Recently we shared the first half of our interview with Briana Attinger, Orange Logic's Compliance Manager, where we discussed data privacy and security in relation to digital asset management. For the second post, we're getting into Briana's favorite topic: compliance.
ORANGE LOGIC: You’ve mentioned both security and compliance. What’s the difference?
BRIANA: Compliance is the requirements that we need to meet, whereas security is ensuring that we have the controls in place to meet those requirements. So the auditors are essentially ensuring that our digital asset management system is in compliance with regulations. So what they do is go in and review the controls that we have in place and the documentation provided to demonstrate those controls.
ORANGE LOGIC: What regulations does Orange Logic comply with?
BRIANA: Orange Logic holds the certification for ISO 27001. We hold a certification in PCI DSS, which is the Payment Card Industry Data Security Standard, as well. We also comply with HIPAA and GDPR.
ORANGE LOGIC: How do you stay on top of all those regulations?
BRIANA: We have an in-house security and compliance team. Many other DAMs do not have those in-house teams. Our compliance and security teams are always working to ensure that our product is secure and that we're complying with our requirements.
ORANGE LOGIC: Let’s change gears. You mentioned ISO 27001 — what’s that?
BRIANA: ISO 27001 is an international industry standard security framework. It’s made up of different controls that organizations must comply with. Some of those controls include access control, asset management, communications, security, business continuity and disaster recovery, incident management, and so on.
ORANGE LOGIC: Why does Orange Logic go through all that to comply with ISO 27001?
BRIANA: So the reason that we want ISO 27001 over other industry standards like SOC2 is it's an international industry standard, and we have customers across the globe. Also, ISO 27001 applies to the broader information security management system — to the entire security and compliance program within an organization. SOC2 is just applicable to certain controls. To put it more simply, it boils down to ISO 27001 standards offering customers more security.
ORANGE LOGIC: How about PCI DSS? Can you tell us a bit about that standard?
BRIANA: PCI DSS is an international standard known as the Payment Card Industry Data Security Standard. It is applicable to securing cardholder data. Now, at Orange Logic, we do not process or store cardholder data. However, our DAM can process payments using secure third-party payment processors.
ORANGE LOGIC: And you said we comply with HIPAA, but for those who don’t know, what is HIPPA?
BRIANA: HIPAA, or the Health Insurance Portability and Accountability Act, is a US federal law that applies to healthcare entities and ensures the protection of patient health information or protected health information, also known as PHI.
ORANGE LOGIC: How do you earn the “HIPAA compliant” label?
BRIANA: Every year, our digital asset management system undergoes a HIPAA risk assessment, which is performed by a third party. They're an independent assessor, and they review our HIPAA-compliant environment, which is our DAM environment that is constructed with configurations to comply with HIPAA. So a third-party assessor goes in, and they review all of our controls, our documentation to ensure that we are complying with the regulations.
ORANGE LOGIC: How do we do in those assessments?
BRIANA: We recently just completed our 2022 HIPAA Risk Assessment, and there were zero findings and even zero recommendations. Now, this is the first time that the project manager who handled our account has had an account that has had zero recommendations or findings.
ORANGE LOGIC: What is FINRA Rule 4511?
BRIANA: The Financial Industry Regulatory Authority, FINRA Rule 511, requires its members within the financial industry to preserve books and records for a specific amount of time. And this complies with the security exchange Commission, SEC Rule 1784. So Cortex has a Write Once Read Many or WORM storage feature that is compliant with these rules. This ensures that our digital asset management customers in the financial industry are able to meet their record-preservation requirements.
ORANGE LOGIC: Are there any other regulations Orange DAM complies with?
BRIANA: GDPR, of course. GDPR is the European Union's General Data Protection Regulation. It is applicable to individuals in the EU and ensures their personal data is protected.
Our DAM also includes accessibility features that can be configured that comply with a number of accessibility compliance regulations and standards. This includes the American Disabilities Act, Web Content Accessibility Guidelines, and Section 508 of the US Rehabilitation Act.
ORANGE LOGIC: What makes an accessible digital asset management system?
BRIANA: An accessible DAM has features that ensure that end users with visual or hearing impairment or mobility issues are able to use the DAM to its fullest extent.
ORANGE LOGIC: Last question - why did you want to do this interview?
BRIANA: I think that it's extremely important that we communicate our security and compliance programs to our customers and prospective customers so they know just how passionate we are about securing our data and theirs.
As someone whose personal information has been breached, I understand how important it is to secure information. And that's why I'm so passionate about security and compliance within our DAM.
To learn more about how Orange Logic can help you with your DAM compliance needs, schedule a call today!
