Have you ever signed a contract with a vendor who didn’t support your compliance efforts? Or worse—they were clueless about the subject altogether? If you answered yes to either of those questions, you’re not alone. You realized just a little too late they weren’t willing to reply to your questions or help you be compliant.
At Clarifire, compliance—coupled with cybersecurity—is extremely important. As it should be! Some of the largest financial and healthcare companies in the industry entrust their data to us. After all, what kind of business would we be if we didn’t help our clients succeed and unlock their true potential safely with controls and governance? We lead the way as a vendor that cares about being the best, which in turn provides huge value to our clients.
Here are two major audit and compliance updates Clarifire has implemented for 2018. Are your other critical vendors prepared?
Our Risk and Compliance Program is Migrating to SSAE18 and TSC
Clarifire maintains a rigorous risk and compliance program designed to monitor the security of client data and our systems. We use CLARIFIRE internally and are able to modify and upgrade our business processes to accommodate the new standards.
Some of the changes we’re implementing to mature our compliance program include:
- Additional complementary subservice organization controls.
- TSP Sec. 100: Migration to new Trust Services Criteria (TSC) based on the COSO standard.
- Mapping HIPAA and GDPR (General Data Protection Regulation) controls to our security and trust services controls, so our clients with European customers can comply more easily with European privacy regulations.
We perform monthly, quarterly, semiannual, and annual internal audits. External security experts perform vulnerability analyses and penetration tests. An external auditor assesses our security and trust services controls derived from AICPA’s most recent Trust Services Criteria. From there, they prepare a SOC 2 Type 2 report which is shared with our clients as validation of our control program.
We’re Addressing all HIPAA Business Associate Requirements
As a highly versatile tool that can be applied to any type of industry or workflow, the CLARIFIRE application is often used by healthcare firms which are required to conform to HIPAA requirements. Since CLARIFIRE can be used to process data, this classifies us as a Business Associate.
Clarifire’s risk and compliance program is designed to address all HIPAA Business Associate requirements which apply to us based on our systems and processes. Our security and trust services controls map to HIPAA requirements and are assessed as part of the SOC 2 Type 2 audit.
We are taking these new opportunities to mature our compliance program by implementing these new procedures and tools—and it’s a great time to boost HIPAA controls as well. Businesses and their third-party vendors must evolve to keep up with compliance regulations, and having a proactive mindset means staying ahead of the game and being prepared for anything.
Richard Guerrero | Risk and Compliance Manager
Richard joined the Clarifire team in 2017. A systems engineer with over 10 years of GRC and IT auditing experience maintaining the highest control standards, he now manages our risk and compliance program. Richard earned a master's degree in industrial engineering from Texas A&M, and his first job out of college was with the U.S. Army Missile Command. His professional certifications include CISSP-ISSMP, CAP, and ITIL-F. He has presented technical papers on cybersecurity and was awarded a patent in the field. On the weekends, he is most likely to be found either outdoors with his family or in his workshop welding a contraption.