<?xml version="1.0" encoding="UTF-8"?>
<!--RSS generated by Windows SharePoint Services V3 RSS Generator on 6/19/2013 7:40:23 AM-->
<?xml-stylesheet type="text/xsl" href="/Journal/Blog/_layouts/RssXslt.aspx?List=48c836c2-e659-4325-8553-6b5381f1fcd0" version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Journal Author Blog: Posts</title>
    <link>http://www.isaca.org/Journal/Blog/Lists/Posts/AllPosts.aspx</link>
    <description>RSS feed for the Posts list.</description>
    <lastBuildDate>Wed, 19 Jun 2013 12:40:22 GMT</lastBuildDate>
    <generator>Windows SharePoint Services V3 RSS Generator</generator>
    <ttl>60</ttl>
    <image>
      <title>Journal Author Blog: Posts</title>
      <url>/Journal/Blog/_layouts/images/homepage.gif</url>
      <link>http://www.isaca.org/Journal/Blog/Lists/Posts/AllPosts.aspx</link>
    </image>
    <item>
      <title>Planning for FISMA Governance in the Private Enterprise</title>
      <link>http://www.isaca.org/Journal/Blog/Lists/Posts/ViewPost.aspx?ID=179</link>
      <description><![CDATA[<div><b>Body:</b> <div class=ExternalClass4D3A5BDF221A473A9F6DE763903E80BD>
<div><img border=0 hspace=4 alt="Timothy McCain" vspace=4 align=left src="/Journal/Blog/Lists/Photos/Post-061713-Timothy-McCain.jpg"></div>
<div>Timothy McCain, CISM</div>
<div> </div>
<div>The US Federal Information Security Management Act (FISMA) varies from other regulations in that it was developed to address US federal agencies rather than private enterprise. Therefore, the certification and accreditation (C&amp;A) bodies put in place to validate compliance and assign the authority to operate (ATO) are not typically accessible to private companies. The C&amp;A process includes the performance of a risk assessment, gap analysis, control implementation, and security testing and evaluation of the FISMA boundary. The C&amp;A process must be performed under the supervision of a federal agency, as it will provide the ATO, which is the document that attests compliance with the requirements of FISMA.</div>
<div> </div>
<div>In recent years, government contractors and subcontractors have been held to FISMA compliance more than ever before, as federal agencies have expanded oversight to contractors outside of defense and are applying FISMA to researchers. Therefore, your organization may come under these governance requirements if it is awarded a contract or if it receives federal funding and grants. Unfortunately, until a company obtains a contract or receives grant funding, it has historically not been given an understanding of the requirements and obligations it will be held to with regard to obtaining and maintaining an ATO.</div>
<div> </div>
<div>Upon winning the contract or obtaining the grant, I recommend that the organization immediately identify and contact the contracting officer (COTR) for the agency funding the organization, as the COTR will be the primary contact in supporting your FISMA compliance efforts. The COTR will normally be listed within the contractual paperwork; if not, the contract point of contact can direct you to the right person. The COTR will provide you with the classification of the systems within your FISMA boundary based upon FIPS 199; the contractor’s infrastructure is treated as an extension of the agency’s and is therefore held to the same level of classification as the agency itself. Prior to engaging the COTR, it is advisable to define your FISMA boundary (the systems that will be used in support of the contract or grant and any interconnections to those systems); this will help the COTR better understand the scope and the impact of the requirements on your company. FISMA is scoped organizationally rather than by data, which can have a considerable impact on your current IT governance. However, if the COTR is brought in early, the rigor of the control application can usually be negotiated.</div>
<div> </div>
<div>Thorough planning, early engagement of the COTR and identification/segmentation of your boundary, including interconnections, will help minimize the impact on your organization’s governance and decrease the overall C&amp;A process timelines and project costs.</div>
<div> </div>
<div><strong>Read Timothy McCain, Jacqueline Medina, Ryan Morrell, Dennis Pickett, John Lumpkin, Dina Drankus Pekelnicky, Alex Bengoa and David Songco’s recent <em>Journal</em> article:</strong><br>“<a href="/Journal/Past-Issues/2013/Volume-3/Pages/Considerations-for-Ensuring-Security-of-Research-Data-in-a-Federally-Regulated-Environment.aspx">Considerations for Ensuring Security of Research Data in a Federally Regulated Environment</a>,” <em>ISACA Journal</em>, volume 3, 2013.</div></div></div>
