Thursday, November 1, 2012

Generally Accepted Privacy Principles - Part 4


Each of the 10 Generally Accepted Privacy Principles has sets of criteria organized into sub-categories with sub-sub categories below most. Here are the top sub categories for the third and fourth of the 10 generally accepted privacy principles (choice and consent, and collection):

3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

3.1    Policies and Communications
3.1.0  Privacy Policies
3.1.1  Communication to Individuals
3.1.2  Consequences of Denying or Withdrawing Consent

3.2    Procedures and Controls
3.2.1  Implicit or Explicit Consent
3.2.2  Consent for New Purposes and Uses
3.2.3  Explicit Consent for Sensitive Information
3.2.4  Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices


4. Collection. The entity collects personal information only for the purposes identified in the notice.

4.1    Policies and Communications
4.1.0  Privacy Policies
4.1.1  Communication to Individuals
4.1.2  Types of Personal Information Collected and Methods of Collection

4.2    Procedures and Controls
4.2.1  Collection Limited to Identified Purpose
4.2.2  Collection by Fair and Lawful Means
4.2.3  Collection from Third Parties
4.2.4  Information Developed about Individuals


A link to a detailed table of these criteria along with illustrative controls and procedures (and additional information) is available on our website at www.socauditing.com

End of Part 4

- Mark Gleason
  www.socauditing.com

Saturday, October 27, 2012

Generally Accepted Privacy Principles - Part 3 - Drilling Down

Each of the 10 Generally Accepted Privacy Principles has sets of criteria organized into sub-categories with sub-sub categories below most. Here are the top sub categories for the first two of the 10 generally accepted privacy principles:

1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

1.1 Policies and Communications
1.1.0 Privacy Policies
1.1.1 Communication to Internal Personnel
1.1.2 Responsibility and Accountability for Policies

1.2 Procedures and Controls
1.2.1 Review and Approval
1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations
1.2.3 Personal Information Identification and Classification
1.2.4 Risk Assessment
1.2.5 Consistency of Commitments With Privacy Policies and Procedures
1.2.6 Infrastructure and Systems Management
1.2.7 Privacy Incident and Breach Management
1.2.8 Supporting Resources
1.2.9 Qualifications of Internal Personnel
1.2.10 Privacy Awareness and Training
1.2.11 Changes in Regulatory and Business Requirements

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

2.1 Policies and Communications

2.1.0 Privacy Policies
2.1.1 Communication to Individuals


2.2 Procedures and Controls
2.2.1 Provision of Notice
2.2.2 Entities and Activities Covered
2.2.3 Clear and Conspicuous

A link to a detailed table of these criteria along with illustrative controls and procedures (and additional information) is available on our website at www.socauditing.com

End of Part 3

- Mark Gleason
  www.socauditing.com

Wednesday, October 24, 2012

Generally Accepted Privacy Principles - Part 2

Here are the AICPA's Generally Accepted Privacy Principles:

1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information.

6. Access. The entity provides individuals with access to their personal information for review and update.

7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).

9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

End of Part 2

www.socauditing.com

Saturday, October 20, 2012

Our Website is Going Live!

The website for Christofferson & Gleason CPAs LLC is going live soon. I sent our web developer the go-ahead to go live Friday afternoon. It's Saturday PM and the "website in construction" page is still on our website. I think we'll be up and running Monday.

www.socauditing.com

Wednesday, September 5, 2012

Welcome to Our Blog

This is the official SOC Auditing Blog by Christofferson and Gleason CPAs LLC.
We will post information here about SOC Auditing.
What is SOC Auditing?
SOC stands for Service Organization Controls. 
We perform SOC audits which involve issuing SOC reports.
SOC audits and SOC reports are relatively new.
They did not exist before June of 2011 when Statement on Standards for Attestation Engagements No. 16 (SSAE 16) issued by the American Institute of Certified Public Accountants (AICPA) became effective.
SSAE 16 effectively abolished SAS (Statement on Auditing Standards) No. 70, which has been replaced by the new regime of SOC audits.
If your company has in the past had a SAS 70 audit, you have probably by now learned about the new regime of SOC audits.
Unlike the old SAS 70 audits, SOC audits come in a variety of shapes and sizes:
We now have SOC1, SOC2, and SOC3 engagements, each of which comes in two sizes, Type 1 and Type 2.
- Mark S Gleason
  September 5, 2012

www.socauditing.com