Governance, Risk, and Compliance

“Customized approach based on industry experience”


Sienna Group provides a customized approach to compliance program review and creation based on prior industry experience managing and leading federal and non-federal compliance programs. We’ll provide feedback and suggest revisions as needed to address industry compliance requirements and to incorporate best practices in addressing the essential elements of a compliance program. This may include:

  • Assessment of existing compliance documentation against legal and regulatory requirements and compliance program best practices to identify areas of opportunity. Documents reviewed include the Compliance Plan, Standards of Conduct, Policies, Compliance Committee Charters, and Training materials. Review the documents provided to evaluate whether they demonstrate compliance with the seven required components of a compliance plan as well as the fraud, waste, and abuse requirements.
  • Assessment of the impact and priority of each area of opportunity identified and provision of remediation recommendations
  • Assist in developing training and monitoring programs for agents and third parties who support sales operations and provide guidance to clients to develop sales programs that comply with legal and regulatory requirements
  • Development of Dashboards and Monitoring Support to establish operational and executive dashboards

Controlled Unclassified Information (CUI): Federal Push To Protect Information

Why is it important for me to protect CUI? The Final Rule defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The underlying tenet is to assure the confidentiality of government information handled by federal contractors, including accountability for their supply chain.

The requirements are based on a robust security program, data classification (covering both legacy data and data created after the implementation deadline), and annual risk assessments of the information systems and organizations.

Complying As A Contractor

Contractor compliance is driven by the Federal Acquisition Regulations (FAR) 52.204-21 and the Defense Department Federal Acquisition Regulations (DFARS) 252.204.2071 clauses.

  • CUI can either be disseminated to or created by contractors
  • The vehicle for ensuring contractor compliance is through acquisition regulations such as FAR, DFARS
  • DFARS stipulates that Federal Contractors be in compliance with NIST SP 800-171 by December 31, 2017
  • Notice of NIST SP 800-171 compliance by contractors to agency/department COTRs will be required and will influence their current and future ability to succeed in future procurements

Sienna Group is providing our government contractor clients a full range of services to meet the requirements associated with NIST 800-171, to give them a competitive advantage. All of these services are available separately. However, if your business is primarily government contracting, these areas taken together as a Security Program support adherence to DFARS and CUI requirements.

  • Independent Verification and Validation (IV&V)
  • Governance and Oversight structure for CUI
  • Policy and Procedure Development
  • Controls Development and Implementation
  • Data Classification and Protection (Satisfies NIST 800-171 requirement for labeling and marking)
  • Managed Data Security Services
  • Managed Traditional Security Services
  • Review of existing contracts regarding commitments of safeguards, dissemination, and decontrol of current and legacy information
  • Gap analysis against NIST 800-171 controls
  • Vulnerability and Penetration Assessments
  • Update of current Security Awareness and Training Program for CUI
  • Incident Response and Breach Notification procedures
  • Subcontractor compliance management

Benefits of a CUI Program

  • Adherence to DFARS through NIST SP 800-171 Compliance
  • Knowledge of your CUI Data volume and who has access
  • Ability to trend the risk and behavior of CUI data in your organization

New York Department for Financial Services Cybersecurity Regulations

The New York Department for Financial Services’ (NYDFS) Cybersecurity Regulations recently came into force and represent a new code of conduct, impacting all firms operating in the financial services industry within the State of New York. The regulation, 23 NYCRR 500, is designed to protect the data of customers in the financial services sector.

Sienna Group provides a customized approach to compliance program review based on prior industry experience managing and leading commercial and federal compliance programs. We can provide feedback and suggested revisions as needed to address industry compliance requirements and to incorporate best practices in addressing the essential elements of a compliance program. This may include:

1. Assessment of existing compliance documentation against NY DFS regulatory requirements and compliance program best practices to identify areas of opportunity. Documents reviewed include the Compliance Plan, Standards of Conduct, Policies, Compliance Committee Charters, and Training materials. Review the documents provided to evaluate whether they demonstrate compliance with the cybersecurity requirements of the NY DFS.

2. Assessment of the impact and priority of each area of opportunity identified and provision of remediation recommendations

3. Assist in developing training and monitoring programs for agents and third parties who support operations and provide guidance to clients to develop programs that comply with legal and regulatory requirements

Regardless of size or location, it is critical that all companies that operate in the financial services industry within the State of New York have a cybersecurity program. Section 500.03 mandates that each organization shall implement and maintain a written policy or policies, approved by a Senior Officer or Board of Directors, setting the organization’s policies and procedures for the protection of its information systems and non-public information stored on those information systems. The cybersecurity policy should address the following areas:

  • Information Security
  • Asset Inventory and Device Management
  • Business continuity and disaster recovery planning and resources
  • Systems and Network Security
  • Systems and Application Development and Quality Assurance
  • Customer Data Privacy
  • Risk Assessment
  • Data Governance and Classification
  • Access Controls and Identity Management
  • Systems Operations and Availability Concerns
  • Systems and Network Monitoring
  • Physical Security and Environmental Controls
  • Vendor and Third-Party Service Provider Management
  • Incident Response

Additionally, Section 500.04 mandates that each organization employ a Chief Information Security Officer (CISO), who will be responsible for overseeing and implementing the organization’s cybersecurity program and enforcing its cybersecurity policy.

