Governance, Risk and Compliance

Home / Solutions / Governance, Risk and Compliance


Sienna Group LLC provides a customized approach to compliance program review based on prior industry experience managing and leading commercial and Medicare compliance programs. We can provide feedback and suggested revisions as needed to address industry compliance requirements and to incorporate best practices in addressing the essential elements of a compliance program. This may include:

  • Assessment of existing compliance documentation against legal and regulatory requirements and compliance program best practices to identify areas of opportunity. Documents reviewed include the Compliance Plan, Standards of Conduct, Policies, Compliance Committee Charters, and Training materials. Review the documents provided to evaluate whether they demonstrate compliance with the seven required components of a compliance plan as well as the fraud, waste, and abuse requirements.
  • Assessment of the impact and priority of each area of opportunity identified and provision of remediation recommendations
  • Assist in developing training and monitoring programs for agents and third parties who support sales operations and provide guidance to clients to develop sales programs that comply with legal and regulatory requirements
  • Development of Dashboards and Monitoring Support to establish operational and executive dashboards

Controlled Unclassified Information (CUI): The Federal Push to Protect Information

Why is it important for me to protect CUI? The Final Rule defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The underlying tenet is to assure confidentiality to government information by federal contractors including accountability for their supply chain. The level of accountability is multi-layered and extends through the decision criteria and evaluation of independent contractors and the associated small business programs of larger contractors. The requirements are based on a robust security program, data classification, both legacy and data created after the implementation deadline, and annual risk assessments of the information systems and organizations. The proposed regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors. If the requirements cannot be met, the federal government cannot and will not enter into binding agreements with nonfederal partners and contractors resulting in the loss of contracts and funds that could potentially lead to their loss of livelihood.

Benefits of a CUI Program:

  • Adherence to DFARs through NIST SP 800-171 Compliance
  • Knowledge of your CUI Data volume and who has access
  • Ability to trend the risk and behavior of CUI data in your organization


Trade secret data is likely the most important information your organization needs to protect. There are two fundamental challenges that firms have today in protecting business-critical information. The first is that they do not believe items such as marketing plans or pricing models are by definition, trade secrets. The second is that the only legal recourse a firm has, is to litigate using the statutes provided by the Defend Trade Secrets Act. Are you confident you can prove you’re doing enough to protect your trade secrets? Security and Governance play a key role in putting an organization in a defensible position, should a trade secret be stolen or misappropriated. Download Sienna’s latest datasheet to better understand what your team needs to do, in order to protect your most critical information and competitive advantage – your trade secrets

Benefits of Trade Secret Protection Services:

  • Comprehensive understanding of the value of trade secret assets
  • Awareness & alignment of HR, IT, and Legal departments to Defend Trade Secrets Act 2016
  • Complete visibility of trade secret inventory
  • Protection against misappropriation of trade secret assets
  • Evidence & analytics to support successful litigation

Examples of Trade Secrets:

  • Cost & Pricing Data
  • Vendor & Supplier Information
  • Quality Control Manuals
  • Test Plans & Records
  • Proprietary Information for Production/Processes
  • Analytical Data Blueprints Recipes
  • Competitive Analyses
  • Customer Service Procedures


  • Sales Techniques
  • Cash Flow Analysis
  • Operating Reports
  • Training Plans & Programs
  • Internal Management Policies
  • Marketing & Sales Plans Forecasts
  • Strategic Business Plans
  • Inventions Engineering Plans

Download our data sheet:


The approved EU General Data Protection Regulation (GDPR) is a significant update to the previous regulation put in place in 2012. It was designed to add uniformity throughout the member countries and to afford enhanced protection of personal data for residents and workers in the EU. This update was necessary given the vast amounts of data proliferation, lack of clarity surrounding cloud services and the inability to effectively govern past interpretations of the legacy Directive. The deadline for compliance is May 2018. Unfortunately, most organizations do not have a solid grasp on the amount of personal data that is created, shared, processed and stored, all of which will be exacerbated as the May 2018 deadline for GDPR compliance looms. While GDPR is an overarching program, there are three key areas Sienna Group can help firms leverage to ensure their risk of non-compliance remains low, along with ensuring advocacy in protecting the personal data of EU citizens and workforce.

