security. The organization hosts a number of events and conferences throughout the year, including the annual CSA Summit, which brings together leading experts in cloud security to share knowledge and best practices. The CSA also works with a number of industry partners, including major cloud providers and security vendors, to develop standards and best practices for cloud security.

Overall, the Cloud Security Alliance plays a critical role in promoting the adoption of secure cloud computing practices, and provides valuable resources and support to organizations looking to secure their cloud environments. By working with trusted cloud providers like Google Cloud, and leveraging resources like the CSA STAR program, organizations can have confidence in the security and compliance of their cloud environments, and focus on using the cloud to drive innovation and business growth.

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to "promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing."

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions.

FedRAMP consists of two primary entities: the Joint Authorization Board (JAB) and the Program Management Office (PMO). Members of the JAB include the chief information officers (CIOs) from the Department of Defense, Department of Homeland Security, and General Services Administration. The JAB serves as the primary governance and decision-making body for FedRAMP.

The FedRAMP PMO resides within GSA and supports agencies and cloud service providers through the FedRAMP authorization process and maintains a secure repository of FedRAMP authorizations to enable reuse of security packages.

NSPECT.IO, using Google Cloud for its operations, has undergone the FedRAMP authorization process and is authorized to provide cloud services to federal agencies. Trust NSPECT.IO for secure and compliant cloud services for your federal agency. 

The Federal Risk and Authorization Management Program (FedRAMP) is a crucial initiative established by the U.S. Federal Government to ensure the security of cloud products and services used by federal agencies. This program provides a standardized approach for security assessment, authorization, and ongoing monitoring to guarantee the protection of sensitive information stored in the cloud. 

All cloud deployments and service models used by Federal agencies, excluding certain private cloud installations, must comply with FedRAMP security standards at the designated risk impact level (Low, Moderate, or High). 

NSPECT.IO operates using Google Cloud Platform for its marketplace and other operations. Google has undergone the FedRAMP authorization process and its status is available on the FedRAMP Marketplace website, a resource maintained by the government.

FedRAMP is a government-wide program that provides a standardized approach to security assessment and authorization of cloud products and services for use by U.S. federal agencies. The program brings together uniform requirements for risk management and puts into place consistent levels of security for data stored in the cloud and other IT systems used by federal organizations. FedRAMP ensures that federal data is securely managed and protected against unauthorized access, with rigorous security measures taken to ensure its safety.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is European Union legislation that came into effect on May 25, 2018, replacing the previous 1995 Data Protection Directive 95/46/EC. It lays out specific rights for individuals whose data is being processed in the EU and sets certain requirements for companies processing such personal information. These include regulating how businesses can collect, use, and store personal data, increasing their accountability via documentation and reporting requirements, and authorizing hefty fines for organizations that fail to comply with its provisions.


In accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), NSPECT.IO utilizes Google Cloud Platform and Wix to carry out various operations. Google Cloud prioritizes the security and privacy of users' personal data, and helps NSPECT.IO with its GDPR compliance through:
1. Contractual commitments: to ensure the protection of customer personal data, contracts include a commitment to comply with the GDPR. This applies to all Google Cloud Platform and Google Workspace services when processing any personal data.
2. Added safeguards: the GDPR provides added measures of protection for the data most sensitive to individuals. These safeguards may help organizations to better protect their customers' personal information.
3. Documentation for individuals: the GDPR provides individuals with the necessary documentation and resources to understand and evaluate the data privacy associated with our services.
4. Documentation for customers: the GDPR provides documentation and resources to help you evaluate the privacy aspects of our services.

Wix.com is 100% committed to data protection

Customer trust is Wix's absolute top priority. 
Wix has worked with a team of experts and has implemented the required adjustments to products, services, and documentation to ensure compliance with the GDPR. This gives Wix more control over personal data and the tools necessary to protect the information of visitors to Wix sites. 
Wix is dedicated to data protection and has consistently reinforced this over the past 10 years. 

Wix deploys and maintains a range of technical and organizational security measures to protect its customers' data and assets. The Wix security team leads the facilitation and development of procedures, processes, and controls that govern the security and integrity of Wix and its users.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is an EU regulation designed to strengthen the protection of individuals' personal data and ensure that their personal data is secure, both within and outside the European Union. The GDPR grants individuals more control over their personal data, as well as regulates the companies that process it. It also outlines procedures for transferring personal data outside of the EU area, in order to ensure that it remains secure. Ultimately, the GDPR ensures stricter security guidelines so companies are better able to protect individuals' privacy rights.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of "covered entities" or "business associates" under HIPAA.

Customers that are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google's Business Associate Agreement (BAA). Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with its ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.

