Cybersecurity Maturity Model Certification (CMMC) Audits Made Easy

Recently the US Federal Government announced plans to impose a cybersecurity audit and certificate program referred to as the Cybersecurity Maturity Model Certification (CMMC), which will be used as a standard requirement for all firms dealing with DoD data.  The CMMC closely follows established frameworks pulling heavily from the NIST CMF and 800-171 publications.  The obvious advantages of using a ubiquitous framework and assessment to ensure compliance with these new regulations helps to reinforce many of the best practices that firms in this space should have already been following.

Each firm must record their policies, procedures, and controls related to the NIST frameworks, showing a clearly delineated map of these relationships for auditors to follow, test, and critique.  The DoD recently announced that they plan to start the audit process in 2020 with more than 60% of firms expected to have completed their requirements by the end of the year.  This leaves firms with sparse time to evaluate and immortalize their processes, with a narrow window to fix non-compliant or lacking areas of their cybersecurity framework.

These moves by the Federal Government and the DoD are being widely celebrated by the cyber defense industry as a win against unintentional release of classified information, and as strong guidance for the industry to help ensure a curb in the currently vulnerable industry.  With a long history of leaks, and hacks, the government consulting and data analytics firms, that make up much of the cyber defense of the country, will be helping to ensure our enemies have one less tool to utilize.

With StrunkAccess Risk and Policy Manager consulting firms are finding a tool that can help navigate through the complicated process of becoming compliant with risk frameworks, helping to protect their companies and clients.  From SOC 2 to NIST to any risk framework, StrunkAccess is an elegant solution utilized to help hundreds of companies evaluate, record, and manage their risks.

Incident Reporting in the Modern Age

As web-based applications started to gain steam bugs, issues, and upgrades became a discussion point around best practices to document and distribute this vital information. With more and more sophisticated ways to streamline communication, release timelines, and as a snapshot of the backlog your team needs to complete, the usefulness of the applications started to become more appealing to industries outside of software development.  From software companies to audit firms to financial firms, closely followed and documented issue response is the most effective and indelible way to ensure your company is addressing all of your issues, from simple to complex.

The growth of users around a few big-name players is projected to explode over the next 5 years, leading to a consolidation of options, creating a homogenous and, in many cases, expensive reality.  In 2019 the average cost of Incident Reporting software was around $3,500/mo.  This mammoth monthly bill is only expected to grow over the next 5 years as firms become more entrenched in their default systems.  The sad fact is much of this Incident Reporting Software hides features behind micro-transactional pricing structures meant to increase the price for marginal benefits as your company grows.

At Strunk we develop tools meant to provide maximum value and functionality, highlighted by our renowned Risk and Compliance tools and Management Efficiency tools, like Issues Manager and Skill Manager. We believe, delivering the tools we love to use to our clients, provides the best outcome for all.  Like all of our tools and modules, Incident Reporting is included with the StrunkAccess GRC suite at no additional cost.  Sign up for a Demo to see all that StrunkAccess has to offer.

Strunk Reports Record Sales

Strunk is proud to report that October was the highest volume software sales month in our history. In addition, October 2019 YTD sales of Risk Manager, our Governance, Risk Management and Compliance management solution, are already up almost 50% relative to full-year 2018. New clients in October range in asset size from just under $100 million to over $1.2 billion.

This success was fueled by Strunk’s strategy to offer a broad range of services, allowing clients to purchase all of our GRC modules, including Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager, Vendor Manager plus our hosted ODP Manager software for one affordable price. Clients also signed up for Overdraft Privilege program reviews and implementation of new Overdraft programs.

Strunk CEO Dan Roderick commented, “In just one month we were able to add a record number of new clients across every line of our business and a broad range of software solutions. From my perspective, this is what it’s all about – providing full-featured, easy-to-use tools that also offer clients great value. Our sales team has really knocked it out of the park!”

With Strunk’s Governance, Risk Management, and Compliance (GRC) solution suite clients can greatly enhance internal control and risk management processes and save time. The suite includes:

  • Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.
  • Risk Assessor helps prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.
  • Policy Manager organizes all existing policies into a single database, mapped to the relevant standards and control procedures.
  • Controls Manager schedules tests of policy compliance and tracks test results.
  • Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.
  • Skills Manager provides online testing and training to ensure employees are knowledgeable about the organization’s policies.

In addition to our GRC solutions, financial institutions should periodically review their overdraft program to ensure they are not using policies and procedures that are non-compliant with current laws and regulations. Strunk’s comprehensive Overdraft Privilege Program review includes recommendations to increase fee income and ensure compliance. Additionally, clients receive access to our state-of-the-art program management software, ODP Manager.

Doing Risk Assessments Doesn’t Have to be Daunting

Community banks across the county struggle with the risk assessment process and generally they come in the form of Excel Spreadsheets or Word documents. Each functional area of the bank does their regulatory required risk assessment in silo’s and periodically the bank’s board reviews and approves the assessment.

Regulatory scrutiny of BSA/AML, ACH, Fair Lending, Loan Concentrations, Cybersecurity, Information Technology and other areas of the bank have caused financial institutions to spend more time and money focusing on the risks the bank faces. Some banks have declared their compliance officer the chief risk officer as a way to show the regulators that they are on top of enterprise risk management.

Outsourcing some of these functions to vendors is an expensive way to manage the risk assessment process and certainly unnecessary. Strunk’s GRC (Governance, Risk Management and Compliance) solution makes the risk assessment process easy to do and it consolidates all areas of risk the bank faces into one report.

Bank examiners often tell the community bank that they are coming out for the annual exam six weeks to two months prior to actually showing up. Generally, they ask the bank to send an extensive amount of information prior to coming onsite. This gives the regulator time to form their opinion on what risks the bank faces before arriving at the bank.

Strunk’s solution lets the bank tell their story rather than have the regulator tell the bank’s story to them. Comprehensive risk assessments are made easy with Strunk’s GRC and Vendor Management solution.

SOC 2 for Companies vs CPA Firms

SOC 2 reports are becoming ubiquitous for businesses in the B2B market, creating a shared confidence that best business practices are followed and systems are developed with security and data privacy in mind.  StrunkAccess GRC provides a unique SOC 2 experience, and through our conversations with clients we have seen that predictably CPA firms have a much different view of the SOC 2 vs Companies required to have them.

Companies

To compete in today’s market a company must be able to satisfy their customers’ needs.  With many companies now requiring 3rd party verifications from their vendors, the go to responses are an assessment based on how integrated the vendor is within the operations of the requesting company and a SOC 2 report.  From a company’s perspective a SOC 2 is really just a means to lubricate the sales processes and removing barriers or objections to the perspective business.  While a SOC 2 audit can add value to a company by solidifying policies, procedures and controls, the overwhelming sense our clients have relayed to us is a SOC 2 is necessary to help increase their bottom line by doing business with more sophisticated entities.

CPA Firms

While the SOC 2 has been a big boom to the bottom line of CPA firms, many firms realize SOC 2 readiness is a time consuming and onerous process for their clients.  It also winds up delaying the SOC 2 process more than any other part of the audit, especially for first time SOC 2 participants.  Because of this CPA firms concentrate on giving companies tools and examples that can help them fill gaps in their organizational structure.  The issue arises that before a SOC 2 audit no company is fully ready, all companies need to add policies or modify existing policies to close gaps and follow the general outline of the SOC 2 trust principles.  The biggest divergence that we see here is that the CPA controls for SOC 2 vary from firm to firm and can create a maze that is hard for companies to follow, even though the process with the CPA firm may be well established.  The big difference here is that CPA firms are looking at a SOC 2 as an ends, where as companies view them as a means to an end.

Technology Service Provider Contracts

Understanding the increase dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management.  The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance.  These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Lack standards for data recovery along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response. Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology related services can create special risks to depository institutions that need to be properly addressed in their service contracts.  The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract.  All financial institutions should have provisions that they review for all of their contracts with a robust vendor management program, this will help uncover any weakness in business continuity and data recovery early in the process.

 

Tell Your Story … Before the Examiner Does

Most bankers understand the importance of explaining their philosophy, strategic direction, successes and challenges to directors, auditors, examiners, analysts, and even their fellow executives and employees. They know it’s always better to tell their story before opinions are formed and judgements made about the condition and direction of their institution. Waiting until questions are asked after financial statements or audit reports reflect any weakness, or worse, when examiners arrive on-site, often means responding defensively to what is typically a very good story about management’s ability to identify, measure, monitor and mitigate risks. Given its undeniable importance, the best bankers excel at presenting the facts first and then reinforcing the message about the quality of their management team. If done efficiently, your comprehensive enterprise risk management report will provide the perfect opportunity to tell your story.

The issue is one of timing. Everybody’s busy and nobody has time to continuously repeat what we may naively assume is a message everybody has already heard and retained. But we aren’t always in front of the audience when issues arise. Examiners, for example, spend a considerable amount of time off-site analyzing the institution before coming through your doors. Their pre-work is critical to ensure an effective, risk-focused examination. In the process, it’s inevitable to have opinions formed and even CAMEL ratings roughed-out before speaking with management. Bankers must ensure their own viewpoint is timed to arrive before being judged by examiners, directors, auditors, and others. In particular, your enterprise risk assessments should clearly communicate management’s perspective on all risks, and especially your highest risks.

Equally important is presenting all the facts in a credible manner. The truth eventually comes out, and if people closest to the work fail to acknowledge high risks and other issues before they are obvious, it means they either can’t be trusted because they hid the facts, or they are deficient because they didn’t know the facts. Bankers conduct comprehensive risk assessments for this exact reason: identify the risks and then measure, monitor and mitigate them. ,Risk assessments are fundamental to the business of banking. Done right, they ensure no stone is left unturned and they validate management credibility. They provide the facts backing the story.

Identifying risks comes naturally to most bankers – we’re in the risk taking business after all – but completing and communicating risk assessment results has often been labor intensive and time consuming. If not done efficiently, individual and enterprise risk assessments can drain resources, incur opportunity costs by diverting resources from other important assignments, and lead to frustration and corner-cutting. The key is ensuring individuals closest to the action conduct or oversee the risk assessment in their functional area, but not require them to spend an inordinate amount of time on the work. About an hour each quarter should prove sufficient at most institutions for executives to complete the task…provided they have the right tools to perform the assessment.

Most bankers appreciate how important it is to tell their story to the right audience before opinions are formed and judgement passed. Comprehensive Enterprise Risk Assessments present a golden opportunity to do just that if they can be done efficiently and without draining resources or busting the budget. Enterprise Risk Assessments are the perfect way to back your story with facts.

Take The Scary Out of Your SOC2 Exam

SOC 2 examinations can be scary and complicated, taking up extended amounts of your employees‘ and stakeholders‘ time. Changes to the AICPA framework can throw your SOC 2 exam into a tailspin, if you discover you don’t have policies and controls to address the newer principles. Utilizing a patchwork of spreadsheets, word docs and PDFs ensures your company will be sinking the maximum human investment into SOC 2 compliance, helping to increase frustration and the possibility of a qualified report.

Strunk Risk Manager can decrease the frustration and the complexity of your policy management process. Our software includes six basic tools for managing risks, policies, controls, compliance issues, vendors and employee knowledge, helping you seamlessly manage your compliance and policy frameworks. Strunk SOC 2 tools don’t just stop at management. We also include a suite of SOC 2 Trust Principle templates to help jump start your policy creation or fill gaps in your already-developed policy regime.

What can you expect from Strunk’s SOC 2/Risk Framework enablement tools?

  1. Your company submits your current policies to our secure portal. If your company does not have developed policies, we have you covered. Use our library of policies and controls to pick and choose templates applicable to your company, helping to speed up the policy and control creation process.
  2. From there we load your policies into the system. Once completed we will train you and your team on how to utilize the system, enabling your team to take off running.
  3. Once your policies are in the system, we will work with your team to map these policies to the correct SOC 2 trust principles.
  4. When your policies and controls are loaded and mapped to the correct trust principles, the heavy lifting is over. Modifying existing policies or adding new ones takes very little time, and your team can easily document board and management approvals.
  5. Help speed along your compliance audits using our Policy Map View, which provides a single document, showing the SOC 2 trust principles, your mapped policies and controls, as well as your control test history and applicable documents. Give your auditors most of what they will need in a single shot, reducing overhead and delays caused by communication lag.

At Strunk, we know our solution works because we use it on our own SOC 2. Contact us today for a demo to see if our solution is right for your company.

Our GRC Services

Our roots go back to 1976, when we began providing consulting services to banks and credit unions. Since then, we have worked with more than 1,500 clients in all fifty states. Among banks and credit unions, we are best known for our compliant fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Because risk management and compliance have always been a big part of what we do, in recent years we have gradually expanded our focus to helping clients in all industries improve their risk management and compliance processes and productivity using our software.

We now offer six comprehensive, easy-to-use and affordable compliance management tools that are useful for clients in any industry:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

All our tools are securely and reliably hosted at Amazon AWS, from which they are available on a variety of devices from anywhere. We’ve gotten some great feedback from our clients. Here are a few comments:

Our policy and control structure is very complex having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process! — Laura Hendricks: Woodlands Securities / Woodlands Asset Management

We currently use Strunk’s Policy Manager to update and track changes to our policies. We like the audit trail it leaves of changes and also the PDF Redline that indicates changes used for the Board to review and approve. Strunk Customer Support has been prompt and they always assist with any issues we might have. — Karen Lomax, Vice President and CFO Kinetic Credit Union

Strunk’s program brings efficiency to the process and allows us to focus on areas of high risk. Our team sees great value in the process and reporting generated by the Strunk program. It is an affordable way to manage regulatory required risk assessments. — Bob Sundquist, CFO/CRO, NebraskaLand National Bank

Our core customer base has always been smaller and medium-sized organizations and so, unlike most providers, we have tried to price Risk Manager at a level that is affordable by all. In order to encourage usage, we charge a flat annual fee based an organization size. That fee gets you unlimited access to the tools for an unlimited number of users, along with unlimited support from for our support team.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. This year hosted at the Hyatt Regency Huntington Beach, the event always proves to have many learning opportunities for bankers to gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all new Vendor Manager.

Vendor Manager provides an easy to follow standardized process to assess risk, gather due diligence materials, evaluate contracts and stores all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.