Information Security Compliance
When a company shares its sensitive information with a vendor, it needs to make sure that information is being handled and protected appropriately. More than ever before, vendor management teams are looking for independent third-party validation that their vendors and prospective vendors have controls in place that are sufficient to protect that data.
We know that nobody enjoys going through an "audit," but our team at DDS has spent countless hours putting together programs that demystify the control frameworks and automate much of the evidence gathering required for us to issue our independent third-party opinion. We leverage technology to make the process as painless as possible while still adding value. You are left with a strengthened security posture and a thorough, professionally written report that can pay dividends in your sales and client retention efforts.
SOC 1
SOC 1 reports are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities' financial statements (user auditors) in evaluating the effect of the controls at the service organization on the user entities' financial statements. The scope is internal control over financial reporting, not security in general.
SOC 2
SOC 2 reports are the gold standard for demonstrating to your clients and prospects that you have sufficient controls in place, operating effectively, to meet relevant control objectives. A SOC 2 report describes the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy (the AICPA Trust Services Criteria). Security is the required baseline category; the other four are included based on the service commitments you make to your customers.
Boiling it down, a SOC 2 examination helps you answer, with independent third-party verification, the following question: "How can we trust that you will protect our sensitive data and meet the service commitments you are promising us?"
SOC 3
SOC 3 reports are designed to meet the needs of users who want assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not need, or lack the knowledge necessary to make effective use of, a full SOC 2 report. A SOC 3 report contains the auditor's opinion and management's assertion but omits the detailed description of controls and test results found in a SOC 2 report. Because they are general use reports, SOC 3 reports can be freely distributed, for example on your website.
SOC for Cybersecurity
Similar to a SOC 2 examination, SOC for Cybersecurity is an attestation engagement, but it focuses on an organization's entity-wide cybersecurity risk management program rather than on the controls of a particular system or service. SOC for Cybersecurity also differs from SOC 2 in that it is intended for any type of enterprise, not just service organizations, and it is a general use report. SOC for Cybersecurity gives a company the opportunity to provide its partners (e.g., customers, stakeholders, board members) assurance that it is committed to cybersecurity best practices.
ISO 27001 Internal Audit
For organizations seeking to implement an ISMS in hopes of becoming ISO 27001 certified, DDS can help. Clause 9.2 of the ISO 27001 standard requires an organization to conduct internal audits of its ISMS at planned intervals; in practice, most organizations and certification bodies expect the full ISMS to be audited at least annually. The standard also requires the organization to select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process, meaning auditors should not audit their own work. In other words, the internal audit should not be performed by someone who is involved in designing, implementing, or maintaining the ISMS. This is difficult for most small to medium sized organizations that do not have a distinct internal audit department.
DDS can cost-effectively perform the internal audit function to prepare your organization for its ISO 27001 certification audit and to meet the recurring internal audit requirements described in Clause 9. During the internal audit, DDS focuses on evaluating your organization's current ISMS against the ISO 27001 requirements, both the management system clauses (4 through 10) and the Annex A controls selected in your Statement of Applicability. Our internal audit process aims to be as minimally invasive as possible while still producing a list of actionable recommendations that will satisfy the needs of your certifying auditors. We provide a detailed assessment of your compliance, including any gaps, possible nonconformities, and opportunities for improvement. DDS has consulted with various certifying auditors to ensure that our internal audit program and reporting methodology are aligned with their expectations and give your organization the intended result.
HIPAA Compliance
For organizations operating in the healthcare industry, demonstrable HIPAA compliance is becoming table stakes. HHS does not certify HIPAA compliance, so other than attesting to compliance yourself, there are a couple of ways we can help you demonstrate your compliance to interested parties.
SOC 2+
A SOC 2+ goes beyond a traditional SOC 2 examination and includes additional criteria, such as those derived from the HIPAA Security, Privacy, and Breach Notification Rules. The AICPA's Trust Services Criteria share many parallels with the requirements set forth by the HIPAA Security and Breach Notification Rules (for example, risk analysis, access controls, audit logging, and incident response), so much of the evidence gathered for one satisfies the other. The benefit of combining SOC 2 and HIPAA is that auditing both together results in a more efficient and cost-effective use of resources. By conducting a SOC 2+, an organization can avoid redundant assessments, reduce audit fatigue among employees, and minimize audit-related disruptions to business operations. The final result is a comprehensive SOC 2 report that also demonstrates your compliance with HIPAA.
HIPAA Compliance Examination
A HIPAA compliance examination is similar in process to a SOC 2+. However, the criteria used to evaluate your system of controls are limited to the requirements set forth by the relevant HIPAA rules rather than the AICPA Trust Services Criteria. The deliverable is also a much simpler report, usually consisting of only a few pages.
GDPR Compliance Audit
A GDPR (General Data Protection Regulation) compliance audit is an independent assessment of an organization's compliance with GDPR. GDPR applies to any organization that processes the personal data of individuals in the EU or EEA, regardless of where the organization itself is located.
The purpose of a GDPR compliance audit is to help organizations ensure that they are meeting their obligations under GDPR (lawful basis for processing, data subject rights, breach notification, and data protection by design, among others) and to identify areas where they need to make improvements.
NIST Cybersecurity Framework (CSF)
The NIST CSF organizes cybersecurity outcomes into high-level functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in CSF 2.0) and maps each outcome to informative references in other standards and guidelines, such as ISO 27001, NIST SP 800-53, and the CIS Controls. Rather than prescribing specific controls, it lets an organization select and prioritize practices from those sources based on its own risk profile, and express its current and target maturity as profiles and tiers. The NIST CSF can be used by an organization of any size within any sector.