The AICPA SOC program provides independent third-party examination reports on the privacy and confidentiality of an organization's key compliance controls and objectives. Service Organization Controls (SOC) reports are "designed to help service organizations, and organizations that operate information systems in their service delivery processes and controls through a report by an independent Certified Public Accountant."

There are three types of SOC Reports:

  • SOC 1: “Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting” - These reports are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16.
  • SOC 2: “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy”
  • SOC 3: “Trust Services Report for Service Organizations”- These reports are designed to meet the needs of users who need assurance about the confidentiality and privacy controls.

ISO 27001 Information Security Management Systems

ISO 27001 Information Security and data protection provides protection for data for global organisations. Certification to ISO 27001 is proof that you are monitoring and managing the security of data in your possession.

What ISO (International Organization for Standardization) says about this standard:

“Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.”

This certification helps large small, and medium organizations and businesses in any sector keep information assets secure. Like other ISO management system standards, certification to ISO/IEC 27001 is not obligatory.


The PCI Data Security Standard PCI DSS is the global data security standard utilized by the payment card industry for organizations that transmit, store, and process cardholder data. It is made up of common sense steps that showcases security best practices.

Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS)assists in alleviating unsecured transmission of cardholder data to service providers as well as paper-based storage systems.

“The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 12 requirements structure:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel”

HIPAA (Health Insurance Portability and Accountability Act)

In response to the growing volume of sensitive patient information traversing public networks, governments and regulatory agencies are enacting stronger data privacy laws. Regulations mandate that communication containing patient or confidential data must be transmitted securely.

In 2013, the HIPAA Omnibus Rule “was put in place by HHS to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act concerning the responsibilities of business associates of covered entities.” The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.

HIPAA violations can prove quite costly for healthcare organizations. “First, the HIPAA Breach Notification Rule within the omnibus set of regulations requires covered entities and any affected business associates to notify patients following a data breach. In addition to the notification costs, healthcare organizations can encounter fines after HIPAA audits mandated by the HITECH Act and conducted by the Office for Civil Rights(OCR). Providers could also face criminal penalties stemming from violations of the HIPAA privacy and security rules.”

CSA (Compliance, Safety, Accountability)

Introduced in 2010, the program instituted a nationwide compliance system for motor carriers. The (FMCSA) initiative was designed to improve bus and large truck safety and reduce injuries, crashes and fatalities. It is set-up to allow FMCSA and its State Partners to contact a larger number of carriers earlier to prevent safety problems and issues.

CSA re-engineers a former compliance and enforcement process so there is in place clearer insight into how well large commercial motor vehicles operate. The new CSA regulations has three major components:

  • “Measurement - CSA measures safety performance, using inspection and crash results to identify carriers whose behaviors could reasonably lead to crashes.
  • Evaluation - CSA helps FMCSA and its State Partners correct high-risk behavior by contacting more carriers and drivers—with interventions tailored to their specific safety problems. In addition, FMCSA will propose new Safety Fitness Determination (SFD) regulations, which would replace the current three-tiered safety rating process with a single unfit determination.
  • Intervention - CSA covers the full spectrum of safety issues, from how data is collected, evaluated, and shared to how enforcement officials can intervene most effectively and efficiently to improve safety on our roads.”