Recently we shared the first half of our interview with Briana Attinger, Orange Logic's Compliance Manager, where we discussed data privacy and security in relation to digital asset management. For the second post, we're getting into Briana's favorite topic: compliance.
BRIANA: Compliance is the requirements that we need to meet, whereas security is ensuring that we have the controls in place to meet those requirements. So the auditors are essentially ensuring that our digital asset management system is in compliance with regulations. So what they do is go in and review the controls that we have in place and the documentation provided to demonstrate those controls.
BRIANA: Orange Logic holds the certification for ISO 27001. We hold a certification in PCI DSS, which is the Payment Card Industry Data Security Standard, as well. We also comply with HIPAA and GDPR.
BRIANA: We have an in-house security and compliance team. Many other DAMs do not have those in-house teams. Our compliance and security teams are always working to ensure that our product is secure and that we're complying with our requirements.
BRIANA: ISO 27001 is an international industry standard security framework. It’s made up of different controls that organizations must comply with. Some of those controls include access control, asset management, communications security, business continuity and disaster recovery, incident management, and so on.
BRIANA: So the reason that we want ISO 27001 over other industry standards like SOC2 is it's an international industry standard, and we have customers across the globe. Also, ISO 27001 applies to the broader information security management system — to the entire security and compliance program within an organization. SOC2 is just applicable to certain controls. To put it more simply, it boils down to ISO 27001 standards offering customers more security.
BRIANA: PCI DSS is an international standard known as the Payment Card Industry Data Security Standard. It is applicable to securing cardholder data. Now, at Orange Logic, we do not process or store cardholder data. However, our DAM can process payments using secure third-party payment processors.
BRIANA: HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that applies to healthcare entities and ensures the protection of patient health information or protected health information, also known as PHI.
BRIANA: Every year, our digital asset management system undergoes a HIPAA risk assessment, which is performed by a third party. They're an independent assessor, and they review our HIPAA-compliant environment, which is our DAM environment that is constructed with configurations to comply with HIPAA. So a third-party assessor goes in, and they review all of our controls and our documentation to ensure that we are complying with the regulations.
BRIANA: We recently just completed our 2022 HIPAA Risk Assessment, and there were zero findings and even zero recommendations. Now, this is the first time that the project manager who handled our account has had an account that has had zero recommendations or findings.
BRIANA: The Financial Industry Regulatory Authority, FINRA Rule 511, requires its members within the financial industry to preserve books and records for a specific amount of time. And this complies with the Securities and Exchange Commission, SEC Rule 1784. So Cortex has a Write Once Read Many, or WORM, storage feature that is compliant with these rules. This ensures that our digital asset management customers in the financial industry are able to meet their record-preservation requirements.
BRIANA: GDPR, of course. GDPR is the European Union's General Data Protection Regulation. It is applicable to individuals in the EU and ensures their personal data is protected.
Our DAM also includes accessibility features that can be configured to comply with a number of accessibility compliance regulations and standards. This includes the Americans with Disabilities Act, the Web Content Accessibility Guidelines, and Section 508 of the US Rehabilitation Act.
BRIANA: An accessible DAM has features that ensure that end users with visual or hearing impairment or mobility issues are able to use the DAM to its fullest extent.
BRIANA: I think that it's extremely important that we communicate our security and compliance programs to our customers and prospective customers so they know just how passionate we are about securing our data and theirs.
As someone whose personal information has been breached, I understand how important it is to secure information. And that's why I'm so passionate about security and compliance within our DAM.
To learn more about how Orange Logic can help you with your DAM compliance needs, schedule a call today!