Regulations and recommendations from federal and state government as well as industry groups place additional security requirements on business and growing responsibility on business leaders for compliance. Many regulations offer only vague recommendations for security controls subject to interpretation and subsequent implementation by the business. Some provide specific requirements that must be addressed, documented and maintained. At the heart of all these compliance efforts is an attempt to establishment a minimal set of standard security controls that ensure the confidentiality, integrity and availability of certain respective protected information and the systems and networks wherein they reside.


A comprehensive HIPAA Compliance or HITECH assessment or Security audit meets compliance requirements and provides valuable information and support. Our HIPAA Security Audit  results in identifying gaps in compliance with the Security Rule and Privacy Rule, identifies weaknesses, vulnerabilities, misconfiguration, provides the documentation and recommendations necessary to determine reasonable improvements – we validate your regulatory compliance or give you a path to get there. Spohn’s HIPAA Security Assessment provides the following benefits:

  • Meet audit requirement of the HIPAA Security Rule Sec. 164.308(a)(1)(ii)
  • Lower IT cost by allocating security resources to preventative efforts rather than post-event remediation
  • Provide a reasonable basis on which to rely on the company’s security measures for the confidentiality, integrity, and availability of its information and systems
  • Help management develop, maintain, and improve existing security controls
  • Gain added credibility with customers, board members, investors, partners, and creditors
  • Demonstrate due-diligence in an organization’s efforts to manage risk and liability inherent in its security posture
  • Acquire detailed documentation for use in budget and remediation planning
  • Quickly prioritize and remedy vulnerabilities by using data, detailed descriptions, recommendations and links to online resources packaged on the Remediation Database on DVD-ROM


Spohn’s Financial Security Assessment assesses your security posture and risks, provides analysis and remedies allowing you to prioritize your needs, and offers you an unbiased third party assessment to meet regulatory requirements or prove due diligence. The assessment and resulting security profile are customizable based on the Gramm Leach Bliley Act, the Interagency Guidelines for Safeguarding Customer Information,FFIEC Handbook on Information Security, and other regulations and guidance provided by FRB, NCUA, FDIC, OCC, and the OTS . The ESA service provides a complete enterprise solution for detailed inspection, analysis, and reporting of the security controls across your financial institution.

Spohn utilizes experienced security consultants and proven tools and processes to assess physical, technical, and administrative security controls, including policy, plans and procedures against industry security standards, best practices, regulatory requirements and your internal needs. The comprehensive analysis, documentation and remediation recommendations provided by our services can help you to determine and plan for commercially reasonable improvements to your security.


Spohn helps all industries with our security assessment service for identifying threats, risk, vulnerabilities and commercially reasonable improvements by deploying proven people, processes and tools to assess the effectiveness of a company’s security controls against security best practices. By using ISO/IEC 17799, the internationally-recognized standard for enterprise security best practices, as a base within your audit, you can be confident that you have used an Internationally recognized “Best Practices” for security to protect your enterprise, provide proof of regulatory compliance and demonstrate due-diligence.

Spohn can assess an organization against the entire ISO 27001/2 security standard or custom tailor an assessment to meet your organization’s specific requirements through a subset of security controls detailed within the standard. Whether custom-designed or using Spohn’s ISO 27001/2 checklist, you will receive comprehensive analysis, documentation and remediation recommendations for determining and planning commercially reasonable improvements to security.

  • Meet security requirements of Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB) and other regulations
  • Determine effectiveness of security controls compared to an Internationally recognized security standard (Best Practice)
  • Demonstrates due-diligence in an organization’s efforts to identify threats, weaknesses, vulnerabilities, and gaps in compliance
  • Provides proof of compliance with security requirements for most legislation
  • Builds confidence with stakeholders, shareholders, board members, and employees
  • Fits within standard framework for risk management
  • Quickly prioritize and remedy vulnerabilities by using data, detailed descriptions, recommendations and links to online resources packaged on the Remediation Database on DVD-ROM

Information Security becomes a bigger concern for IT managers every day.  Failure to be compliant to the regulatory body responsible for your business can be costly not only terms of fines and certification issues, but also real word monetary costs associate with a security breach, information disclosure or site useability from a DOS attack.

