HIPAA/FERPA Statement

Public Consulting Group, Inc. (PCG) recognizes that having a robust security program is critical in minimizing the impact of threats inherent in today’s workplace and computing environments. As a service provider often responsible for handling sensitive data, PCG is committed to safeguarding the privacy and confidentiality of customer and company information.

Policies and standards issued by the PCG Information Security Office have been written to assist in establishing and implementing PCG's information security posture, and they are subject to regular internal reviews and external audits to ensure that they have been properly designed and are operating effectively. These documents establish security at PCG as more than just a compliance activity; they aim to elevate and incorporate security into PCG’s culture and practice.

The following policies, organized by control family in the list below, were developed by PCG from a careful examination of National Institute of Standards and Technology (NIST) Special Publication 800-53, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act of 1974 (FERPA), the American Institute of Certified Public Accountants (AICPA) Attestation Standards, and the Section 101 Service Organization Control 2 (SOC 2) controls, and incorporate controls drawn from each. In addition, these policies and standards reflect applicable international and U.S. federal laws, executive orders, directives, regulations, standards, and guidance.

  • Access Control

    • Access Control

    • Account Management

    • Access Enforcement

    • Remote Access

    • Wireless Access

    • Access Control for Mobile Devices

  • Audit and Accountability

    • Documentation

    • Audit and Accountability

  • Security Awareness and Training

  • Configuration Management

    • Configuration Management

    • Change Management

    • Asset Management

  • Contingency Planning

    • Pandemic Response

    • Business Continuity

    • Disaster Recovery

    • Backup and Recovery

  • Identification and Authentication

  • Incident Response and Management

  • System Maintenance

  • Media Protection

    • Media Protection

    • Media Sanitization and Disposal

  • Personnel Security

    • Personnel Security

    • Acceptable Use

  • Physical and Environmental Protection

    • Physical and Environmental Protection

    • Physical Access

  • Security Planning

  • Program Management

    • Enterprise Architecture

  • Risk Assessment

    • Data Classification

    • Risk Assessment

    • Risk Management

    • Security and Confidentiality

    • Vulnerability Management

  • Security Assessment and Authorization

    • Continuous Monitoring

  • System and Communications Protection

    • Encryption

    • Privacy

  • System and Information Integrity

    • Capacity Management

    • Data Retention

    • Malicious Code Protection

    • Patch Management

    • System and Information Integrity

    • System Monitoring

  • System and Services Acquisition