Governance, Risk and Compliance


SECURITY MANAGEMENT AND COMPLIANCE

Are you worried that your security strategy is being overrun by business and IT needs? Are you struggling with a litany of audit requests and findings, or unsure which regulations apply to you? If so, we are here to help.


Sienna Group’s dedicated security and compliance professionals provide consulting services honed through decades of experience in all areas of security management and compliance program development. We are experts in strategy development and maturity, business and IT alignment, and ensuring that your program can be measured for success. Our team includes experienced and successful CISOs and CCOs from a wide array of industries who have first-hand knowledge of the challenges and solutions that make these programs a valuable and cohesive component of your company’s goals.



VENDOR RISK MANAGEMENT

Management of vendor relationships is a trust and regulatory issue faced by all organizations. An effective vendor risk management program enables your organization to minimize the risk that comes with less direct oversight or control, and to maximize the benefits gained through a well-managed vendor relationship program.


Sienna Group’s experienced consultants work across your organization’s enterprise to ensure appropriate functional participation and that key expertise is integrated into your framework. Sienna Group takes a programmatic approach to Vendor Risk Management, which results in an implemented and repeatable process for your organization.



BREACH MANAGEMENT AND SUPPORT

So you’ve had a breach; now what? Sienna Group can help you respond quickly when your sensitive information is compromised, no matter the source of the data breach, whether it is the result of a malicious hacker or a negligent employee.


Sienna Group’s cyber experts respond quickly and provide forensic analysis, compliant notifications, reputation-saving remediation and litigation support. We will be your trusted advisor so that you make informed decisions that leave you in the most defensible position, with your reputation intact and “business as usual” proceeding without disruption.



Governance, Risk and Compliance

Sienna Group provides support to client organizations to ensure that a sound governance structure and processes are in place. Key to this is the ability to identify and eliminate organizational and functional barriers, and to ensure that critical information is preserved, communicated, and available when needed.

Corporate Integrity Agreement Validation

Sienna Group can provide key support to client organizations with government-imposed compliance programs by:


  • Developing and/or validating compliance programs necessary to satisfy the mandates of judgments, consent decrees, or deferred prosecution agreements
  • Supporting the development of project plans and activities necessary to fulfill the requirements of a Corporate Integrity Agreement (CIA)
  • Providing support in critical communications and assistance in the development of ongoing auditing and monitoring of adherence to state and federal regulations
  • Assisting with the Self-Disclosure process

Enterprise Risk And Compliance Platform Development

Sienna Group has extensive expertise to offer in the areas of compliance program development, review and implementation. Sienna can:


  • Provide support and expertise in implementing tailored programs that promote compliance as part of the corporate culture and show regulators a commitment to compliance
  • Assist in the development of compliance program effectiveness evaluation tools, the implementation of effective monitoring programs, risk identification and the establishment of performance metrics, including operational and monitoring activities related to delegation and business process outsourcing
  • Develop and/or review compliance education and training programs, including employee communication materials (code of ethics, policies, procedures, compliance incentives)
  • Coordinate or provide interim compliance management
  • Evaluate compliance systems and vendor selection (hotlines, computer-based training programs, policy and procedure management, reporting tools)

Risk

Sienna Group can assist organizations in their compliance risk identification, prioritization and remediation activities through:


  • Assistance in the identification and prioritization of risks, with establishment of plans to address them
  • Creation of tools used to address risk remediation (education, monitoring, controls)
  • Evaluation of compliance, operations, and other key areas as part of due diligence activities conducted prior to an acquisition or partnership to help identify potential risks
  • Assistance in auditing for business process outsourcing

Data Protection

Data protection is a key process in addressing organizational risk and ensuring appropriate internal controls. Once data in the information lifecycle is understood and classified, it can be managed and protected using privacy and security controls according to legal and regulatory requirements, sensitivity or organizational importance. Sienna Group can assist organizations with their data protection strategy, supporting data loss prevention, data classification and overall records information management, legal discovery needs, and compliance with privacy and security regulations.


