Compliant File Sharing
Governance and Controls Compliance
The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2), commonly referred to as FIPS 140-2, is a US government computer security standard used to validate cryptographic modules. FIPS 140-2 was created by NIST and, per FISMA, is mandatory for US and Canadian government procurements. Many global organizations are also mandated to meet this standard. FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice.
Torozo was tested and validated against the rigorous FIPS 140-2 encryption compliance standard.
ISO 27001 certification demonstrates that your organization has invested in the people, processes, and technology (e.g. tools and systems) to protect your organization’s data, and provides an independent, expert assessment of whether your data is sufficiently protected. The company expects to complete its ISO 27001 certification by mid-2022.
ISO/IEC 27018:2019 is an information security code of practice for cloud service providers who process personally identifiable information (PII) for their customers. It is an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls. It details privacy requirements and security control enhancements for privacy to be implemented by cloud service providers.
It is complementary to ISO 27017:2015, Security Control for Cloud Services, and to ISO 27701:2019, Privacy Information Management, both of which also extend ISO 27001:2013.
As an extension to ISO 27001, ISO 27018 provides guidance on 16 ISO 27002 controls, as well as providing 25 new privacy and security controls:
- The requirement to cooperate with PII controllers
- The maintenance of PII principals’ rights
- Compliance with fundamental privacy requirements, such as data minimisation and accuracy
- The principles of transparency and accountability
- Additional security controls
- Requirements for sub-contracted processing
The company expects to achieve ISO 27018 compliance by mid-2022.
The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.
This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks, referring to clauses 5-18 in ISO/IEC 27002:2013 for controls, implementation guidance, and other information. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002, and it also features seven new controls that are not duplicated in ISO/IEC 27002. These new controls address the following important areas:
- Shared roles and responsibilities within a cloud computing environment
- Removal and return of cloud service customer assets upon contract termination
- Protection and separation of a customer’s virtual environment from environments of other customers
- Virtual machine hardening requirements to meet business needs
- Procedures for administrative operations of a cloud computing environment
- Enabling customers to monitor relevant activities within a cloud computing environment
- Alignment of security management for virtual and physical networks
The Company expects ISO 27017 certification by mid-year 2022.
The Service Organization Control (SOC) 2 Type II examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities, and tested those controls to ensure that they are operating effectively.
SOC 2 is based on Policies, Communications, Procedures and Monitoring. The specific Trust Service Principles explained below must be met in order to successfully achieve certification.
- Security: The system has controls in place to protect against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely and authorized.
- Confidentiality: Information that is designated as “confidential” by a user is protected.
The Type II report is issued to organizations that have audited controls in place and whose controls have had their effectiveness audited over a specified period of time.
Type II certification consists of a thorough examination by a third-party firm of an organization’s internal control policies and practices over a specified period of time. This independent review ensures that the organization meets the stringent requirements set forth by the AICPA and CICA. When trusting an application with highly sensitive and confidential information, such as passwords, documents and secure images, obtaining high-level certification is imperative.
The Company has started its SOC 2 Type II certification process and expects certification by the end of Q3 2022.
Data Privacy Compliance
Torozo follows all PIPEDA principles.
PIPEDA is the Personal Information Protection and Electronic Documents Act (Canada). PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector. These principles include:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
The General Data Protection Regulation (GDPR) sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.
The Personal Health Information Protection Act (the Act), also known as PHIPA, is Ontario legislation established in November 2004.
PHIPA provides a set of rules for the collection, use and disclosure of personal health information by a “Health Information Custodian” (HIC), and includes the following provisions:
- Consent is required for the collection, use and disclosure of personal health information, with few exceptions
- HICs are required to treat all personal health information as confidential and maintain its security
- Individuals have a right to access their personal health information, as well as the right to correct errors
- Individuals have the right to instruct HICs not to share their personal health information with others
- Rules are provided for the use of personal health information for fundraising or marketing purposes
- Guidelines are set for the use and disclosure of personal health information for research purposes
- Accountability is ensured by granting an individual the right to complain if they have identified an error in their personal health information
- Remedies are established for breaches of the legislation
Torozo methods and policies support all the requirements of PHIPA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It modernized the flow of healthcare information, stipulated how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent. With limited exceptions, it does not restrict patients from receiving information about themselves. It does not prohibit patients from voluntarily sharing their health information however they choose, nor – if they disclose medical information to family members, friends, or other individuals not a part of a covered entity – legally require them to maintain confidentiality.
Torozo methods and procedures follow the requirements of HIPAA.