According to the CFPB, a “robust and effective compliance management system” is a critical component of the structure of an organization. Best practices define a Compliance Management System (CMS) as a set of interrelated or interacting elements that organizations use to direct and control how compliance policies are implemented and compliance objectives are achieved.

Since the CMS is essentially the foundation of your organization, let’s start from the bottom and talk about how to build and maintain your CMS. What does a “robust and effective CMS” look like? How does the flow of this management system work?

The CFPB defines a CMS as having four interdependent control components: board and management oversight, compliance program, response to consumer complaints, and compliance audit.

Learn more about CFPB Compliance with our mock audits.

4 Phases of a Compliance Management System (CMS)

Phase 1: Plan

This is where you establish the system’s intent and goals.

  • What do we intend to accomplish here?
  • Compliance with consumer laws?
  • What does success look like?
  • When there’s a systematic process in place?
  • When does clear and effective communication happen?
  • When do all employees understand their roles and responsibilities in regards to compliance?
  • When continuous improvement is happening?
  • Take the time to define your resources. Who will audit? What technical resources are needed?

The Planning phase is where we assess our risks, ranked from greatest to least. Written policies and procedures should be developed here that are directly tied to the risks identified in your Risk Assessment. Board and Management involvement is critical during the planning phase, to help establish the “tone of compliance” and to be involved throughout the entirety of the process.

Phase 2: Do

The implementation and operation of a Compliance Management System take place during the “Do” phase. Most people think this phase is the CMS; however, it takes all of the phases working together to maintain an effective CMS. During this phase, Management should provide clear support throughout the process.

All employees should be trained on the policies and procedures that you have developed, and documentation of these policies and procedures should be easily accessible to all employees. The Complaint Resolution Program is also developed and implemented during this time and should be included in the policy and procedure documentation.

Phase 3: Check

Monitoring and reviewing what we are doing to maintain compliance within our organization should be a regular and integral part of ensuring that we are doing what we say we are doing. An Internal Audit is a great way to determine this by looking at what our policies and procedures say we are supposed to be doing versus what we are actually doing.

Are there any gaps? Are there any areas of our CMS that need to be improved upon? Are we meeting our pre-established compliance goals? After the internal audit has taken place, Management should review the audit, identify where any action is needed, and provide direction when necessary.

Phase 4: Act

The fourth and final phase of implementing and maintaining a “robust and effective CMS” is all about improving upon what we’re doing and taking any corrective and preventative action that is deemed necessary throughout the process. Be sure to document any areas of non-compliance. Don’t be discouraged by findings! A good CMS WILL find areas of non-compliance, but this is to be considered a good “quality test” and will only further strengthen your CMS. Next, develop an action plan. Write down any preventative and corrective actions that need to take place. Be sure to document in your follow-up that these actions have been completed.

Maintaining a “robust and effective CMS” is an ongoing process. It’s a constant cycle of reviewing and implementing to better strengthen the compliance at your organization.

Are you in need of some assistance in developing your CMS? Are you lacking policy and procedure development?

We can help! Contact us today for help with custom policy and procedure development as well as help assessing your CMS.

More Compliance Management Resources

Top Mistakes C-Level Execs Make When it Comes to Security Compliance

Everything You Need to Know about Leading Compliance Initiatives

Preparing for the CFPB

The CFPB recently released their 2015 Supervisory Highlights noting their observations and findings during their recent supervisory examinations. There are a lot of examples and learning opportunities for us to gain from these findings that we should focus on in order to strengthen our compliance at our own organizations.

The first item that really stood out is in regards to consumer reporting. The CFPB found several occasions where the dispute-handling obligations required in Section 611 of the Fair Credit Reporting Act (FCRA) were not met. The law clearly states that Credit Reporting Agencies (CRAs) must notify a furnisher any time a consumer disputes the accuracy of the information in regards to their debt. The struggle CRAs have with properly notifying furnishers of consumer disputes is the result of a lack of clear policies and procedures that lay out guidelines for handling these consumer disputes in a way that is not harmful to the consumer.

It was also noted that there are many violations regarding the Fair Debt Collection Practices Act (FDCPA). This law protects against false and misleading representation of a collector or a debt to a consumer. It was found that many collector calls, scripts, and letters sent to consumers contained false or misleading information. This brings focus to call monitoring and what you are doing at your organization to ensure that collectors are not violating FDCPA laws. Do you have a script that is truthful? Are you monitoring your collectors to ensure they are following the policies and procedures you have established for collecting debts? Properly training and monitoring collector communications with consumers can keep you from a serious offense if you are found in violation of FDCPA laws.

According to the Highlights, a “sound and robust Compliance Management System (CMS) is essential to ensuring compliance with Federal consumer financial law.” The supervisory examinations found that many organizations are operating with a weak CMS. A CMS is the basis on which you ensure you are in compliance with all CFPB laws and regulations, so without a strong and functional CMS you have no foundation on which to measure and monitor your compliance. The fault was found primarily in the training of both board members and employees on their specific compliance responsibilities. Not understanding their compliance obligations also led many organizations to commission third-party audits with a limited scope, which resulted in a failure to find several regulation violations. Appointing a Chief Compliance Officer to oversee and manage the CMS and overall compliance-related activities is the starting point for ensuring that you have a fully developed CMS that is being properly implemented. Once the CCO and staff have been designated, a full set of policies and procedures should be documented, tested, disseminated to appropriate personnel, and implemented.

Achieving compliance cannot be a solo act. It takes togetherness and awareness to truly educate and inspire everyone to do their due diligence to achieve information security and compliance with federal regulations and industry standards. If you have any tips or best practices that you’ve found helpful when achieving your own compliance, tweet them to us here: @KPAudit.


Regularly training your employees is a critical component of compliance and security in your organization. The risk of an employee not understanding the potential security threats facing them as a frontline target could be just the opening that an attacker needs to create a security breach.

You are only as strong as your weakest link, so implementing a regular security awareness training program is crucial to ensure that you’re doing your part to inspire and educate your employees to greater levels of security and awareness. The first step in a successful training program is having a culture of security at your organization, including buy-in from upper management. If the employees see management’s focus on creating a secure work environment, that attitude will spread.

Here are five things to think about when training your employees to practice security in the workforce:

Physical Security

Are you required to wear badges while on the property? Are there appropriate identification and sign-in procedures at the front desk to monitor individuals who are coming in and out of the facility? Are these processes being followed every time?

Password Security

Passwords should be at least 8 characters long and use a variety of upper and lowercase letters, numbers, and special characters. Default passwords should never be used, and passwords should never be shared.

Phishing

Train your staff to be wary of phishers and to know what to look for. Make sure they know not to open attachments in emails if they do not know the source. Encourage them not to send confidential information in response to an email claiming that “urgent action is required”. Test your employees, train your employees, and make sure you’ve created an environment where, if in doubt, someone will ask before engaging with an email that may look suspicious.

Social Engineering

Social engineering threats are threats based on human vulnerabilities. It’s a way attackers manipulate people into giving away confidential information, password/ID combinations, or to gain unauthorized access to a facility. Train your employees to operate with a healthy amount of skepticism, and to never give out sensitive information without fully identifying the other person.

Malware

Malware, much like phishing, can enter your environment through seemingly harmless actions such as employees opening emails from unknown sources, using an infected USB drive, or visiting websites that may be unsafe. Be sure employees are trained to be aware of these kinds of attacks, and practice identifying malware threats.

If you’re looking for a cost-effective security awareness training solution for your company, KirkpatrickPrice offers several libraries in our online training solution.

For more information about the courses we offer, contact us today!

More Security Resources

Stay Secure While working From Home

Security Awareness Training Tools You Need

Security Awareness: Dev, Staging, and Production Environments

3 Types of Social Engineering Attacks on the Financial Services Industry: Would Your Employees Fall for Them?

The terms “data breach” and “healthcare organization” aren’t strangers in headlines as of late, but recent studies and investigations done by cybersecurity professionals in the industry have found that cyber hackers are beginning to use medical device vulnerabilities as an intrusion point into the entire organization’s network. It’s quite common for medical devices to run outdated, and thus vulnerable, software whose vulnerabilities are difficult to mitigate, putting millions at risk.

Recent reports are noting that several medical devices are now being targeted by hackers as a way to infiltrate an otherwise secure network. These networks likely have an IDS, firewall, antivirus, etc. to safeguard information; however, the lack of security in these devices presents a huge threat to patient information. At an increasing rate, more and more Americans are using medical devices and/or equipment that supports a direct connection to the hospital’s network. According to research reported by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, roughly 300 medical devices from approximately 40 vendors are vulnerable due to passwords that are unchangeable.

The types of medical devices that are possible targets for a cyberattack include, but are not limited to, devices such as blood gas analyzers, X-ray machines, pacemakers, insulin pumps, and heart monitors. These wireless and Bluetooth-enabled devices can allow hackers to create a backdoor into the network’s security infrastructure, gain access to patient records (healthcare information, social security numbers, date of birth), and plant malware on employees’ computers through malicious websites.

As manufacturers struggle to find a quick solution to properly securing every medical device from potential threats going forward, several entities are urging manufacturers, healthcare organizations, and users to follow best practice security guidelines to protect against a possible cyberattack. As the FDA continues to implement software security guidelines for manufacturers, healthcare organizations can begin protecting themselves from potential threats by following these best practices:

1. Use Strong Passwords

Do not use default passwords set by vendors. These become easy targets for hackers. Use strong passwords and utilize a strict password management program to ensure that network security is maximized.
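The two password rules this page sets out, the training guidance above (at least 8 characters, with upper and lowercase letters, numbers and special characters) and the instruction here never to leave a vendor default in place, can be enforced with a small check at the point where a password is set. The following is an added example, not code from the page or from KirkpatrickPrice; the deny list of vendor defaults is a constructed placeholder, and the 8-character minimum is taken from the page but left as a parameter so an organization can raise it.

```python
import re

# Minimum length from the training guidance on this page; raise it in your own policy.
MIN_LENGTH = 8

# Constructed placeholder deny list of vendor default credentials. A real deployment
# would load the documented defaults for each device model in the inventory.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "changeme", "default"}


def check_password(password, min_length=MIN_LENGTH, deny_list=DEFAULT_PASSWORDS):
    """Return a list of policy violations; an empty list means the password passes.

    Each rule is checked independently so the caller can report every problem
    at once instead of making the user fix them one at a time.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Compare case-insensitively: "Admin" is still the vendor default.
    if password.lower() in deny_list:
        problems.append("matches a vendor default password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs illustrating each outcome.
    for candidate in ["admin", "Password1", "Tr0ub4dor&3"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The deny-list comparison is deliberately done in lowercase, because the operational failure this page describes is a device left on its shipped credential, and a capitalized variant of that credential offers no real protection.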

2. Policies and Procedures

Be sure you have a fully documented and enforced set of policies and procedures, specifically, dictating your network security program. Who has access to what? How do we detect intrusions in our network? What are our firewall and antivirus policies? Updating these to reflect the secure culture of your organization can help defend against an attack.

3. Annual External and Internal Penetration Testing

Network and application security is critical to your organization. Engage in regular testing to help identify and mitigate any weaknesses and vulnerabilities in your organization’s security before someone else does.

The healthcare sector continues to be a major target of hackers. According to a recent study by the Ponemon Institute, breaches cost the healthcare industry around $6 billion a year. Defending ourselves from the threat of cyberattacks must continue to be a group effort as we educate and empower each other to greater levels of security.

For more information on ways to improve network security at your organization or for tips on how to safeguard your PHI, contact us today!

Did you know you could avoid a costly data breach by having regular Penetration Testing and Vulnerability Scans? So why don’t we? Every week we hear about an unforgiving hacker who has taken advantage of a security gap to maliciously gain access to tons of irretrievable data, costing the organization tons of money and ultimately damaging its reputation. Not to mention those affected by the stolen data – credit card numbers, social security numbers, patient healthcare information, the list goes on.

Take a real-world approach with your security measures by engaging in a Penetration Test to expose any vulnerabilities in your network’s infrastructure before someone else does. This form of permission-based ethical hacking will ultimately increase the security at your organization.

Still not convinced? Here are three reasons why you should have a regular Penetration Test performed at your organization:

  1. Avoid the inconvenience of network downtime – Recovering from the aftermath of a data breach can be quite costly. The financial burden associated with paying legal fees, any IT remediation, customer protection programs, loss in sales, and disheartened customers can cost organizations millions of dollars. Being proactive with regular Penetration Testing can help to prevent the financial loss while protecting your reputation and brand.
  2. Comply with regulatory requirements and avoid fines – Regulatory fines can be steep. Penetration Tests can be helpful in addressing the requirements for regulations such as HIPAA and GLBA, but are required to comply with regulations such as PCI DSS 3.0 and FISMA. The costs associated with these kinds of fines vastly outweigh the costs of undergoing regular Penetration Tests. Be proactive.
  3. Learn about holes in your security policies – Undergoing a Penetration Test is like practicing for a real-life hacker attack. It is a proactive approach to evaluate the security of an IT infrastructure. The process will uncover and exploit vulnerabilities within your organization that you can properly mitigate before an actual attack happens. Penetration Testing identifies and prioritizes risks.

If you aren’t already undergoing a regular Penetration Test, why not? Start today. For more information on the benefits of Penetration Tests or information about the types of testing we perform, contact us today.