Memo: SOC vs NIST

NIST SP 800-30: Guide for Conducting Risk Assessments

NIST Special Publication 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organization

Everyone interested in advancing design and planning of IT systems must become knowledgeable of the accomplishments of NIST by reading their Special Publication 800-series reports. The 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and collaborative activities with industry, government, and academic organizations. The NIST Special Publication 800-53 “Recommended Security Controls for Federal Information Systems and Organization” list pages of specific controls that would be considered in the preparation of a standardized list of IT system controls for the private sector.

NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

Special Publication 800-66 Revision 1, which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to:

  • Help to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule.
  • Direct readers to helpful information in other NIST publications on individual topics addressed by the HIPAA Security Rule.
  • Aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Service Organization Controls (SOC)

The American Institute of Certified Public Accounts (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits in response the requirements of the Gramm-Leach-Bliley Act entitled, Service Organization Controls (SOC).  SOC is divided into two general types of audits SOC 1 and SOC 2 that are described on this site in detail.  SOC  is very specific as to the types of assessments that are to be made for each type of audit. SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

SOC 1 audits according to the requirements of SSAE No. 16 reports  ”On Controls at a Service Organization” that is processing private and nonpublic data that is personal for it’s customers. The controls obviously would vary differently in approach even though there would be some overlap.  Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, integrity, confidentiality, and privacy. There are specific controls that come into play for each of these areas include overlap of controls to prevent possible financial theft, timely transmission, intrusion/manipulation, limited access and nondisclosure.

Concluding Notes

SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

Aligned Risk Management follows NIST SP 800-30, the framework for conducting risk assessments, and evaluates and reports on controls aligned to NIST SP 800-53 and NIST SP 800-66.

This article contains direct quotes and information from the National Institute of Standards and Technology (NIST), Integrated Accounting Services.

“SP 800-30: Guide for Conducting Risk Assessments”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“NIST Special Publication 800-53”. National Institute of Standards of Technology. Retrieved September 4, 2018.

“Information Technology Laboratory”. Integrated Accounting Services. Retrieved September 4, 2018.

Published by Patrick Brenner, Analyst

Patrick Brenner: Privacy and Security Analyst Patrick was catapulted into protecting doctors, the privacy of patient data, and the protection of patients' civil rights. His knowledge of HIPAA and deep understanding of cybersecurity as it pertains to healthcare combined with his expertise in implementing NIST guidelines has primed him for helping healthcare practices in positioning themselves with better HIPAA compliance. Patrick invented the Aligned Risk Management risk assessment process in close collaboration with numerous clients and colleagues seeking a modern and innovative HIPAA compliance solution. He designed the Aligned Risk Management Information System (ARMIS) and continues to oversee its development.