What’s On the Top of Your List? Security and Data Protection Are at the Top of Ours!

 In Security & Privacy

“How will you secure and protect our employees’ data?” This is a key question many employers want to know as they seek healthcare benefits for their employees. We know firsthand just how important it is to secure and protect data, which is why NASCO’s security profile is independently audited on an annual basis to provide assurance to our existing and potential health plan customers, as well as to their customers, that we have the proper controls in place to protect their members’ data.

NASCO has once again received our SOC1, SOC2 and SOC3 certification reports, which demonstrate NASCO’s operational alignment with industry standards and validate that the design and execution of NASCO’s internal controls are operated effectively across four trust principles: system availability, confidentiality, processing integrity and security. NASCO’s internal controls cover everything from enterprise-level security to the hiring, screening and training practices for our employees, from how we store data and manage changes in our systems to how we react to issues that arise.

In 2018, NASCO expanded the SOC reports to include more NASCO products and, therefore, more product-specific internal controls. At the same time, SOC report requirements were also evolving, adding requirements and making control objectives more specific. In 2019, NASCO SOC reports began to stabilize, and NASCO earned its first clean report with zero control findings. In 2020, NASCO repeated this accomplishment by earning clean SOC reports with zero control findings for a second year in a row.

“It is truly a total team effort to complete these reports,” said Chris Risley, Executive Director of Enterprise Risk Management for NASCO. “Earning zero findings for a second year in row is a testament to the teamwork of all of the NASCO product teams and business units that provide the data to demonstrate internal control functionality to our external auditors.”

In addition to our SOC compliance, NASCO also re-earned HITRUST certification against version 9.1 of the common security framework, which covers 525 control requirements in 19 unique security domains. NASCO’s HITRUST scope covers all of our key products as well as NASCO’s corporate system.

While our SOC certifications ensure that our internal controls are in place, HITRUST ensures that our external-facing controls are also in place. The two different perspectives of these security certifications complement each other nicely for NASCO.