Compliance, Governance, Risk Management Services
Compliance, Governance and Risk Management
AG Grace’s compliance, governance and risk management (CGR) services help clients confront the comprehensive issues of corporate governance, enterprise risk management, and effective corporate compliance, while offering specialized assistance in key areas such as privacy, security, health, information technology, human capital, anti-fraud and dispute consulting, and financial services.
Our services include compliance audits, assessments, and implementation support for the following federal regulations and frameworks:
Cybersecurity Maturity Model Certification (CMMC)
This model measures cybersecurity maturity across five levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats.
We assist companies in developing compliant System Security Plans. We take a business approach to system security planning, which means your company’s business goals and objectives come first when developing a security architecture.
CMMC stands for Cybersecurity Maturity Model Certification. CMMC is a new framework for organizations doing business with the Department of Defense (DoD). CMMC applies to any organization that stores, processes, and/or transmits either:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
CMMC evolved from the current NIST SP 800-171 standard. According to the DoD, malicious cyber activity is costly to the US economy: in 2016, malicious activity cost an estimated $57 billion to $109 billion. It is about more than money, though. Any loss of CUI has an impact on both national economic security and national security. It is the duty of the Defense Industrial Base (DIB) to reduce this risk through excellent cyber hygiene.
CMMC consists of domains, capabilities, and practices.
Domains and capabilities are a way to categorize the practices. A domain (e.g. Access Control) contains one or more capabilities (e.g. establish system access requirements), which in turn have one or more practices. Practices are the security controls, or the activities performed to ensure security.
All DoD suppliers need CMMC certification.
The five levels of CMMC
CMMC contains five levels of maturity. Each level adds practices and processes to those of the level below it, because each level has a distinct focus.
- Level one focuses on the basic safeguarding of Federal Contract Information (FCI).
- Level two is a transition step toward protecting Controlled Unclassified Information (CUI).
- Starting with level three, an organization will be ready to protect CUI. Levels three through five increase their protection by adding practices and processes.
- Levels four and five have requirements focused on reducing the risk from Advanced Persistent Threats (APTs). APTs are attacks sponsored by nations or very large organizations.
Controlled Unclassified Information (CUI) | National Institute of Standards & Technology (NIST) Special Publication (SP) 800-171
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.
The CUI Office has differentiated when NIST SP 800-171 applies to contracts. The key question is whether the contractor is developing a product that contains CUI or developing a system that processes, stores, or handles CUI. NIST SP 800-171 only addresses the confidentiality of CUI, which is important to all users of CUI, ensuring that CUI is not shared inappropriately. In developing systems that process, store, or handle CUI, the system must ensure the availability and integrity of the information as well as its confidentiality. In these cases, the government may establish additional controls through the contracting process.
AG Grace provides data protection solutions that enable government agencies and contractors to automatically apply consistent CUI markings that comply with all regulations, and appropriately safeguard sensitive government information.
Federal Information Security Modernization Act 2014 (FISMA)
FISMA provides for the use of automated tools in agencies’ information security programs, including for periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents. It requires agencies to report on (1) threats and threat actors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) the total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.
AG Grace has been providing FISMA support to our customers for more than 18 years. We have helped our customers increase their FISMA scores and audit readiness by 30% and improve their security effectiveness.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution. Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data.
AG Grace has been assisting financial institutions in complying with GLBA, and avoiding the penalties of noncompliance, for more than 10 years. Our services apply industry best practices and help institutions:
- Understand the technologies that enable compliance
- Recognize common pitfalls and challenges to be aware of
- Build a sustainable GDPR compliance program
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
The OCR’s role in maintaining HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations.
Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information. Learn more about how to become HIPAA compliant with Compliancy Group’s software solutions.
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.
We help our customers with:
- Self-Audits – HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant–it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
- Remediation Plans – Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
- Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
- Documentation – HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.
- Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
- Incident Management – If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.
Office of Management and Budget (OMB) Circular A-123
The purpose of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) is to provide reasonable assurance that “(i) obligations and costs are in compliance with applicable law; (ii) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and (iii) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.”
Management must focus on ensuring that effective internal control over financial reporting is established and maintained throughout the federal government.
Internal controls for the safeguarding of assets should be designed to provide reasonable assurance regarding the prevention, or prompt detection, of unauthorized acquisition, use, or disposition of assets.
AG Grace helps our customers prepare for the audit by assisting with:
- Evaluating Internal Controls
- Evaluating Internal Processes
- Reporting, understanding, and correcting deficiencies
We offer the following services:
- Audit Support
- Audit Assessments
- Business Impact Assessments
- Continuous Monitoring
- Gap Analysis
- Policy Development
- Procedure Development
- Risk Assessments
Sarbanes-Oxley Act (SOX)
All publicly traded companies that do business in the United States require formal data security policies, communication of those policies, and consistent enforcement of them. AG Grace assists companies in developing and implementing comprehensive data security strategies that protect and secure all financial data stored and utilized during normal business operations.
SOX Compliance Requirements:
- CEOs and CFOs are directly responsible for the accuracy, documentation, and submission of all financial reports as well as the internal control structure to the SEC. Officers risk jail time and monetary penalties for compliance failures – intentional or not.
- SOX requires an Internal Control Report that states management is responsible for an adequate internal control structure for their financial records. Any shortcomings must be reported up the chain as quickly as possible for transparency.
- SOX requires formal data security policies, communication of data security policies, and consistent enforcement of data security policies. Companies should develop and implement a comprehensive data security strategy that protects and secures all financial data stored and utilized during normal operations.
- SOX requires that companies maintain and provide documentation proving they are compliant and that they are continuously monitoring and measuring SOX compliance objectives.
Benefits of SOX Compliance:
- SOX provides the framework that companies need to follow to be better stewards of their financial records, which in turn improves many other aspects of the company.
- SOX compliant companies report that their financials are more predictable, which makes stockholders happy. Companies also report that they have easier access to capital markets due to their improved financial reporting.
- By implementing SOX, companies are safer from cyberattack and the expensive, embarrassing aftermath of a data breach. Data breaches are expensive to manage and clean up, and companies might never recover the damage to their brand.
- SOX compliance builds a cohesive internal team and improves communication between teams involved with the audits. The benefits of a companywide program like SOX can have other tangible effects on the company – like improved cross-functional communication and cooperation.
To be SOX compliant, it is crucial to demonstrate your capability in the following controls:
- Access: Access means both physical controls (doors, badges, locks on file cabinets) and electronic controls (login policies, least-privilege access, and permissions audits). Maintaining a least-permissive access model, in which each user has only the access necessary to do their job, is a requirement of SOX compliance.
- Security: Security in this context means that you can demonstrate protections against data breaches. How you choose to implement this control is up to you.
- Data Backup: Maintain SOX compliant off-site backups of all of your financial records.
- Change Management: Have defined processes to add and maintain users, install new software, and make any changes to databases or applications that manage your company financials.