Key Dates and Timelines

Covered Entities shall have 180 days from the effective date (March 01, 2017) to comply with the requirements set forth except as otherwise specified (below).

1 year from effective date (Mar. 01, 2017):

  • Annual Report
  • Penetration Testing & Vulnerability Assessments
  • Risk Assessment
  • Multi-factor Authentication
  • Cybersecurity Awareness Training

18 months from effective date (Mar. 01, 2017):

  • Audit Trail
  • Application Security
  • Limitations on Data Retention
  • Activity of Authorized User
  • Encryption of Nonpublic Information

2 years from effective date (Mar. 01, 2017):

  • Third Party Service Provider Security Policy

EU General Data Protection Regulation (GDPR)

The approved EU General Data Protection Regulation (GDPR) is a significant update to the previous regulation put in place in 2012. It was designed to add uniformity throughout the member countries and to afford enhanced protection of personal data for residents and workers in the EU. This update was necessary given the vast amounts of data proliferation, lack of clarity surrounding cloud services and the inability to effectively govern past interpretations of the legacy Directive. The deadline for compliance is May 2018. Unfortunately, most organizations do not have a solid grasp on the amount of personal data that is created, shared, processed and stored, all of which will be exacerbated as the May 2018 deadline for GDPR compliance looms. While GDPR is an overarching program, there are three key areas Sienna Group can help firms leverage to ensure their risk of non-compliance remains low, along with ensuring advocacy in protecting the personal data of EU citizens and workforce.

1. Role Review. A review of the roles that have been defined in the GDPR is valuable, as it serves as a mapping of the data flows and subsequent protection measures.

2. Privacy Impact Assessments. Sienna Group provides a foundational approach to resolve this by properly classifying personal data at rest for existing data and upon creation of new data by using a persistent approach that maintains state across infrastructures.

3. Data Security. By providing our clients with a fundamental knowledge of the scope of personal data within their organization, appropriate measures can be implemented and retention periods set according to anticipated usefulness. It is also important to understand the trends and behaviors that occur over time in the relationship between the data subject, controller and processor, in order to prevent breaches, or have rapid acknowledgment when one occurs. Our analytics and proprietary dashboard provide insights into these trends and behaviors.

Conclusion: GDPR is a broad and overarching regulation that will require a change in perspective for firms collecting personal data in support of their business. The concepts surrounding the data protection impact assessments could prove difficult for many firms, if they do not possess the ability to identify personal data in either structured or unstructured data stores. While these three concepts alone do not cover the entirety of a GDPR Program, they represent foundational approaches to understanding, visualizing, and protecting personal data through the use of classification.

CISO-as-a-Service – Interim Management

Small and mid-sized firms have an uphill battle regarding the ability to properly secure their vital business assets. In most cases, cost constraints lead them to hire a less-than-qualified individual instead of pursuing a more effective solution. At Sienna Group, we can provide you with an enterprise-class security team at a fraction of the cost that enterprise firms would spend but without sacrificing talent and expertise.

Essentially you get a fractional CISO and team who can address all of your needs far better than hiring staff that may not have the depth and breadth required for your firm.

Our assessment capabilities will provide you with the path needed to move forward and our CISO-as-a-Service will give you the expertise and comfort that you have an experienced security team as your partner.

Roles and Functions we can assist with are:

    • Operational and Compliance Reporting
    • Policy and Procedure Management
    • Information Security
    • Project Management
    • CAP Development and Remediation Activities


Sienna Group provides support to client organizations to ensure that sound governance structures and processes are in place. Key to this is the ability to identify and eliminate organizational and functional barriers and to ensure that critical information is preserved, communicated, and available when needed.