  • 1. Role Review. A review of the roles that have been defined in the GDPR is valuable, as it serves as a mapping of the data flows and subsequent protection measures.
  • 2. Privacy Impact Assessments. Sienna Group provides a foundational approach to resolve this by properly classifying personal data at rest for existing data and upon creation of new data by using a persistent approach that maintains state across infrastructures.
  • 3. Data Security. By providing our clients with a fundamental knowledge of the scope of personal data within their organization, appropriate measures can be implemented and retention periods for anticipated usefulness implemented. It is also important to understand the trends and behaviors that occur over time in the relationship between the data subject, controller and processor, in order to prevent breaches, or have rapid acknowledgment when one occurs. Our analytics and proprietary dashboard provide insights into these trends and behaviors.


GDPR is a broad and overarching regulation that will require a change in perspective for firms collecting personal data in support of their business. The concepts surrounding the data protection impact assessments could prove difficult for many firms, if they do not possess the ability to identify personal data in either structured or unstructured data stores. While these three concepts alone do not cover the entirety of a GDPR Program, they represent foundational approaches to understanding, visualizing, and protecting personal data through the use of classification. Click here to download our whitepaper and see how Sienna Group can help you protect your personal data.

Download our white paper:

Interim Management

Sienna Group’s consulting professionals have experience in all aspects of HIPAA Privacy and Security compliance. Our experienced staff are available as consultants or as integrated team members.

Roles and functions that we could assist with are:

  • Operational and Compliance Reporting
  • Policy and Procedure Management
  • Information Security
  • Project Management
  • CAP Development and Remediation Activities


Sienna Group provides support to client organizations to ensure that sound governance structure and processes are in place. Key to this is the ability to identify and eliminate organizational and functional barriers and to ensure that critical information is preserved, communicated, and available when needed.

Corporate Integrity Agreement Validation

Sienna Group can provide key support to client organizations with Government-Imposed Compliance Programs by:

  • Developing and/or validating compliance programs necessary to satisfy the mandates of judgments, consent decrees, or deferred prosecution agreements
  • Supporting the development of project plans and activities necessary to fulfill the requirements of a Corporate Integrity Agreement (CIA)
  • Providing support in critical communications and assistance in the development of ongoing auditing and monitoring of adherence to state and federal regulations
  • Assisting with the Self-Disclosure process

Enterprise Risk And Compliance Platform Development

Sienna Group has extensive expertise to offer in the areas of Compliance Program Development, Review and Implementation. Sienna can:

  • Provide support and expertise in implementing tailored programs that promote compliance as part of the corporate culture and show regulators a commitment to compliance
  • Assist in the development of Compliance Program Effectiveness Evaluation Tools, the implementation of effective monitoring programs, risk identification and establishment of performance metrics, including operational and monitoring activities related to delegation and business process outsourcing
  • Develop and/or review Compliance Education and Training Programs, including Employee communication materials (code of ethics, policies, procedures, compliance incentives)
  • Coordinate or provide Interim Compliance Management
  • Evaluate compliance systems and vendor selection (hotlines, computer-based training programs, policy and procedure management, reporting tools)


Sienna Group can assist organizations in their compliance risk identification, prioritization and remediation activities through:

  • Assistance in the identification and prioritization of risks, with establishment of plans to address them
  • Creation of tools used to address risk remediation (education, monitoring, controls)
  • Evaluation of compliance, operations, and other key areas as part of due diligence activities conducted prior to an acquisition or partnership to help identify potential risks
  • Assistance in auditing for business process outsourcing

Data Protection

Data Protection is a key process in addressing organizational risk and ensuring appropriate internal controls. In the information lifecycle data is understood and classified, it can be managed and protected using privacy and security controls according to legal and regulatory requirements, sensitivity or organizational importance. Sienna Group can assist organizations in their data protection strategy, supporting data loss prevention, data classification and overall records information management, legal discovery needs, and compliance with privacy and security regulations.

