The Pepperdine Graziadio Business School and ITSPmagazine have joined forces to provide a unique, online, dynamic learning program, tapping into the wealth of knowledge from the growing number of ITSPmagazine Subject Matter Experts (SMEs) willing to share their experience and learnings with the students taking part in the Cyber Risk Certification Program (CyRP).
Through this dynamic learning program, ITSPmagazine SMEs will answer questions posed by the CyRP students, providing them with real-world insights into the challenges they will face as cyber risk management professionals.
The question answered in this learning chronicle, which explores the issues of dealing with cyclical changes that can impact how risk is managed, was answered by Michael Parisi, VP, Assurance Strategy & Community Development at HITRUST.
Enjoy and share!
Do you have any advice for how a nonprofit can tackle risk and security management as a volunteer-run organization?
There are many challenges that nonprofits face within the marketplace based upon the nature of the organization and the accounting standards they must follow. However, this does not excuse them from having appropriate security and privacy policies, procedures, practices and controls in place.
Many organizations share sensitive information with nonprofits for the betterment of the community, research or to support a greater cause. Because of this, they may view the nonprofits as an extension of the organization that ultimately owns the data and expects them to follow similar, if not the same, security and privacy practices that they follow. This may be based upon business culture or regulatory demand. For example, in the healthcare industry, any “partner” that obtains PHI from a covered entity is considered a Business Associate (BA) under the regulation known as HIPAA.
There are countless examples in which a traditional covered entity, like a hospital system or health insurer, shares information with a nonprofit research organization or university system for multiple reasons. In these instances, the covered entity (CE) must treat that nonprofit as a BA. This requires the CE to perform an appropriate level of due diligence over that BA to ensure that they are in compliance with HIPAA and are protecting the sensitive information that is shared with them (in the same way that the CE is expected to under federal law).
This can impose a significant challenge on nonprofits, especially those classified as BAs, as the cost to build an effective security and privacy program that meets those requirements can be unbearable. That being said, it is no excuse for a nonprofit to not have appropriate posture in place within the organization.
In my experience, the best way to tackle this is to leverage “off-the-shelf” security and privacy programs available from nonprofit standards organizations; these have the right level of granularity and implementation guidance that allows the organization to achieve a “table stakes” minimum that is necessary for security and privacy posture.
Do not try to recreate the wheel or start from the ground up. Look for a suite of programs that includes a free control framework that, if implemented appropriately, will address multiple authoritative sources and requirements relevant to multiple industries. It also helps if that framework has an assessment methodology wrapped around it and is certifiable to provide a level of transparency and third-party assurance to the marketplace.
I recommend that nonprofits build appropriate security and privacy posture into the DNA of their organizations and look for a single suite of programs that offers all implementation aspects that work toward an effective and efficient security and privacy program.
About Michael Parisi
Michael Parisi has led over 500 controls-related engagements primarily in the healthcare and financial services industries. He has extensive experience with third-party assurance reporting including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedure and customized AT-101 engagements.
He also has several years’ experience implementing large Oracle ERP systems, specializing in the General Ledger and Governance, Risk and Compliance modules. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS and state-specific standards. He holds a Bachelor of Science in Accounting, a Bachelor of Science in Computer Information Systems and an MBA from Quinnipiac University. He is an active member of ISACA and IAPP.