North American Customer Service Management Association

Support for Contact Center Professionals

Step 1 Compliance Review


A compliance audit is a comprehensive review of the organization’s adherence to regulatory guidelines. Independent auditors: IT, PCI, FedRAMP, HIPAA auditors for example evaluates the strength and thoroughness of your compliance program. Policy and procedures are reviewed including user access and risk management procedures. You want to discover the holes in your armor before a hacker does.

The FedRAMP certification is a complicated process and you will need the help of a 3PAO, a Third-Party Assessment Organization. A 3PAO is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. Selecting your 3PAO is a big decision; you rely on this partner for guidance through the certification process.
A few things to look for in 3PAO:
- Experience is more important than how big the firm is. Ensure the partner understands both the commercial and federal environments. This perspective will allow them to make recommendations that balance compliance processes that are scalable and cost-effective.

- Next, look for providers who have substantial experience with National Institute of Standards and Technology (NIST). NIST is the foundation for FedRAMP. A 3PAO with solid NIST background will have a better framework that includes a deep understanding of the process and compulsory security controls ensuring your certification audit runs smoothly.

- Your partner needs to have an intimate understanding of the FedRamp process, cyber security and a deep understanding of the cloud.

Choosing a 3PAO partner must be someone you can trust that can provide thought leadership and insight into the security process.
The HIPAA compliance checklist Security Rule is divided into three different safeguard categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each of the safeguard categories is itself divided into standards for Covered Entities to follow to ensure HIPAA compliance.

Administrative Safeguards are the policies and procedures that bring the Privacy Rule and the Security Rule together:
- Conducting risk assessments
- Introducing a risk management policy
- Training employees to be secure
- Developing a contingency plan
- Testing of Contingency plan
- Restricting third-party access
- Reporting security incidents

Physical Safeguards focus on physical access to electronic protected health information (ePHI) regardless of where it is stored.
- Facility access controls must be implemented
- Policies relating to workstation use
- Policies and procedures for mobile devices
- Inventory of hardware

Technical Safeguards concern the technology that is used to protect electronic protected health information (ePHI) and provide access to the data. It must be encrypted to NIST standards when it travels beyond the organizations internal firewall.
- Implement a means of access control
- Introduce a mechanism to authenticate ePHI
- Implement tools for encryption and decryption
- Introduce activity audit controls
- Facilitate automate logoff

The Payment Card Industry Data Security Standard (PCI DSS) is a set of data protection mandates by the major payment card companies and imposed on businesses that store, process or transmit payment card data. Businesses that fail to comply are subject to stiff fines.

Here is a high-level checklist to use in your PCI compliance review.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data. - Regularly test security systems and processes.
- Maintain a policy that addresses information security.

Most organizations don’t like to invest in their compliance program and don’t see the value until its too late and they owe a small fortune in fines. Outsource the auditing process to the right type of company and ultimately the right person. Recently a provider was informed he owed $100,000 in claims. When the review was completed it was discovered that the provider didn’t have a trained auditor; instead he had a coder managing the audit. The provider did in fact owe the money to the insurance company but not nearly as much as $100,000.

When choosing your Third-Party Compliance Partner consider the following:
- Skills set and resources
- Price
- Quality
- Reporting and Scoring methodologies
- Post audit education
- Industry Knowledge; not all auditors have PCI, HIPPA specific experience

Having the right type of auditor can make a difference in your results. Due your due diligence and use an accredited provider just like you would use a licensed contractor.

Tips!

NDA’s signed sealed and delivered before starting the audit process. Don’t rush and skip this step.
A good auditor will report back vulnerabilities for you to make the changes as an opposed to allowing the auditor to make changes to your site. This way you maintain control.

Take the Next Step!

In today’s world of cybercrime, you want to be at least one step ahead of the criminals. Unfortunately, today they can be internal as well as external and even a good employee could commit a criminal act. How do you protect your company? A comprehensive audit review will help evaluate your infrastructure for any weaknesses and report back recommendations for improvement. This annual event is critical to self-protection.

Your HIPPA compliance audit is very structured with three areas to be concerned with: Administrative, Physical and Technical safeguards. Administrative reviews the policies and procedures you have in place. Physical safeguards focus on physical access both internal employees and any third-party vendors. The last area is Technical Safeguards meaning what is the technology that is used to protect electronic health information. Is it encrypted to the standard? Follow the checklist and avoid potential breaches and hefty fines.

PCI Compliance unlike HIPAA is not government regulated. The credit card brands put in place mandates and there are fines for failing to comply to PCI standards. PCI is about protecting credit card numbers and is targeted towards all businesses that process, store and or transmit payment card data. You can find third-party companies to assist in the compliance certification process.

Finally, FedRAMP is for any organization that does business with the federal government. You can do it yourself and get certified and risk missing a compliance element or you can partner with a 3PAO who can guide you through the long and complex certification process. Depends on how much time and money you want to invest.

Today compliance is taken seriously and it is a constant effort to stay ahead of the curve. Find a quality certified auditor to help you maintain your certifications and you will at least minimize breaches; no sure way you can eliminate breaches completely.

Work Space Vendors

Contact Center Furniture

Commercial Interior Designer

NACSMA Consultant

Furniture

Specialized Office Systems offers customized solutions to deliver printing, promotional products, apparel, office supplies and business furniture to multiple locations across the country. You will receive the personalized service you want and the attention to detail you need.

Interior Designer

Cresa Commercial founded in 1993 was convinced that representing tenants exclusively was the best way to go. Not only would it give our clients the kind of objective, unbiased advice they might not get elsewhere, but it would also give us a unique offering in the real estate marketplace.

Consultant

The North American Customer Service Management Association (NACSMA) assists Service Center professionals with improving the delivery of Customer Care to their clients by providing a collaborative networking approach to operational issues.