The client: A health care medical management and administrative services organization that supports health insurance companies.
Given the competitive environment in which the shared services corporation operates, the client moved to an eighty-six-vendor, hybrid cloud enterprise that allowed for greater availability, scalability, and maintainability.
The new technology environment introduced compliance, data governance, and risk management challenges. Given the sensitivity of the member health care data, they required capabilities and processes that would provide high levels of security and privacy in order to maintain the confidence and trust their customers expect and demand.
After a risk analysis auditing company completed an assessment of their foundational processes and controls, the client approached FarWell with the assessment results looking for a path forward.
Strategically, the client sought to modernize their security capabilities and member health data controls, while building a mature, digital business that provides fast, secure, and personalized digital customer experiences.
After completing a Right-Fit™ Discovery, FarWell recommended the following approach:
Working with the client, FarWell identified thirteen key risk-related business capabilities, six of which were prioritized as critical or high. The Gap Analysis assessment provided the current state of the capabilities; the FarWell Senior Advisor then identified the desired end state and maturity level to meet industry security standards.
The goal was to achieve an operational maturity level that would ensure sound foundational controls. Ongoing maturation would be achieved through a one- to three-year roadmap.
Once the gaps were identified in the Gap Analysis, the FarWell Senior Advisor determined that the three key program objectives were to:
Each objective adhered to LEAN principles to make the resulting program efficient, cost effective, and sustainable.
Most importantly, the nature of the client’s business required compliance with industry and government specific standards.
As a digital compliance transformation, there were two aspects of the plan that could be labor intensive for the hybrid cloud enterprise that had a lot of vendor data integrations: third party risk management (vendor compliance) and policy, process and procedure creation. To give the program a quick lift, FarWell researched and found two compliance accelerators as partners who specialized in these areas.
The vendor compliance partner was critical to creating a LEAN risk assessment process for the 86-vendor enterprise, allowing focus on the highest-risk vendors and the related necessary mitigations. The niche compliance policy partner allowed rapid creation of policies, processes, controls, and procedures from customizable templates.
FarWell delivered a comprehensive plan and roadmap for how to achieve required maturity levels. The plan was facilitated by FarWell in the first year, while the team collaboratively built policies, processes, and controls and the related organizational committees, practices and owners. At the handoff, the client had an established, trusted path to effectively mitigate critical and high risks by the end of year two on their own.
Over the course of the project, FarWell provided support in the form of a team led by a Senior Advisor with deep experience in IT and IT security, as well as a background in business and the practical application of technology, supported by a Business Analyst. Having a single leader and team manage the project from strategy development to solution architecture and through to execution allowed for a highly coordinated, holistic approach.
The project started mid-year. During the first two months, the team’s focus was on vulnerability and patch management, developing a Security Operations Center (SOC) roadmap, and building an Infrastructure and Security portfolio and roadmap.
During the next two months, the team focused on vendor management, establishing a security program and governance, developing an enterprise architecture team, building out application and data portfolios and roadmaps, drafting an IT service management roadmap and an incident/response management plan, completing a network security assessment, and creating the following year’s budget and plan.
By year end, the team had finalized identity and access management, drafted a data protection and governance policy/process, and established a security steering committee.
With FarWell’s help, the client revamped their entire digital compliance and security program over the course of six months. Per the solution design, which ultimately focused on self-sufficiency, the client has now hired their own security manager who is following the roadmap developed by FarWell to grow and mature the program.
The client recently passed their first post-implementation compliance assessment audit and saw a 64% improvement, with all critical issues and all but one of the other identified issues having been addressed completely.