Tampa, FL, April 3, 2019 - Schellman & Company, LLC (Schellman), a leading provider of attestation and compliance services, announced today that it has been officially certified as a Great Place to Work™. Great Place to Work is the global authority on workplace culture, employee experience and the leadership behaviors proven to deliver market-leading revenue and increased innovation.

If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance Program (SSPA) program (previously called the Vendor Privacy Assurance Program). Vendors providing services with a high business impact may be required to provide a letter of attestation from a qualified independent assessor such as Schellman. You might be wondering what this requirement means for your business and what to expect during the attestation process.

The fight against cyber threats is one that requires much more preparation than it may have in the past. Today, threats and attacks are disrupting business operations and unnerving boards of directors, managers, customers, investors, and other stakeholders in organizations of all sizes, both public and private. The first rule in a fight is to protect yourself at all times, and the AICPA's SOC for Cybersecurity reporting framework can help.

What keeps security professionals up at night isn’t the idea of outsider threats attacking their companies—it’s their employees. Nearly 61 percent of security leaders surveyed said their biggest issue is worrying about negligent or malicious employees, which they claim are responsible for over half of their organization’s data breaches or security incidents.

Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process. The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF. However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.

HITRUST Basics The HITRUST set of security controls and safeguards (referred to as the ‘CSF’ or ‘Common Security Framework’) was developed using a risk-based approach to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations. It includes control points derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT frameworks, as well as federal and state privacy laws.

Effective compliance and risk management goes far beyond a set of policies. To be effective, a company’s compliance and risk management program must be embedded in its culture. All too often, companies see compliance as a separate activity that does not need to be integrated into the day-to-day business operations. All employees should share responsibility, and an intelligent risk framework should be created that brings compliance out in the open — letting employees know the importance of compliance while allowing them to communicate. But that’s often easier said than done.

Policies and procedures help create an internal control framework within an organization. Management uses this internal control framework to rely upon and ensure that the organization's objectives are being met.