Enterprise Risk and Compliance Platform Development

Sienna Group has extensive expertise to offer in the areas of Compliance Program Development, Review and Implementation. Sienna can:

      • Provide support and expertise in implementing tailored programs that promote compliance as part of the corporate culture and show regulators a commitment to compliance
      • Assist in the development of Compliance Program Effectiveness Evaluation Tools, the implementation of effective monitoring programs, risk identification and establishment of performance metrics, including operational and monitoring activities related to delegation and business process outsourcing
      • Develop and/or review Compliance Education and Training Programs, including Employee communication materials (code of ethics, policies, procedures, compliance incentives)
      • Coordinate or provide Interim Compliance Management
      • Evaluate compliance systems and vendor selection (hotlines, computer-based training programs, policy and procedure management, reporting tools)


Sienna Group can assist organizations in their compliance risk identification, prioritization and remediation activities through:

      • Assistance in the identification and prioritization of risks, with establishment of plans to address them
      • Creation of tools used to address risk remediation (education, monitoring, controls)
      • Evaluation of compliance, operations, and other key areas as part of due diligence activities conducted prior to an acquisition or partnership to help identify potential risks
      • Assistance in auditing for business process outsourcing

Data Protection

Data Protection is a key process in addressing organizational risk and ensuring appropriate internal controls. Once data in the information lifecycle is understood and classified, it can be managed and protected using privacy and security controls according to legal and regulatory requirements, sensitivity or organizational importance. Sienna Group can assist organizations in their data protection strategy, supporting data loss prevention, data classification and overall records information management, legal discovery needs, and compliance with privacy and security regulations.

Sienna Group has experience in:

    • Assisting clients with data classification assessments, to include the identification of what types of data they have, who has access to that data, and how it should be protected, stored, transmitted and destroyed to meet legal and regulatory requirements
    • Development of data classification categories and controls
    • Data Loss Prevention system configuration to improve automation
    • Documentation of policies, standards and procedures required to enable data classification
    • Development of training programs to ensure organization-wide adherence to data classification standards

Enterprise Security

Sienna Group’s consulting professionals have experience in all aspects of Enterprise Security.

      • Data Loss Prevention – Evaluation of current controls. Tighter integration of current DLP systems. Expansion of the program into other existing systems while increasing auditability and monitoring.
      • Access control – Evaluation of access controls. Tighter integration of current access controls with existing systems while evaluating authorization, authentication, access approval and audit.
      • Cryptography – Architect, develop and deploy encryption technology into existing systems while integrating the systems with minimal impact to users
      • Security architecture and design – Enterprise information security architecture (EISA) is the practice of applying a comprehensive method for describing a current and/or future structure and behavior for an organization’s security processes, information security systems, personnel and organizational sub-units. This allows the information security team to align with the organization’s core goals and strategic direction.
      • Telecommunications and network security – Evaluating the security of voice and data communications through local area, wide area, and remote access networking. Focusing on networking models such as Open Systems Interconnect (OSI) and TCP/IP models. Developing security mechanisms for Internet, Intranet, and Extranet focusing on innovative replacements of traditional firewalls, routers, and intrusion detection and protection systems.
      • Software development security – Integrating security into the software development lifecycle following guidance from the Open Web Application Security Project (OWASP) and Web Application Security Consortium (WASC). Protecting against the latest threats which impair web-based applications.
      • Business continuity and disaster recovery planning – Identifying an organization’s exposure to internal and external threats. Providing effective prevention and recovery of data for organizations and developing policies and plans to maintain competitive advantage while focusing on system integrity.
      • Physical (environmental) security – Evaluating current physical controls and providing guidance on how to design controls to monitor and provide security to information systems
      • Legal, regulations, investigations and compliance – Assist in the investigation of reported or detected security incidents and develop corrective action initiatives. Conduct investigations into security risks and provide guidance and feedback on investigation procedures, disciplinary rules, and communication to external customers, agencies and law enforcement.

Information Assurance & Cybersecurity

Security means more than checklists.

An organization’s security environment is dynamic: new threats constantly emerge and new solutions to meet them are continuously developed. Sienna helps government organizations monitor, prioritize, and effectively manage their risks to create an acceptable level of security within which they can conduct their operations. In many ways, cybersecurity is a corporate governance issue—it crosses traditional functional boundaries and requires a strategy and support from the highest levels of leadership. Sienna can help government organizations develop effective IA policies and develop plans for driving the policies down through all levels of the organization. We take an enterprise-level perspective, identifying and mitigating security weaknesses, not only in the infrastructure and application layers, but also within business processes and employee practices.

Our IA and Cybersecurity capabilities include:

  • Certification and accreditation
  • Security management program design
  • FISMA and NIST independent verification and validation
  • Data classification
  • Interim Management
  • Crisis management
  • Forensics

Executive Risk Visibility

Sienna’s Executive Risk Visibility service provides our clients with risk mitigation through real-time metrics. This gives our customers the ability to identify and assess risk, quantify the issue, and then take appropriate action based on that knowledge. By consolidating security management to a centralized platform, Sienna provides the expertise our clients need with continuous monitoring and management of your security environment to control your risk.

Sienna’s Data Executive Risk Visibility Services Business Impact:

  • Gain real-time visibility of your risk
  • Focus on the most relevant risks
  • Save time and enhance accuracy with automated management
  • Demonstrate measurable ROI for existing security products
  • Stay compliant with regulations
  • Avoid “patch panic”