<div><b>Published:</b> 6/17/2013 8:08 AM</div>
]]></description>
      <author>Journal220</author>
      <pubDate>Thu, 13 Jun 2013 21:37:23 GMT</pubDate>
      <guid isPermaLink="true">http://www.isaca.org/Journal/Blog/Lists/Posts/ViewPost.aspx?ID=179</guid>
    </item>
    <item>
      <title>Preventing Revenue Leakage in Health Care Reform: Information Governance Needs in the Risk Adjustment Program for Health Insurers</title>
      <link>http://www.isaca.org/Journal/Blog/Lists/Posts/ViewPost.aspx?ID=178</link>
      <description><![CDATA[<div><b>Body:</b> <div class=ExternalClassE1411FEFDC07456C90B6B10F406C487B>
<div><img border=0 hspace=4 alt="Santhosh Patil" vspace=4 align=left src="/Journal/Blog/Lists/Photos/Post-061013-Santhosh-Patil.jpg">Santhosh Patil</div>
<div> </div>
<div>The US Affordable Care Act (ACA), signed into law in 2010, represents the most significant regulatory overhaul of the US health care system since the creation of Medicare and Medicaid in 1965. As a result of this law, health care organizations in the US are undergoing drastic changes in processes, operations and technology.</div>
<div> </div>
<div>Risk adjustment is one of the cornerstone programs of the ACA and is designed to mitigate adverse selection risk in the marketplace. This program transfers funds from plans with relatively lower-risk enrollees to plans with relatively higher-risk enrollees. To be reimbursed through the risk adjustment program, health plans are required to collect and submit a myriad of data to the government, as shown in the figure below.</div>
<div> </div>
<p> </p>
<p align=center><img border=0 hspace=4 alt="Figure 1" vspace=4 src="/Journal/Blog/Lists/Photos/6-10-image.jpg"></p>
<div> </div>
<div>To ensure that health plans are receiving their fair share of the risk adjustment amount, the plans must have appropriate controls and governance processes. For example, information controls need to be in place to ensure the accuracy, consistency and reliability of the information as it moves from the source systems to the risk application, and then to the government system run by the US Department of Health and Human Services (HHS). Any loss of data or inaccuracies in data will lead to incorrect risk adjustment calculations. Similarly, health plans need to reconcile and resolve the information they receive from the HHS. The health plans are also required to ensure the integrity and reasonableness of third-party data before submitting data to the HHS, in order to accurately calculate the risk scores.</div>
<div> </div>
<div>With many of the ACA compliance deadlines fast approaching, are health plans ready? Do they have enough trust in their data? Despite significant investment in data warehouse technologies and efforts to ensure quality, the trustworthiness of information remains questionable. The cost of noncompliance for insurers will be very high in terms of lost revenue and credibility.</div>
<div> </div>
<div>In <a href="/Journal/Past-Issues/2013/Volume-3/Pages/Information-Controls-and-Monitoring-Framework-for-Health-Care-Organizations.aspx">my recent <em>Journal</em> article</a>, I have attempted to highlight and address many of the challenges faced by health care organizations with regard to the reforms. With the increasing pressure to reduce cost, the accelerated need to provide accurate operational information in near real time and the expanding array of regulations, I believe that it is essential for health insurers to establish an enterprise information controls and monitoring framework to prevent revenue leakage as well as lower cost, reduce errors, and satisfy various audit and regulatory requirements.</div>
<div> </div>
<div><strong>Read Santhosh Patil’s recent <em>Journal</em> article:</strong><br>“<a href="/Journal/Past-Issues/2013/Volume-3/Pages/Information-Controls-and-Monitoring-Framework-for-Health-Care-Organizations.aspx">Information Controls and Monitoring Framework for Health Care Organizations</a>,” <em>ISACA Journal</em>, volume 3, 2013.</div></div></div>
<div><b>Published:</b> 6/10/2013 7:19 AM</div>
]]></description>
      <author>Journal220</author>
      <pubDate>Fri, 07 Jun 2013 22:00:50 GMT</pubDate>
      <guid isPermaLink="true">http://www.isaca.org/Journal/Blog/Lists/Posts/ViewPost.aspx?ID=178</guid>
    </item>
  </channel>
</rss>