
Security Triangle for Government Compliance

December 17, 2019 (updated February 28th, 2020)

Government 3rd Party Authorization & Compliance Explained – Security Triangle

Figure: GovQA Security Triangle for 3rd party compliance. Tiers shown in the figure:

  • All Security Controls Documented & Tested (Audit Required)
  • Criminal Justice Controls Documented & Tested (Audit Required)
  • Health Information Controls Documented (Audit Required)
  • Controls Tested, Voluntary (Audit Required)
  • Controls Documented, Voluntary
  • Financial Controls, Voluntary

Security

Key considerations for best-in-class security for hosting, application, and personnel.

Several key government organizations set the standards for properly executing software solutions in the best interest of the public. When a software solution complies with these standards, the purchasing group can have confidence that the product has been vetted.

But GovQA goes further.

Our compliance is not a one-time event and certification. We don’t “map” our software to the standards and call it a day. We are committed to ongoing, strict compliance day to day, month to month, year to year. This is proven with annual (and more frequent) 3rd party audits of our platform.

…And we go further still.

GovQA’s employees, building, and company systems and procedures are also compliant. We have extensive SETA (Security Education Training Awareness) programs in place, state-of-the-art building security, and strictly enforce CJIS and HIPAA staff training, certification, and annual re-certification. Security at GovQA is not just a box to check, it is truly ingrained in our culture.

GovQA can provide Letters of Attestation to confirm we have met all compliance requirements.

Learn more about GovQA security here.

CJIS

Compliance with the Criminal Justice Information Services (CJIS) Security Policy is ongoing. This includes GovQA data infrastructure and maintenance, product development, and relevant employee background checks. GovQA is audited and attested annually by a 3rd party auditor as fully compliant.

SOC

SOC (Service and Organizational Controls) audits are based on CPA requirements and are performed by accounting firms. SOC 1 audits are primarily financial. SOC 2 audits are also largely financial, with some data security controls as they relate to Security, Availability, Processing, Confidentiality, and Privacy. These focus on how client data is stored and protected.

  • SOC 1: a financial audit for potential investors
  • SOC 2 Type 1: controls verified to be in place at a single point in time
  • SOC 2 Type 2: mature, comprehensive auditing over time

GovQA only utilizes fully SOC compliant/audited/attested data centers and hosting providers with compliance and gap letters on file.

NIST/FISMA

FISMA (the Federal Information Systems Act) requires government agencies to effectively manage risk, and NIST (the National Institute of Standards and Technology) issues specific guidance for complying with FISMA. The goal is to protect information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure the integrity, confidentiality, and availability of sensitive information. FISMA requirements include categorization according to risk level, maintenance of a system security plan, implementation of security controls, risk assessments, certification and accreditation, and continuous monitoring.

HIPAA

The HIPAA Security Rule establishes national standards requiring appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. Our compliance means we adhere to all HIPAA Rules relevant to our business, including Privacy, Security, Enforcement, and Breach Notification. GovQA is audited and attested annually by a 3rd party auditor as fully compliant.