Sienna Group has experience in:


  • Assisting clients with data classification assessments, including the identification of what types of data they have, who has access to that data, and how it should be protected, stored, transmitted and destroyed to meet legal and regulatory requirements
  • Development of data classification categories and controls
  • Data Loss Prevention system configuration to improve automation
  • Documentation of policies, standards and procedures required to enable data classification
  • Development of training programs to ensure organization-wide adherence to data classification standards
  • Coordination of data classification categories with information security and privacy controls, as well as organizational record retention programs

Safe Harbor

Sienna Group can assist business associates in taking advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health data. We do this by:


  • Architecting encryption strategies for data protection
  • Assisting in the development of policies and procedures that meet the requirements of the safe harbor provision
  • Offering knowledge and expertise on de-identification of protected health information
  • Providing assistance in performing safe harbor provision analysis and audits

Fraud, Waste and Abuse (FWA)

Sienna Group LLC can assist client organizations in the prevention and detection of fraudulent, wasteful and abusive activity on both a pre-payment and a post-payment basis by:


  • Providing guidance on the development and administration of an organization’s Fraud Program
  • Assisting in the development of policies and procedures that meet the expectations of regulatory bodies
  • Offering knowledge and expertise on Medicare and Medicaid regulations pertaining to FWA concerns
  • Providing guidance and expertise on FWA aspects of commercial health insurance programs, as well as claims coding, billing and processing
  • Providing assistance in performing FWA analysis and audits, as well as reporting to relevant regulatory and law enforcement entities

Enterprise Security

Sienna Group’s consulting professionals have experience in all aspects of enterprise security.


  • Data Loss Prevention - Evaluation of current controls. Tighter integration of current DLP systems. Expansion of the program into other existing systems while increasing auditability and monitoring.
  • Access control - Evaluation of access controls. Tighter integration of current access controls with existing systems while evaluating authorization, authentication, access approval and audit.
  • Cryptography - Architect, develop and deploy encryption technology into existing systems while integrating the systems with minimal impact to users
  • Security architecture and design - Enterprise information security architecture (EISA) is the practice of applying a comprehensive method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units. This allows the information security team to align with the organization's core goals and strategic direction.
  • Telecommunications and network security - Evaluating the security of voice and data communications across local area, wide area, and remote access networking, with reference to networking models such as the Open Systems Interconnection (OSI) and TCP/IP models. Developing security mechanisms for Internet, intranet, and extranet, focusing on innovative replacements for traditional firewalls, routers, and intrusion detection and prevention systems.
  • Software development security - Integrating security into the software development lifecycle following guidance from the Open Web Application Security Project (OWASP) and Web Application Security Consortium (WASC). Protecting against the latest threats which impair web-based applications.
  • Business continuity and disaster recovery planning - Identifying an organization's exposure to internal and external threats. Providing effective prevention and recovery of data for organizations, and developing policies and plans to maintain competitive advantage while focusing on system integrity.
  • Physical (environmental) security - Evaluating current physical controls and providing guidance on how to design controls that monitor and secure information systems
  • Legal, regulations, investigations and compliance – Assist in the investigation of reported or detected security incidents and develop corrective action initiatives. Conduct investigations into security risks and provide guidance and feedback on investigation procedures, disciplinary rules, and communication to external customers, agencies and law enforcement.

Privacy Breach Detection Analysis And Notification

With a broad spectrum of experience in both privacy and security controls, Sienna Group can assist organizations that have experienced, or are currently experiencing, breach issues. Our breach response service offerings include:


  • Coordination with clients to review and evaluate data pulled by internal systems and provision of necessary expertise to perform forensics
  • Provision of training on data review and identification of potential incidents/issues
  • Provision of data breach response services when an incident has been identified, including investigation, interviews, coordination with relevant authorities, notifications, etc.
  • Development and/or provision of tools for breach investigation, including procedures, interview templates, investigation tracking and documentation templates

Compliance

Sienna Group LLC provides a customized approach to compliance program review based on prior industry experience managing and leading commercial and Medicare compliance programs. We can provide feedback and suggested revisions as needed to address industry compliance requirements and to incorporate best practices in addressing the essential elements of a compliance program. This may include:


  • Assessment of existing compliance documentation against legal and regulatory requirements (Medicare, Medicaid, etc.) and compliance program best practices to identify areas of opportunity. Documents reviewed include the Compliance Plan, Standards of Conduct, Policies, Compliance Committee Charters, and Training materials. The documents provided are reviewed to evaluate whether they demonstrate compliance with the seven required components of a compliance plan as well as the fraud, waste, and abuse requirements.
  • Assessment of the impact and priority of each area of opportunity identified and provision of remediation recommendations
  • Review of any outsourcing agreements, including functions delegated, metrics and SLAs versus CMS Medicare or other regulatory expectations per operational area
  • Assistance in developing training and monitoring programs for agents and third parties who support sales operations, and guidance to clients in developing sales programs that comply with legal and regulatory requirements
  • Development of dashboards and monitoring support to establish operational and executive dashboards

CMS Audit Readiness Assessments

Drawing on prior experience with CMS compliance and operational audits, as well as the annual CMS compliance audit plan, Sienna Group can provide recommendations and guidance for entities entering the Medicare market or for those who may be facing a CMS audit.


