
vCISO Risk Management and SOC2 Compliance for Healthcare Insurance

[Figure: vCISO risk management solution diagram]


An ICHRA solutions company needed to quickly perform a series of critical SOC2 and FISMA compliance audits to ensure business continuity and maintain its status as one of the nation's premier small business healthcare solutions providers. Otherwise, existing and prospective customers would not be able to do business with the provider. The CTO also realized that this would require establishing a risk compliance program, and that the organization needed an external partner to provide end-to-end management. After all, employing a full-time CISO and building an in-house cybersecurity department was too expensive and time-consuming, especially considering the niche expertise requirements and the amount of work that needed to be done. Similarly, hiring an independent contractor would still require in-house resources. The CTO then turned to Strategic Alliance Consulting (SAC), a cybersecurity consulting firm, to provide a virtual CISO (vCISO) to oversee the risk compliance program.

vCISO Risk Management Solution

The SAC vCISO immediately stepped in to begin managing and executing SOC2 Type 1 and Type 2 attestation. SOC2 Type 2 is a step above Type 1, which is the bare minimum requirement for operating in health insurance. Unlike other compliance requirements such as HIPAA, SOC2 focuses on cybersecurity for business operations in a holistic manner.

It had been a while since the client had performed a compliance audit using third parties such as StrikeGraph. The vCISO interfaced with multiple vendors to establish a compliance baseline and begin updating documents and processes. The vCISO was able to make progress quickly, thanks to SAC's niche knowledge of the SOC2 framework and the policies it requires, together with expert vendor management capabilities. Overall, over 30 policies were updated, and 200 pieces of evidence were either created or gathered for SOC2 attestation.


Thanks to SAC's vCISO risk management solution, the ICHRA solutions provider was able to attain SOC2 Type 1 compliance within 4 months, with SOC2 Type 2 compliance also nearly complete. The client was ecstatic with the results of their new risk compliance program, and engaged SAC for external penetration testing and FISMA compliance attestation within the next 6 months.