NSPECT.IO uses Google Cloud Platform for its marketplace and other operations. The Google Cloud Platform BAA covers GCP's entire infrastructure.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a regulation designed to make it easier for American employees to maintain their health insurance coverage when they change or lose their jobs. This regulation also encourages the use of electronic health records to improve the efficiency and quality of the US healthcare system through enhanced information sharing. HIPAA includes provisions that increase the use of electronic medical records as well as ensure the security and confidentiality of protected health information (PHI). PHI includes comprehensive personal health information and health-related data, including insurance and billing information, diagnostic data, clinical care data, and laboratory results such as images and test results. HIPAA rules apply to covered organizations, including hospitals, medical service providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement that provides PHI protection also applies to partners.

The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded HIPAA guidelines in 2009. Together, HIPAA and HITECH set a set of federal standards to protect PHI's security and privacy. These provisions are contained in what are known as "Management Simplification" rules. HIPAA and HITECH impose requirements regarding the use and disclosure of PHI, appropriate safeguards to protect PHI, personal rights, and administrative responsibilities. For more information on how health information is protected by HIPAA and HITECH, see the US
What is HIPAA and what does it cover?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that governs the privacy and security of medical information. It helps to ensure that all healthcare providers, from hospitals to doctor's offices, securely protect patients' health data from unauthorized access. HIPAA acts as the nation's first officially recognized set of guidelines for protecting confidential patient information.

1) Protect the privacy of PHI (health information) by limiting access only to those who need it for treatment or care; and

2) Ensure the security of PHI by following appropriate procedures when an individual's health-related information is disclosed or accessible from outside the organization.

To comply with this law, you must have appropriate safety precautions. You can use encryption codes in your electronic data and prevent third parties from accessing patient information. Regulatory bodies such as the Federal Trade Commission (FTC) also look at compliance with HIPAA.

Are You Unsure of What The Health Insurance Portability and Accountability Act (HIPAA) Entails?

HIPAA is a law that ensures the privacy and confidentiality of patients' health information. It also gives businesses the ability to securely share data with their customers. Understanding how HIPAA works and its compliance requirements can be tricky. In this article, we'll discuss some of the basics of HIPAA so you can make sure your business is compliant with its regulations. This includes protecting sensitive medical records from any outsiders, as well as ensuring non-employees do not use this information to receive healthcare plans or benefits without your permission.


How to protect your business data?

HIPAA – or the Health Insurance Portability and Accountability Act – is a set of laws established to protect the privacy of personal information for individuals, businesses, and third parties. These regulations dictate how this private data is shared and accessed, as well as rules for anonymization in some cases. Any company that collects customer data must ensure it is in compliance with HIPAA regulations, verifying whether customers are "qualified individuals" before releasing their personal health information (PHI). Qualified individuals include minors.

If a third party needs access to your company's PHI, you must agree in writing what rules apply (and why) for that person to gain access from your company.

How to comply with HIPAA regulations?

The Health Insurance Portability and Accountability Act (HIPAA) maintains the privacy of individuals' personal information by setting guidelines for organizations that process or store such data. This includes healthcare providers, health plans, and healthcare clearinghouses. HIPAA compliance is important to understand, as it outlines the difference between covered entities and their corresponding business associates who may also be subject to these regulations. To protect the rights of consumers, it is critical to know how each category of business must adhere to HIPAA's rules. Ultimately, all companies subject to this law share one purpose: guaranteeing the safe sharing of personal data with trusted third parties when necessary.

Eligibility requirements for healthcare facilities

HIPAA is a set of laws that ensures the privacy and security of sensitive health information. HIPAA mandates that any healthcare facility or organization, including IT providers, take measures to ensure health information is kept confidential and secure. Covered organizations must meet certain standards set by the Department of Health and Human Services (HHS) in order to adhere to HIPAA regulations. Understanding what constitutes a "covered entity" for HIPAA purposes, as well as the important elements outlined by the HHS, is essential for any healthcare facility or organization to remain compliant with HIPAA requirements.

Compliance requirements for mental health services

Mental health services are often covered by government-sponsored insurance plans. Ultimately, mental health is one area where businesses can make money through HIPAA compliance. The first thing you should know about HIPAA is that it is an act of Congress aimed at protecting consumer privacy and security.

Compliance requirements for research organizations

The Health Insurance Portability and Accountability Act (HIPAA) is a law that provides guidelines for healthcare organizations, like hospitals and doctors, on how to properly store and handle patient information. It's important to comply with HIPAA regulations when it comes to sharing sensitive health information with others, whether it be for research or marketing purposes. To ensure compliance, organizations must clearly define what data they are sharing and properly inform their patients of who the data is going to and how it will be used. It is crucial that patients can trust their data is being handled responsibly.

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that requires healthcare businesses to protect their clients' and patients' personal information. This policy, enforced by the U.S. Department of Health and Human Services (HHS), safeguards sensitive health data from being shared without consent or knowledge of the patient. By adhering to HIPAA guidelines, healthcare organizations are able to keep their practices compliant with this federal law.

Information Security Management System (ISO/IEC 27701)

Information Security Management System (ISO/IEC 27701) is an international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving information security management in an organization. The standard provides a comprehensive framework for protecting the confidentiality, integrity, and availability of information. 

ISO/IEC 27701 is designed to complement the existing ISO/IEC 27001 standard, which provides guidelines for the implementation of an information security management system (ISMS). While ISO/IEC 27001 focuses on the implementation of information security controls, ISO/IEC 27701 extends these guidelines to include privacy considerations and the protection of personal data. 

The standard defines the information security management system as a systematic approach to managing sensitive information, including personal data, and protecting it from unauthorized access, use, disclosure, disruption, modification, or destruction. The standard outlines a risk management process that organizations must follow to identify and evaluate privacy risks, implement appropriate controls, and monitor the effectiveness of these controls. 

The standard defines the key components of an information security management system, including: 

• Policies: Organizations must establish policies and procedures to guide the implementation and management of the ISMS. 

• Organization of information security: Organizations must appoint a person or group responsible for managing information security and ensure that they have the necessary resources and authority to carry out their responsibilities. 

• Asset management: Organizations must identify and categorize their information assets and determine the level of protection required for each asset. 

• Human resources security: Organizations must ensure that all personnel involved in the processing of sensitive information are aware of their responsibilities and have received the necessary training. 

• Physical and environmental security: Organizations must implement appropriate measures to protect their physical facilities and equipment from unauthorized access, damage, and destruction. 

• Communications and operations management: Organizations must establish secure communications and operations management practices, including disaster recovery and business continuity procedures. 

• Access control: Organizations must implement access controls to ensure that sensitive information is only accessible to authorized personnel. 

• System acquisition, development, and maintenance: Organizations must ensure that the information systems they acquire, develop, or maintain are secure and that any changes to these systems do not compromise the security of sensitive information. 

• Supplier relationships: Organizations must ensure that their suppliers and contractors comply with the information security requirements outlined in the ISMS. 

The standard also outlines the requirements for continual improvement of the ISMS, including the implementation of a review process, regular risk assessments, and the implementation of any necessary corrective actions. 

In conclusion, ISO/IEC 27701 provides a comprehensive framework for managing and protecting sensitive information, including personal data, in an organization. The standard helps organizations to meet their legal and regulatory obligations and to build trust with their customers and other stakeholders by demonstrating their commitment to information security and privacy. NSPECT.IO, which uses Google Cloud for its operations, has undergone the ISO/IEC 27701 certification process to demonstrate its commitment to the protection of sensitive information. 

The Information Security Management System (ISO/IEC 27701) is a global privacy standard established by the International Organization for Standardization (ISO), a non-government organization comprised of 163 national standards bodies. The standard focuses on the collection and processing of personally identifiable information (PII) and is designed to help organizations comply with international privacy laws and frameworks. 

ISO/IEC 27701 extends the requirements of ISO/IEC 27001 and ISO/IEC 27002 to include data privacy and provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). The standard includes requirements and guidance for organizations acting as PII controllers and PII processors. 

NSPECT.IO operates using the Google Cloud Platform for its marketplace operations. The platform has received an accredited ISO/IEC 27701 certification as a PII processor, following an audit by an independent third party.

ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).[1] The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

Information Security Management System (ISO/IEC 27001)

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure. A European update of the standard was published in 2017. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a recent large-scale study. 

NSPECT.IO's customer payment platform runs on Wix, which has been audited and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.

Information Security Management System (ISO/IEC 27017)

The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 163 national standards bodies.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Additional controls with implementation guidance that specifically relate to cloud services
This standard provides controls and implementation guidance for both cloud service providers like Google and their cloud service customers.
ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:
• Who is responsible for what between the cloud service provider and the cloud customer
• The removal/return of assets when a contract is terminated
• Protection and separation of the customer’s virtual environment
• Virtual machine configuration
• Administrative operations and procedures associated with the cloud environment
• Customer monitoring of activity within the cloud
• Virtual and cloud network environment alignment
NSPECT.IO uses Google for marketplace and other operations; Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27017 compliant.

ISO/IEC 27017 is a security standard developed for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, which provide best practice recommendations on information security management.