It was like finding a needle in a haystack. On her first day as security and risk manager at the Pennsylvania Department of Public Welfare, Pamela Skelton was met with piles of disorganized compliance files and random pieces of paper that her predecessor had left behind.
When she was told that an IRS audit report was due in a few months, a mild panic set in. "I saw all this paper and said, 'Where is everything?' It was very disorganized. I could never find anything that I needed," she recalls. That was just the start of a risk compliance odyssey for Skelton and her team.
The Department of Public Welfare must safeguard the financial and medical data of its 2.7 million participants. Yet with more than 4,000 federal and state regulatory requirements and policies to comply with, trying to gather and review data and take corrective action in response to myriad audits became nearly impossible.
100% Paper-Driven to 100% Automated
Before adding the compliance tool, the department's audit process was 100% paper-driven, Van Scyoc says. Making matters worse, each time an employee left the group, the department was losing some of the audit responses it had given in the past, as well as some of the records they would need to present, such as contracts, paper policies, emails and files that were kept in random locations and often on individual PCs. Facing such obstacles, the audit team sometimes took three months to take corrective action on a security gap.
When new controls must be added, as with the recently adopted Criminal Justice Information System controls, the framework helps staff compare the new requirements to the department's existing controls and identify security gaps.
The risk framework and GRC tool together have yielded some surprising new benefits. For starters, staffers can now track the entire procurement process. For example, when purchasing software, procurement officers can track the documentation process from start to finish, and if they need additional information, they can send the documentation out to others, such as experts in the subject matter related to the product. Also, if a product must be renewed in a certain year and the renewal requires approval, the system tracks historical information needed for the approval process.