Spohn’s security consultants can provide the guidance to get and  keep you regulatory compliant with most business sector requirements – SOX, GLB, HIPAA, HITECH…  Please feel free to call one of our trained consultant at 512-685-1820 or call our main line at 512-685-1000.

External Resources

Florida FIPA Security

Florida is no longer more lax in personal information security, data protection law and HIPAA compliance than most other states!  Florida is in fact leading the way in breach notification – FIPA applies to almost every company or organization doing business or providing service in the state with few exemptions or or political caveats. 


The Florida Information Protection Act of 2014 (FIPA), similar to but not to be confused with HIPAA, was passed through the Florida State Legislature out of  State Capitol in Tallahassee on June 20th and approved by Gov. Rick Scott. The law became effective as of July 1st, 2014. It encompasses two sides of the data breach notification law – how companies are expected to prevent a breach of personal information and what is expected of them should they experience a breach.

Personal identification is defined under FIPA as:

An individual’s first name or first initial combined with the individual’s last name in combination with one ore more of the following:

  • Social Security Number
  • Drivers license or identification card number, passport number, military ID number or other similar government issued ID
  • Financial account number or credit/debit card number combined with the required security code
  • Any information regarding an individual’s medical history, mental or phyiscal condition, or medical treatment or diagnosis by a heath care professional
  • An individual’s health insurance policy number or subscriber identification number, along with any unique identifier used by a health insurer to identify the individual.

Personal identifiable information under florida FIPA is not:

  • Information that is encrypted
  • Secured or modified by any other method or technology
  • Modified to removes elements that personally identify an individual or that otherwise renders the information unusable.

Have Questions?
Let Us Help

Contact Us

FIPA Security Breach Notification

“Covered entities must notify Florida’s Department of Legal Affairs (i.e., the Florida Office of the Attorney General) of any breach that affects more than 500 people. Notice must be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred. An additional 15 days is permitted if good cause for delay is provided in writing to the Attorney General within 30 days after determination of the breach or reason to believe a breach occurred.”

General Rules:

  • Less than 500 the individuals and as directed by law enforcement
  • 500 to 1000 Florida’s Attorney General, the individuals  and as directed by law enforcement
  • Over 1000 – add the Credit Reporting Agencies to the is above.

“A violation of the FIPA Security Law is an unfair or deceptive trade practice subject to an action by the Attorney General under Florida’s Deceptive and Unfair Trade Practices Act against the covered entity or third-party agent.  A covered entity that does not properly notify affected individuals or the Attorney General may be fined up to $500,000 per breach, depending on the number of days in which the covered entity is in violation of the Florida FIPA Security Law.  The law creates no private cause of action, nor does the presumed FDUTPA violation for the Attorney General appear to apply to a private action under FDUTPA.”

The departure here from most fine structures that exist – such as HIPAA … Fines are not issues on a per record basis, but rather on a scale of days, weeks, months a failure to notify condition occurred up  a maximum of $500K…in addition to any other regulatory agency criminal or civil fines assessed by HIPAA or NERC or…

The details get more complex depending on the covered entity’s business sector covered under HIPAA/HITECH or NERC or …

Upon request by the Attorney General, the entity, covered entity or third-party vendor  must provide a police report, incident report, or computer forensics report; a copy of the policies in place regarding breaches; and/or steps that have been taken to rectify the breach.

The definition of “Covered Entity” or CE under FIPA covers just about anyone doing business in the State of Florida or providing a service of any kind and does NOT exempt any state or federal agencies providing said services in Florida and you ARE as a CE responsible for the action of your business associates BAs!!!

FIPA Requires Proactive Measures

The Florida Information Protection Act distinctly states that covered entities are to take all reasonable measures to protect and secure personal information. Third-party vendors and covered entities must also take thes same reasonable steps to protect and secure electronic personal information.  FIPA makes it clear – covered entities need to take proactive measures to protect the personal information of its clients; this includes taking all possible steps to dispose of customer records containing personal information – both hard and electronic copies.

Punishments for violating this provision of FIPA is through the Unfair and Deceptive Trade Practices statute it punishes those who thought it was to expensive or time consuming to take all reasonable step/measures to protect personal information of its customers or verify their business associates were taking all reasonable steps to protect personal information.

NERC Compliance

NERC compliance is adhering to each of the requirements and specifications laid out in CIPv3 security rules with appropriate updates until April of 2016; at that time “steady state” compliance and Enforcement for CIPv5 are active, The “Effective date” is April, 2014 base on the draft transition plan.  Note that the revised CIPv5 standard will be published January, 2015 with RAI and CIPv5 training and awareness slated for the entire year…Quite a mouth full and a lot of data packed into a small area – read below for easier to comprehend definitions and timelines as they relate to CIP Security and NERC Compliance.

NERC definition:

The North American Electric Reliability Corporation – NERC is a non-profit, international regulatory authority whose mission is to ensure the reliability and security of the bulk power system in North America.  In the post 911 world and with Cyber Security and Data Security breaches front line – NERC continues to develop, evolve and enforce new standards in the following areas:

  • Assessments – annual, seasonal and long‐term reliability
  • System Awareness – monitor the bulk power system throughout
  • Industry Personnel – educates, trains, and certifies

CIP Definition: Critical Infrastructure Protection

Currently Enforced CIP Regulations Applicable to Regional Entities and Responsible Entities – CIPv3:

  • CIP-002-3   Cyber Security – Critical Cyber Asset Identification
  • CIP-003-3   Cyber Security – Security Management Controls
  • CIP-004-3a Cyber Security – Personnel & Traning
  • CIP-005-3a Cyber Security – Electronic Security Perimeter(s)
  • CIP-006-3c Cyber Security – Physical Security of Critical Cyber Assets
  • CIP-007-3a Cyber Security – Systems Security Management – “The version number was updated from CIP-007-3a to incorporate the approved interpretation that should have previously been appended”
  • CIP-008-3   Cyber Security – Incident Reporting and Response Planning
  • CIP-009-3   Cyber Security – Recovery Plans for Critical Cyber Assets

Future Enforced (4/1/2016 unless otherwise noted) CIP Regulations Applicable to Regional Entities and Responsible Entities – CIPv5:

  •  CIP-002-5.1 Cyber Security – BES Cyber System Categorization – Errata approved by the SC on 9/27/2013
  • CIP-003-5    Cyber Security – Security Management Controls – has an enforcement date of 4/1/2016, except for CIP-003-5 R2 which has an enforcement date of 4/1/2017
  • CIP-004-5.1 Cyber Security – Personnel & Training – Errata approved by the SC on 9/27/2013
  • CIP-005-5    Cyber Security – Electronic Security Perimeter(s)
  • CIP-006-5    Cyber Secuirty – Physical Security of BES Cyber Systems
  • CIP-007-5    Cyber Security – System Security Management
  • CIP-008-5    Cyber Security – Incident Reporting and Response Planning
  • CIP-009-5    Cyber Security – Recovery Plans for BES Cyber Systems
  • CIP-010-1    Cyber Security – Configuration Change Management and Vulnerability Assessments
  • CIP-011-1    Cyber Security – Information Protection

According to the Cyber Security Standards Transition Guidance (Revised), NERC’s CIP Version 5 Reliability Standards represent a significant improvement over the current CIP Version 3 Standards. CIP Version 5 adopts new cyber security controls, both technical and administrative, as well as extends the scope of the IT infrastructure’s expanded list of systems that the newer CIP standards are designated to protect.  The current transition plan is still in draft (June, 2014) but contains a lot of viable data even if the transition and enforcement dates slip – but don’t expect significant changes or assume the dates will slip.

Click here to download a detailed comparison of CIPv3 vs CIPv5. The spreadsheet is ordered by CIPv5 rule, then requirements. The additional requirements to CIPv5 are in yellow/orange text.  Accurate as of 10/23/2014.

NERC/FERC Authority and Reporting Chains

NERC’s total area of responsibility and authority serves nearly 3.5 million people across the United States, Canada and Mexico.

NERC is responsible for the following areas:

  • Continental United States
  • Canada
  • Northern portion of Baja California, Mexico

NERC maintains authority over:

  • Users of the bulk power system
  • Owners of the bulk power system
  • Operators of the bulk power system

NERC is responsible and accountable to the Federal Energy Regulatory Commission (FERC) and various regulatory authorities in the Canadian government.

We provide custom solutions to everyone from Fortune 500 companies to rural hospitals.

Get a Quote