Sienna Group has experience in:

  • Assisting clients with data classification assessments, to include the identification of what types of data they have, who has access to that data, and how it should be protected, stored, transmitted and destroyed to meet legal and regulatory requirements
  • Development of data classification categories and controls
  • Data Loss Prevention system configuration to improve automation
  • Documentation of policies, standards and procedures required to enable data classification
  • Development of training programs to ensure organization wide adherence to data classification standards
  • Coordination of data classification categories with information security and privacy controls, as well as organizational record retention programs

Safe Harbor

Sienna Group can assist business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health data by:

  • Architecting encryption strategies for data protection
  • Assisting in the development of policies and procedures that meet the requirements of the safe harbor provision
  • Offer knowledge and expertise on de-identification of protected health information. Provide assistance in performing safe harbor provision analysis and audits.

Enterprise Security

Sienna Group’s consulting professionals have experience in all aspects of Enterprise Security.

  • Data Loss Prevention - Evaluation of current control. Tighter integration of current DLP systems. Expansion of the program into other existing systems while increasing audit ability and monitoring.
  • Access control - Evaluation of access controls. Tighter integration of current access controls with existing systems while evaluating authorization, authentication, access approval and audit.
  • Cryptography - Architect, develop and deploy encryption technology into existing systems while integrating the systems with minimal impact to users
  • Security architecture and design - Enterprise information security architecture (EISA) is the practice of applying a comprehensive method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units. This allows the information security team to align with the organization's core goals and strategic direction.
  • Telecommunications and network security - Evaluating the security of voice and data communications through local area, wide area, and remote access networking. Focusing on networking models such as Open Systems Interconnect (OSI) and TCP/IP models. Developing security mechanisms for Internet, Intranet, and Extranet focusing on innovative replacements of traditional firewalls, routers, and intrusion detection and protection systems.
  • Software development security - Integrating security into the software development lifecycle following guidance from the Open Web Application Security Project (OWASP) and Web Application Security Consortium (WASC). Protecting against the latest threats which impair web-based applications.
  • Business continuity and disaster recovery planning - identifying an organization's exposure to internal and external threats. Providing effective prevention and recovery of data for organization's and developing policies and plans to maintaining competitive advantage while focusing on system integrity.
  • Physical (environmental) security - Evaluating current physical control and providing guidance on how to design controls to monitor and provide security to information systems
  • Legal, regulations, investigations and compliance – Assist in the investigation of reported or detected security incidents and develop corrective action initiatives. Conduct investigations into security risks and provide guidance and feedback on investigation procedures, disciplinary rules, and communication to external customers, agencies and law enforcement.

Information Assurance & Cybersecurity

Security means more than check lists.

An organization’s security environment is dynamic: new threats constantly emerge and new solutions to meet them continuously developed. Sienna helps government organizations monitor, prioritize, and effectively manage their risks to create an acceptable level of security within which it can conduct its operations. In many ways, cybersecurity is a corporate governance issue—it crosses traditional functional boundaries and requires a strategy and support from the highest levels of leadership. Sienna can help government organizations develop effective IA policies and develop plans for driving the policies down through all levels of the organization. We take an enterprise-level perspective, identifying and mitigating security weaknesses, not only in the infrastructure and application layers, but also within business processes and employee practices.

Sienna Group’s IA and cybersecurity capabilities include the following:

  • Certification and accreditation
  • Security management program design
  • FISMA and NIST independent verification and validation
  • Data classification
  • Interim management
  • Crisis management
  • Forensics

Executive Risk Visibility

Sienna’s Executive Risk Visibility service provides our clients with risk mitigation through real-time metrics. This gives our customers the ability to identify and assess risk, quantify the issue, and then take appropriate action based on that knowledge. By consolidating security management to a centralized platform, Sienna provides the expertise our clients need with continuous monitoring and management of your security environment to control your risk.

Sienna’s Data Executive Risk Visibility Services Businesses Impact:

  • Gain real-time visibility of your risk
  • Focus on the most relevant risks.
  • Save time and enhance accuracy with automated management
  • Enjoy simplified, centralized risk reporting
  • Demonstrate measurable ROI for existing security products
  • Stay compliant with regulations.
  • Avoid “patch panic”