Advisory & Consultation

We provide subject matter expertise and advice to meet your security, risk and compliance needs. We offer consulting support through various stages of your project to help you keep KP and our members safe.

Business Risk Consultation

We help you understand your technology risk profile and its impact on your key projects and initiatives. We also advise on leading risk management processes.

Risk Response and Exception Support

We help you understand the options available to address control gaps identified by assessments or audits. Options include Operational Deviation, Treatment Exemption, Disaster Recovery Exception, Risk Acceptance, and Risk Remediation Plan.

Contract Review Support

We provide advice on contractual language related to privacy and security requirements.

Other TRO Consultation Services

If you can’t find what you’re looking for, please fill out our TRO engagement request form or directly consult with your technology risk consultant.

Business Risk Consultation

We help you understand your technology risk profile and its impact on your key projects and initiatives. We also advise on leading technology risk management processes.

Getting Started

You have two ways to request a consultation:

Risk Response and Exception Support

We help you respond to and seek exceptions, where necessary, for technology risks. Options include the following:

Operational Deviation: Allows an exception to KP Access Management policies and standards, such as generic account usage, interactive service account usage, non-human NUID accounts, password standard settings/SOX 12.04.03 control requirements, and local workstation elevated privileges. Learn More

Treatment Exemption: Addresses technical security non-conformance at the operational level, providing exemptions from Technical Security Standard (TSS) settings, software currency, removable media encryption, patching and monitoring agents. Learn More 

Disaster Recovery Exception: Allows exceptions to IT Disaster Recovery policy, including exception to, or deferral of, disaster recovery testing and deployment. Learn More 

Risk Acceptance: Allows IT solutions, applications, services, and processes to assume risks in lieu of issue remediation due to the mitigated impact to the environment or the cost of remediation. Learn More 

Risk Remediation Plan (non-CAP): Allows a Risk Remediation Plan to be submitted for remediation of cyber security defects and vulnerabilities where remediation cannot be completed within the required Risk Treatment Period (RTP). Learn More

Remediation with Correction Action Plan (CAP), identified through internal and external audits and assessments, is managed by the Privacy, Security and Technology Compliance team. Visit the PSTC site to learn more or initiate an intake.

Getting Started

You have two ways to access this service:

  • Click “Learn More” for your selected service to access instructions and use cases. WSSO and account registration will be required when you are ready to initiate your request.

  • To request a risk advisory consultation, connect with your technology risk consultant.

Contract Review Support

We provide advice on contractual language related to privacy and security requirements. This service includes review of vendor and employer group contracts.

Resources

Getting Started

You have two ways to request a consultation:


Request a consultation for employer group contracts: