Compliance

Psy9 offers GDPR Certification, GDPR Compliance and Privacy Law Compliance as Leading Consultant.

• GDPR IMPLEMENTATION
  General Data Protection Regulation (GDPR) aims to protect European citizen personal information. We have a 6-phase Methodology to help you achieve successful compliance.
• What is GDPR?
  GDPR is aimed at protecting personal information, as an extension of an individual fundamental ‘right to privacy’.
• Violation
  Inability to comply with GDPR can result in serious implication that includes fines between Euro 10 Million to Euro 20 Million or 4% of the global annual sales. . Besides the penalty, just imagine the impact on your brand, image and reputation.
• Project Phases
  We have a structured phase wise approach to determine the scope of information in scope, and help you comply to the requirement.
  
• Phase I – Information flow assessment
  This phase involves identification of information sources, and is processing infrastructure that involves personnel, technology, physical infrastructure.
• Phase II – Gap Analysis
  This phase involves performing privacy impact assessment and security risk assessment to determine security and legal loopholes. Identified gaps are provided with detail recommendations.
• Phase III – Control Design and documentation
  This phase involves our methodology that involves distribution security responsibility to internal stakeholders, with controls policies and transactions that ensures that GDPR is well embedded in the organisation processes. This also includes nomination of a data protection officer and creating data protection office, for the organisation.
• Phase IV – Tracking
  This phase involves tracking the client risks, and documentation on a weekly basis till all internal controls are adequately implemented.
• Phase V – Performance Tracking
  This phase involves showcasing client with changes in a given period by providing change specific score of compliance between 0 -100% compliance.
• Phase VI – Internal Audit
  This phase involves verifying the governance system created for the organisation is well in place and ready to declare as GDPR compliant.

What do the following three terms have in common?

• • SSAE 16
• • SAS 70
• • SOC 1, SOC 2 and SOC 3 Reports

The simple answer is that all these terms are inter linked in some way and are assurances over outsourced operations. In other words a SAS 70 report, a SSAE16 auditor report etc give assurance to the user of the audit report that the internal controls at the service provider are effective if the report is unqualified.

With increased globalization, outsourcing seems to be the business mantra. Companies outsource systems, business processes and data processing. All outsourcing is done with an assumption that the operational risk at the service provider will be effectively managed and that the service provider is able to build a robust internal control framework.

In doing so, user organisation (the company that outsources the activities) needs to gain comfort that the data, processes, inputs and outputs at the service provider location are effectively handled and does not expose user organisation to any reputation or other risks.

Till recently, this was done using SAS 70 reports [Statement on Auditing Standards 70]. This gave organisation a broad comfort over the controls at service provider.

However, the biggest weakness of SAS 70 reporting was its main focus was on risks relating to internal control over financial reporting. But what about risks such as give below.
1. Systems are not available at service provide to process information
2. Data confidentially of client/customer information
3. What type of security is available so that information assets are protected.

Do service providers have adequate controls and policies in place to address controls that are beyond Financial reporting related controls ie operational controls.This main gap resulted in SAS 70 been replaced by another set of reports called SOC reports.

SOC Reports and their meaning

Need for a CPA review/audit

As per AICPA website, “A CPA may be engaged to examine and report on controls at a service organization related to various types of subject matter, for example, controls that affect user entities’ financial reporting or controls that affect the security, availability, and processing integrity of the systems or the confidentiality or privacy of the information processed for user entities’ customers.”

For this purpose and to address varying requirement of the engagement, AICPA has introduced SERIVICE ORGANISATION CONTROL (SOC)Reports.  There are three types of SOC reports and you guessed it right. SOC1,SOC2 and SOC3.

SSAE 16 has two types of reports.
1. A Type 1 report is one in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system and the design effectiveness of the controls. It is merely saying that the organisation has built in controls to manage and process information in manner that will ensure that the user organization does not have material misstatement of its financial statements.

An example can make it clear. Let us suppose the service provider is processing Accounts Payable invoices. Then an excel error at the outsourced service provider may result in the provider understating liability (AP balances) because the updated excel sheet was not used for reporting to User organisation and 100 invoices that were received, recorded but wrongly summarized and reported.

2. A type 2 report is one in which in which the service auditor reports on the fairness of the presentation of management’s description of the service organization’s system, opinion on the design effectiveness of the controls AND on the operating effectiveness of these controls. So, type 3 report can only be issued once the controls have been tested for their operating effectiveness.

SOC 2 Reporting

The purpose of the SOC 2 report is to provide an assurance or an opinion on the level of trust and assurance that user auditor and user organisation can derive from the system that the service organization has deployed that effectively mitigate operational and compliance risks.

SOC 2 report demonstrates an independent auditor’s review of a service organization’s application of criteria related to one or more of the Trust Services Principles, which are:

• • Security: The system is protected against unauthorized access (both physical and logical).
• • Availability: The system is available for operation and use as committed or agreed. for reducing assessment of control risk below maximum
• • Processing integrity: System processing is complete, accurate, timely, and authorized.
• • Confidentiality: Information designated as confidential is protected as committed or agreed.
• • Privacy: Personal information (i.e., information that is about or can be related to an identifiable individual) is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP)

The Health Insurance Portability and Accountability Act (HIPAA) is a law of US Department of Health and Human Services. HIPAA is a regulatory requirement which stands for use and disclosure of health information of individuals. HIPAA mainly focus on data privacy, security and controls for safe guard medical information. HIPAA Privacy Rule is to protect patients’ personal or protected health information (PHI). The Privacy Rule give guarantee to patients that the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA.

The HIPAA Privacy Rule applies to organizations that are considered HIPAA-covered entities. It also requires covered entities that work with a HIPAA business associate to produce a contract that imposes specific safeguards on the PHI that the BA uses or discloses.

Failling to comply with HIPAA Privacy Rule, victim of healthcare data breach, failling to provide access to patients for their PHI, OCR can impose penalty or fine. Privacy rule penalties vary depending on the severity of the infraction.

Major amendments since 1996:

• The Security Rule Amendment of 2003
• Technical Safeguards
• Physical Safeguards
• Administrative Safeguards
• The Privacy Rule Amendment of 2003
• The Breach Notification Rule of 2009
• The Final Omnibus Rule of 2013

Roadmap for HIPAA Certification

GAP Assessment -> Documentation -> Training -> Internal Audit -> Certification Audit -> Certification

What is PCI (Payment Card Industry)

PCI is a family of data security standards that is intended to secure processing infrastructure of payment industry.

• PCI DSS applies to any entity that processes, stores or transmits cardholder data
• Consistent global standard applies to banks, merchants, service providers and gateways
• PCI DSS applies to CREDIT and DEBIT cards

Introduction to PCI DSS

• Joint effort of
• VISA International
• MasterCard Worldwide
• American Express
• Discover Financial Services
•  JCB
• Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
• Current version of standard is 3.1 (April 2015)
• Includes 12 security requirements (approx. 300+ sub-requirements)
• Grouped into six control objectives.
• The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
• PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
• The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
• PCI DSS applies to all entities involved in payment card processing—including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Who must comply with PCI standard?

• As a global standard, the PCI DSS applies to any entity worldwide that stores, processes or transmits credit cardholder data.
• This includes financial institutions, merchants and service providers in all payment channels.
• Financial institutions include banks, insurance companies, lending agencies, and brokerages.
• Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point-of- sale that processes credit cards across all industries.
• Service providers include transaction processors, payment gateways, customer service entities, (i.e. call centres), managed service providers, web hosting providers, data centres, and Independent Sales Organizations.

Gap Assessment

• PCI DSS gap assessment, depending on the scope and size of the organization will normally be conducted in 3 days of onsite assessment.
• The deliverables of Gap Assessments will include:
  • Detailed requirement wise gaps identified and
  • The assessor recommendations in line with PCI requirements.
• Time frame: 3 days onsite + 1 week of gap assessment report writing
• Resources : 1 QSA + 1 Technical Consultant onsite
• Consultant offsite for 4 / 5 days for report writing
• QSA 2 days offsite for checking the report before releasing it to the client
• In case of large organizations like banks, service providers, BPOS with multiple sites/ locations the time frame can vary and so will be the costing

PCI DSS Implementation Challenges

• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payments card systems and data
• Controlling logical access (authentication) to systems containing payment card data
• Security event monitoring across a disparate environment
• Limited security capabilities (authentication, monitoring, etc…) of legacy systems
• Remediation of controls across large (often legacy) distributed environments
• Encryption of payment card data
• Putting PCI contractual language in place for third party service providers Obtaining management support to perform remediation