CastleHill Managed Risk Solutions Blog

Policy Management – What would Henry Ford do?

Posted by Joseph Santangelo on Apr 17, 2018 6:04:57 PM

Ford’s Model N cars (the Model T’s predecessor) were built by workers adding parts that were laid out on the floor.

Read More

Topics: Policy Exception Management, Policy Management, Policy and Procedure Management

CastleHill exhibiting at the 7th Annual Risk Americas Conference - May 17-18, 2018 in New York

Posted by Michael Duggan on Mar 26, 2018 2:45:44 PM

7th Annual Risk Americas 2018 Conference
May 17-18, 2018
New York Marriot Downtown 

Read More

Topics: Events & Conferences

GDPR in the USA

Posted by Joseph Santangelo on Mar 6, 2018 12:51:36 PM

Coming soon!   Actually, very soon!  In May of this year, the EU's General Data Protection Regulation (“GDPR”) goes live.

Read More

Topics: Risk Management, GDPR, GDPR Compliance, GDPR for US Companies

Managing Regulatory Changes – Thankless Job or Hidden Gem

Posted by Joseph Santangelo on Feb 12, 2018 12:02:11 PM

Managing Regulatory Changes – Thankless Job or Hidden Gem

Read More

Topics: GRC, Risk Management

Operational Risk Levels Remain Elevated - Third-Party Service Providers are the Reason

Posted by Joseph Santangelo on Feb 1, 2018 5:10:25 PM

Organizations have seen a steady increase in the use of third-party service providers. Not knowing if the risks associated with third-parties are being managed properly intensifies risk management challenges and keeps board members awake at night. These risks demand steadfast supervisory focus as well as effective programs to manage each organization’s Third-Party Risk. The OCC’s recent Semiannual Risk Perspective publication highlights the urgency to address these risks.

Read More

Topics: Risk Management

A Faster Path to “Yes:” Improve Your RFP Response Time and Win More Deals

Posted by Michael Duggan on Sep 22, 2017 8:59:30 AM

Let’s set the table. If you’re a vendor who regularly responds to Requests for Proposals or information (RFPs / RFIs) as part of your prospecting or sales process, we don’t have to tell you they’re a proverbial pain in the tush – pages and pages of company data is required upfront just to be in the running. The work is time (as in weekend) consuming and tedious. In fact, if you want to clear a room quickly, just casually remark “We’re responding to an RFP….” and watch sales people, relationship managers, and IT staff scatter. You won’t even hear crickets chirping in the background… they ran too.  The truth is it can be soul-crushing work to assemble solid responses for every last question, insight, use case, heading and subheading. Yet, for many businesses, RFPs represent some of the most enduring and lucrative business partnership opportunities. The potential value of every response is significant, so the struggle continues.

Read More

How Your Credit Union Can Stay Up to Date on Your Vendor Risk Management Program

Posted by Michael Duggan on Aug 25, 2017 10:20:00 AM

Weighing in at $18.5 million, Target has agreed to pay the largest-ever fine for a third-party data breach. When you consider the scope of the compromise – nearly 70 million customers and/or accounts affected and an estimated total loss of $202 million by Target, the fine almost pales by comparison. How did the thieves access Target’s data? Through an unlikely third-party vendor, specifically an HVAC contractor. More important lessons to learn from Target’s unfortunate risk debacle are in the details, specifically the breakdowns and negligence of their own risk management processes. While you might not see immediate parallels between a retail behemoth like Target and your credit union, the fact is that all third-party vendors put every organization at some degree of risk, making a functional and up to date vendor risk management program an important part of a mature approach to overall enterprise risk management.

Read More

Topics: Credit Unions

The Costs of Storing Protected Health Information (PHI) in Spreadsheets

Posted by Michael Duggan on Aug 8, 2017 2:29:00 PM

There is a data war being waged in many healthcare organizations – spreadsheets vs. overall data security and integrity. In fact, in our experience, the number one risk to data protection and management is the common spreadsheet. Excel has been around since 1985, and, while a long-proven data workhorse, carries with it a multitude of security risks. In fact, according to the Identity Theft Resource Center, 2016 data breaches overall increased 40%, and the Healthcare sector accounted for about 35% of those breaches which were largely driven by hacking or similar practices (over 50% and climbing sharply).

Read More

Topics: healthcare

Do You Really Know Where Your Data Resides?

Posted by Michael Duggan on Aug 3, 2017 2:10:00 PM

What you don’t know can hurt you. With the constant pressure of streamlining and creating cost-effective operations, outsourcing of core processing and data management to domestic third-parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask the question of where their customer’s data will be stored when leveraging a third party.   

Read More

Topics: GRC

How Can I Ensure Our Vendors Are HIPAA Compliant?

Posted by Michael Duggan on Jul 20, 2017 1:54:00 PM

You’ve been diligent about developing the needed policies and procedures to ensure HIPAA compliance within your organization. It’s been challenging, but your internal audits have been positive, and you are confident your internal processes are up to standard. Are you as confident about your vendors and their HIPAA compliance?  If your vendors aren’t compliant, who pays the price? You do. As the outsourcing organization, you are responsible for the HIPAA practices of all vendors who have access to, work with, or store your sensitive PHI. Beyond the vendors who physically touch your data, such as IT providers, data centers, and document shredders, HIPAA compliance requirements could extend to other vendors who may have access to your contacts database, or even the data center where your IT provider backs up their own data (see: How Many Degrees of Separation Are There Between You and Your Data?

Read More

Topics: healthcare