Sienna Group will evaluate existing operational processes using criteria drawn from prior business-level ownership experience and from CMS guidance and audit rationale. This includes review of existing process documentation (such as policies, procedures, standards, workflows, training materials, and member and provider materials) and deep-dive interviews with operational business owners and internal compliance leadership. Through this process we seek to gain a thorough understanding of the client’s existing landscape and to provide clear guidance on compliance with applicable regulatory requirements.


Interim Management

Sienna Group’s consulting professionals have experience in all aspects of HIPAA Privacy and Security compliance. Our experienced staff are available as consultants or as integrated team members.


Roles and functions we can assist with include:


  • Medicare Compliance Leadership
  • Operational leadership or SME roles in Claims, Customer Service, Enrollment, Medicare Appeals & Grievances, and Sales Oversight
  • Operational and Compliance Reporting
  • Policy and Procedure Management
  • Information Security
  • Project Management
  • CAP Development and Remediation Activities

HIPAA HITECH ARRA Assessments

Sienna Group’s consulting professionals have experience in all aspects of HIPAA Privacy and Security compliance.


  • Management – Provide guidance on the oversight and management of corporate HIPAA programs, including assistance in the coordination and management of HIPAA-related projects
  • Training – Provide and/or assist in the development of corporate HIPAA compliance education and training programs
  • Monitoring – Provide guidance on monitoring and auditing for on-going HIPAA compliance, including auditing for regulatory compliance and appropriate documentation of compliance activities
  • Reporting – Provide assistance with the development and implementation of effective lines of HIPAA compliance program communications and reporting
  • Enforcement – Assist in the development and implementation of oversight committees and procedures to enforce sanctions and disciplinary actions for violations of HIPAA regulations or corporate privacy and security policies
  • Business Associates – Provide auditing support for review of business associate agreements and operational functions
  • Investigations – Assist in the investigation of reported or detected non-compliance incidents and develop corrective action initiatives. Conduct investigations into allegations of non-compliance and provide guidance and feedback on investigation procedures, disciplinary rules, and communication to external customers, agencies and law enforcement.
  • ARRA / Privacy Breach response – Coordination with clients to review and evaluate data pulled by internal systems, and provision of the expertise necessary to perform forensics. Provision of training on data review and identification of potential incidents/issues. Provision of data breach response services when an incident has been identified, including investigation, interviews, coordination with relevant authorities, notifications, etc. Development and/or provision of tools for breach investigation, including procedures, interview templates, investigation tracking and documentation templates.

Information Assurance & Cybersecurity

Security means more than checklists.


An organization’s security environment is dynamic: new threats constantly emerge, and new solutions to meet them are continuously developed. Sienna helps government organizations monitor, prioritize, and effectively manage their risks to create an acceptable level of security within which they can conduct their operations. In many ways, cybersecurity is a corporate governance issue: it crosses traditional functional boundaries and requires a strategy and support from the highest levels of leadership. Sienna can help government organizations develop effective IA policies and develop plans for driving those policies down through all levels of the organization. We take an enterprise-level perspective, identifying and mitigating security weaknesses not only in the infrastructure and application layers, but also within business processes and employee practices.

Sienna Group’s IA and cybersecurity capabilities include the following:


  • Certification and accreditation
  • Security management program design
  • FISMA and NIST independent verification and validation
  • Data classification
  • Interim management
  • Crisis management
  • Forensics

Executive Risk Visibility

Sienna’s Executive Risk Visibility service provides our clients with risk mitigation through real-time metrics. This gives our customers the ability to identify and assess risk, quantify the issue, and then take appropriate action based on that knowledge. By consolidating security management onto a centralized platform, Sienna provides the expertise our clients need, with continuous monitoring and management of your security environment to control your risk.


The business impact of Sienna’s Executive Risk Visibility services:

  • Gain real-time visibility of your risk
  • Focus on the most relevant risks
  • Save time and enhance accuracy with automated management
  • Enjoy simplified, centralized risk reporting
  • Demonstrate measurable ROI for existing security products
  • Stay compliant with regulations
  • Avoid “patch panic”