I have always had a fondness for risk management; in my career, there have been many times where I have argued against something because it was too risky, at least in my eyes. Governance and compliance always seemed to be burdens to me, and to be completely honest, I was fairly prejudice against them. With compliance, I could see the benefit from a societal level, but at a certain point I viewed it as checking off proverbial boxes.
For all that you do and are trying to accomplish with the use of your platform, there has to be some form of accountability within the confines of using it within your company. That means validating the controls, testing procedures and risks, etc. Without accountability, without the audit element of someone coming in and saying, “Here is what is supposed to be done,” you will find yourself missing a key letter in GRC.
At Onspring, figuring out the complexities of GDPR has been a complicated task, but helping customers through the wilderness of the law has been a challenge we relish. I talked with of few of our associates who dealt with intricacies of the law itself and found out just how much Onspring was able to help with the overall effects many organizations faced when first dealing with it.
Enacted on June 28, 2019, and effective January 1, 2020, the CCPA grants California consumers additional rights with respect to their personal information and requires certain entities that conduct business in California to take steps to track, grant access to, manage, and report on this data.
Whether it be ISO27001 or NIST, ensuring that you are employing the proper policies and frameworks is essential. Not doing a regular assessment could cause major, unsustainable damage to your business. Having the right platform to help you organize all of the policies, risks and other pertinent information (trust me, there’s a lot) is essential.
One of the main aspects of the HIPAA law is that it forces healthcare practices and professionals to keep and secure PHI (protected health information) from data breaches and other possible complications and problems. This makes HIPAA and other regulations associated with it something that’s extremely important to the risk and compliance field, especially when dealing with highly sensitive health data.
To help set up a strong, foundational platform that will produce desired results, A Roadmap to Control examines the different pieces of control that are necessary when mapping out a program and will help you set a course to a comprehensive compliance program to move from an overarching concept to a manageable system of controls.
The North American Electric Reliability Corporation (NERC) is certainly not new, but the approach NERC is taking in regards to its requirements has transformed over the past four years. This change was born out of the recognition that all Registered Entities have limited resources for compliance activities, and that not all issues and findings identified represent the same level of risk to the bulk power system.
Is there ever a slow week in compliance-related news? Not that we can remember. It’s tough to keep up with the latest developments in legal and regulatory requirements, evolving industry standards and internal best practices for compliance professionals. Onspring is here to help. We’ve gathered articles, opinions and insights that will bring you up to speed.
While the concept of reporting seems to be pretty straightforward, the term “report” can have a variety of meanings, so I’m always careful to validate my understanding so I don’t veer off in some unwanted direction. After all, reporting capabilities often represents the organization’s A-1 deal breaker requirement.
Common supports remain in place, even as regulations and best practices evolve. Remember this as you stand at the metaphorical “ice cream counter of compliance.” The sheer variety and complexity of requirements can be overwhelming, but the core people, processes and technologies you engage to understand and address those requirements remains largely the same.
More than likely, you have a process for managing vendor relationships. You may even have a sophisticated process with a centralized vendor repository, risk assessments, due diligence, contract review, careful onboarding and ongoing monitoring. But how many of your employees know the process? And more importantly, how many of them understand how they fit in?