The Compliance Review Program and Process.

Similar to the certification process, the compliance review program entails a rigorous process intended to ensure that EIEPs who receive electronic information from SSA are in full compliance with the Agency's security requirements and standards. As a practice, SSA attempts to conduct compliance reviews on a two- to five-year periodic review schedule. However, as circumstances warrant, a review may take place at any time. Three prominent examples that would trigger an ad hoc review are:
• a significant change in the outside EIEP's computing platform
• a violation of any of SSA's systems security requirements
• an unauthorized disclosure of SSA information by the EIEP

The following is a high-level flow chart of the OIS Compliance Review Process (steps shown in process order): Make risk-based selection of target → Gather background information → Determine method of review → Set review date → Conduct compliance review → Finalize review documentation → Monitor findings.

SSA may conduct onsite compliance reviews that include both the EIEP's main facility and a field office. SSA may also, at its discretion, request that the EIEP participate in an onsite compliance review of its security infrastructure to confirm the implementation of SSA's security requirements. The onsite review may address any or all of SSA's security requirements and include, where appropriate:
• a demonstration of the EIEP's implementation of each requirement
• random sampling of audit records and transactions submitted to SSA
• a walkthrough of the EIEP's data center to observe and document physical security safeguards
• a demonstration of the EIEP's implementation of online exchange of data with SSA
• discussions with managers/supervisors
• examination of management control procedures and reports (e.g., anomaly detection reports)
• demonstration of technical tools pertaining to user access control and, if appropriate, browsing prevention:
o If the design uses a permission module or similar design, or is transaction driven, the EIEP will demonstrate how the system triggers requests for information from SSA.
o If the design uses a permission module, the EIEP will demonstrate the process used to request SSA-provided information and to prevent the EIEP's system from processing SSNs not present in the EIEP's system. This is verified by attempting to obtain information from SSA using at least one randomly created, fictitious number not known to the EIEP's system; a correctly implemented module refuses the request.

SSA may, at its discretion, perform an onsite or remote review for reasons including, but not limited to, the following:
• the EIEP has experienced a security breach or incident involving SSA-provided information
• the EIEP has unresolved non-compliance issue(s)
• to review an offsite contractor's facility that processes SSA-provided information
• the EIEP is a legacy organization that has not yet been through SSA's security certification and compliance review programs
• the EIEP requested that SSA perform an IV&V (Independent Verification and Validation) review

During the compliance review, SSA, or a certifier acting on its behalf, may request a demonstration of the system's audit trail and retrieval capability, including the system's capability for tracking the activity of employees who view SSA-provided information within the EIEP's system. If an STC handles and audits the EIEP's transactions with SSA, SSA may require the EIEP to demonstrate both its in-house audit capabilities and the process used to obtain audit information from the STC regarding the EIEP's transactions with SSA.
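The two controls the review asks an EIEP to demonstrate above, a permission module that only lets an SSN already on file trigger an SSA request, and an audit trail that records who requested and viewed SSA-provided data, can be sketched in a few dozen lines. The following is an added example and is not part of the SSA clause or of any EIEP's system; the case file, user names, pepper value and the stand-in `_call_ssa` method are all constructed for illustration. It also includes the reviewer's negative test: a randomly generated fictitious number that the gate must refuse.

```python
# Added example (not from the SSA clause or any EIEP system): a minimal
# "permission module" gate in front of the SSA exchange interface, with an
# audit trail and the reviewer's fictitious-SSN negative test.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumption: a per-deployment key loaded from a secrets store. The case
# index and the audit trail hold keyed hashes, so the gate never stores
# raw SSNs.
PEPPER = b"example-pepper-load-from-secrets-store"


def ssn_token(ssn: str) -> str:
    """Keyed hash of an SSN (digits only), usable as an index/audit key."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample case file: SSNs the EIEP legitimately holds (open cases).
# 9xx area numbers are never issued by SSA, so these cannot be real people.
CASE_FILE = {
    ssn_token("900-12-3456"): "CASE-0001",
    ssn_token("901-98-7654"): "CASE-0002",
}


class PermissionDenied(Exception):
    pass


class PermissionModule:
    """Transaction-driven gate: an SSA request is allowed only for an SSN
    already present in the EIEP's own case file."""

    def __init__(self, case_file: dict):
        self.case_file = case_file
        self.audit = []  # stand-in for an append-only, retrievable audit store

    def _log(self, user, event, token, outcome, case=None):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "event": event,       # "request" or "view"
            "ssn_token": token,   # never the raw SSN
            "case": case,
            "outcome": outcome,   # "allowed" or "denied"
        })

    def _call_ssa(self, ssn: str) -> dict:
        # Stand-in for the real SSA exchange; returns constructed data.
        return {"verified": True, "ssn_token": ssn_token(ssn)}

    def request_from_ssa(self, user: str, ssn: str) -> dict:
        token = ssn_token(ssn)
        case = self.case_file.get(token)
        if case is None:
            self._log(user, "request", token, "denied")
            raise PermissionDenied("SSN not present in the EIEP's system")
        self._log(user, "request", token, "allowed", case)
        result = self._call_ssa(ssn)
        self._log(user, "view", token, "allowed", case)  # who saw SSA data
        return result

    def activity_for(self, user: str) -> list:
        """What the certifier asks for: every request/view by one employee."""
        return [e for e in self.audit if e["user"] == user]

    def denied_requests(self) -> list:
        return [e for e in self.audit if e["outcome"] == "denied"]


def fictitious_ssn(case_file: dict) -> str:
    """Reviewer's negative-test input: random, 9xx area (never issued),
    and guaranteed absent from the case file."""
    while True:
        ssn = (f"9{secrets.randbelow(100):02d}-"
               f"{secrets.randbelow(99) + 1:02d}-"
               f"{secrets.randbelow(9999) + 1:04d}")
        if ssn_token(ssn) not in case_file:
            return ssn


def run_browsing_prevention_test(pm: PermissionModule, user="reviewer") -> bool:
    """Passes only if the fictitious SSN is refused and the refusal is audited."""
    probe = fictitious_ssn(pm.case_file)
    before = len(pm.denied_requests())
    try:
        pm.request_from_ssa(user, probe)
    except PermissionDenied:
        return len(pm.denied_requests()) == before + 1
    return False  # the gate let an unknown SSN through: a finding


if __name__ == "__main__":
    pm = PermissionModule(CASE_FILE)
    print(pm.request_from_ssa("jdoe", "900-12-3456"))
    print("browsing prevention test:",
          "PASS" if run_browsing_prevention_test(pm) else "FAIL")
    print(pm.activity_for("jdoe"))
```

Two design choices matter for the review itself: the audit entries carry a keyed hash rather than the SSN, so the audit store can be shown to a certifier and sampled without becoming another copy of SSA-provided data, and the denied request is logged before the exception is raised, so the reviewer's probe leaves evidence that the gate fired rather than silently failing.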
If the EIEP employs a contractor who will process, handle, or transmit the EIEP's SSA-provided information offsite, SSA, at its discretion, may include in the onsite compliance review an onsite inspection of the contractor's facility. The inspection may occur with or without a representative of the EIEP. The format of the review in routine circumstances (i.e., when the compliance review is not being conducted to address a special circumstance, such as a disclosure violation) will generally consist of reviewing and updating the EIEP's compliance with the systems security requirements described above in this document. At the conclusion of the review, SSA will issue a formal report to appropriate EIEP personnel. The Final Report will address the findings and recommendations from SSA's compliance review and will include a plan for monitoring each issue until closure.
Appears in 3 contracts
Samples: eldorado.legistar.com, media.rivcocob.org, www.slocounty.ca.gov