FlowTrack may be requested occasionally to share additional details regarding its compliance, privacy and security program by an external entity such as a customer, media, legal or law enforcement. Such external communication, beyond what is already publicly published, needs to comply with the following policies and procedures.
FlowTrack policy requires that:
(a) FlowTrack operations must comply with all applicable laws, regulations, security standards and frameworks. Internal or external audits shall be conducted according to each applicable compliance requirement.
HIPAA/HITECH. FlowTrack must comply with all requirements listed in the HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
GDPR. FlowTrack must protect the personal data and privacy of EU citizens according to the regulatory requirements set forth in the European Union General Data Protection Regulation (GDPR).
NIST. FlowTrack security shall implement the applicable functions and categories outlined in NIST CSF 1.1.
PCI. FlowTrack must protect the payment card data processed and/or stored according to the requirements in the latest Payment Card Industry Data Security Standard (PCI DSS).
(b) All external communications related to compliance and customer/employee privacy must follow pre-established procedures and be handled by approved personnel. This includes, but is not limited to, distribution of audit reports, assessment results, incidents and breach notifications.
(c) Audit and compliance reports may be shared with an external party only under a signed NDA and with the approval of the FlowTrack Security and/or Privacy Officer.
FlowTrack management and the security/compliance team have identified, and regularly review, all relevant statutory, regulatory, and contractual requirements.
FlowTrack's compliance policy includes requirements to meet any and all applicable compliance requirements.
Additionally, the Vendor Risk Management policies and procedures specify the details related to contractual agreements with clients, partners and vendors, as well as the requirements and process related to intellectual property rights and the use of proprietary software products.
FlowTrack, at its sole discretion, shares audit reports, including any Corrective Action Plans (CAPs) and exceptions, with customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in FlowTrack's format, between FlowTrack and the party receiving the materials. Audit reports can be requested by FlowTrack workforce members on behalf of customers or directly by FlowTrack customers.
The following process is used to request audit reports:
See detailed policy and procedures in Breach Notification
Prior to contracting with an external audit firm, FlowTrack shall:
Whenever possible, a third-party auditing vendor should not also be providing IT oversight services to the organization (e.g., vendors providing IT services should not be auditing their own services, to ensure separation of duties).
Direct all other communication requests to one of the following:
For incident reporting, vulnerability disclosure and other security related inquiries:
For privacy concerns, including report of violation:
For all compliance related issues, including request of audit reports:
The status of compliance is tracked via AWS and internally. Compliance dashboards are configured with the applicable internal and external standards and frameworks. Any potential gaps detected are reported on the compliance dashboards.
Fincosa LLC, 220 Calle Manuel Domenech #2012, San Juan, PR, 00918, USA