In its simplest form, compliance is about setting rules and following them, every time. No wavering, no last-minute audible; everyone simply follows the rules, every time. That sounds easy, but it isn't always.
There are many reasons rules get broken (not paying attention, not listening, forgetting the rules exist, and so on). The reason isn't really what matters. What matters is what happens when the rules aren't followed: compliance is directly affected. After all, compliance is all about executing on processes, training, documentation, and continuous inspection and improvement, on every single touch or transaction.
To verify our company is following the rules, we invite third-party vendors to audit our processes annually.
These audits* include HIPAA and HITECH examinations; ISO/IEC 27001:2013 certification; SSAE 18 examinations (which produce our SOC 1 and SOC 2 reports); and PCI DSS validation. In addition, the Security and Compliance team continuously monitors for new regulations and builds processes to comply with them (e.g., GDPR, the California Consumer Privacy Act, etc.), and performs client-specific audits, such as NIST SP 800-171 assessments.
Every audit is critical and serves a specific niche or need. Together they span a breadth of frameworks and a wide range of industries and geographies. There is often a great degree of overlap with the industry-specific audits our clients must demonstrate compliance with. Therefore, once we map the scope of the third-party audits we submit to (the systems, locations, controls, and reporting period each one actually covers) against the scope of the client's audit requirements, we often find that our audits completely fulfill the industry-specific obligations.
For example, in a recent conversation, a potential client in the mortgage/banking industry said they needed a partner that could demonstrate FDIC compliance. OneNeck does not specifically undergo FDIC compliance auditing, but when we reviewed the FDIC requirements with them, we showed how our SOC 1 and SOC 2 reports (available under NDA) and our ISO/IEC 27001:2013 certification fully meet, and in some cases exceed, the controls outlined in the FDIC adherence guidelines.
In other situations, clients need audit verification of technical, physical, and administrative controls, including background checks and annual training. We are able to validate that we meet these requirements based on the annual audits we already participate in.
In addition, for clients that use us for hosted and managed services or colocation, the compliance program and audits apply directly to their IT environment. With these solutions, our experienced professionals will also help address the technical measures our clients must comply with.
*Upon request, OneNeck can provide these under NDA.
Topic: NIST framework cybersecurity