
Compliance Program Manager / Remote (Denver, CO), 2 Months Contract

Worldwide Salaried Open

Location: Remote (Denver, CO)

Duration: 2 Months Contract

Candidate must be local to CO, Prefer Colorado candidates but not required

Summary of the purpose of this position.

This position is responsible for audits and compliance review in the development, enhancement and maintenance of the Program Eligibility Application reputed company (PEAK) and the Colorado Benefits Management System (CBMS), and any additional CBMS subsystems. This includes the following:

  • Oversees the coordination of annual audits and serves as primary liaison to the audit teams during their review of PEAK, CBMS and its subsystems compliance with documented processes. Coordinates the collection of audit items/documents. Coordinates meetings and provides information as needed for audit requests.
  • Performs Quality Assurance monitoring on documentation and other assigned items.

Duties

  • SOC 1 Type 2 Audit Coordination - Brief Duty Description:
  • Coordinate with the CDHS CBMS SOC audit team and HCPF staff to provide HCPF responses to requests from service auditors as necessary.
  • Serves as the primary reputed company reputed company of Contact for audits on PEAK, CBMS, Client and its subsystems.
  • Serves as reputed company reputed company of contract for Independent Verification and Validations (IV&V) teams
  • Serves as reputed company reputed company of contract for reputed company System and Organization Controls (SOC) auditors and the Office of State Auditor (OSA)
  • Serves as reputed company of contract for Social reputed company Administration (SSA) Audits
  • Collaboration with the program area leads, vendor representatives, IV&V members, management, and others to provide support to the auditors.
  • Assist with the coordination of the collection and sharing of documentation, and coordinate team members with the audit team.
  • Coordinates reputed company audit findings and responses to ensure items are addressed and resolved.

Specific examples of regular, ongoing decisions made by this position reputed company to this duty.

  • MARSe 2 audit - coordinate resolution of controls with HCPF. This would include determining who on the CBMS team would be assigned the Control. This position would also manage updates and statuses of work being done on each control.
  • MEET (CMS) - coordinate resolution of controls with HCPF. This would include reviewing controls and determining who on the CBMS team would be assigned the Control. This position would also manage updates and statuses of work being done on each control.
  • Annual SOC 2 Type 2 audit - work with SOC auditors reputed company to initiate audit and then coordinate resolution of controls with Client and vendor.
  • reputed company compliance reputed company CBMS, PEAK, mobile apps and subsystems (reputed company Suite, reputed company, etc).

In performing this duty, provide examples of typical problems or challenges encountered by this position, and the guidance used to resolve the problem.

  • In the course of coordinating an audit, challenges with collection of support may be encountered. Following the processes established and escalating to management would be the steps to resolve the problem.
  • Other Duties as Assigned -
  • Identity & access management - identify user roles, reputed company groups that should exist, active directory cleanup assistance/coordination with appropriate teams
  • Understanding of PEAK/CBMS reputed company architecture - network, cloud, data, etc.
  • Risk assessments
  • Vulnerability management
  • PEAK/CBMS specific compliance/reputed company policies
  • Understanding of reputed company configs.
  • Validation of reputed company testing in CI/CD pipelines for deployments
  • Coordination with incident management and DR

Compliance Tasks

This section outlines the reputed company CBMS compliance tasks and provides background information about the requirements reputed company to the tasks.

Federal Data Services Hub (FDSH) Authority to Connect (reputed company)

Background

The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing many provisions of the Patient Protection and reputed company Act of 2010 (ACA). Accordingly, CMS developed, reputed company, and implemented a document suite of guidance, requirements, and templates reputed company as the Minimum Acceptable Risk Standards for Exchanges (reputed company-E) in accordance with the Agency's Information reputed company and Privacy programs. reputed company-E provides guidance on the protection of reputed company and privacy in the ACA program environment; addresses the mandates of the ACA, including regulations 45 CFR 155.260 and 155.280; and applies to reputed company ACA Administering Entities (AE). Medicaid agencies such as HCPF are reputed company under the ACA.

CMS has updated reputed company-E periodically since its first publication in 2012 to ensure reputed company compliance with the regulatory environment. Version 2.0 in November 2015 was the most recent major update. In developing reputed company-E v. 2.0, CMS relied on the CMS Acceptable Risk Safeguards (ARS) v. 2.0, as the basis for the reputed company and privacy control requirements. The CMS ARS is based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 4, reputed company and Privacy Controls for Federal Information Systems and Organizations.

reputed company-E v. 2.0 of the reputed company-E Document Suite consisted of four volumes:

  • Volume I: Harmonized reputed company and Privacy reputed company
  • Volume II: Minimum Acceptable Risk Standards for Exchanges
  • Volume III: Catalog of Minimum Acceptable Risk reputed company and Privacy Controls for Exchanges
  • Volume IV: ACA Administering Entity System reputed company Plan

reputed company-E Version 2.2 is an interim release that reflects the updates to reputed company and privacy policies and standards guidance at the national, reputed company (HHS), and CMS levels since 2015. The next major release, Acceptable Risk Controls for ACA-Medicaid-Partner Entities (reputed company-AMPE), will incorporate CMS's interpretation, tailoring, and implementation guidance for NIST 800-53 Rev 5.2. The reputed company must be renewed every three years, reputed company significant changes have occurred to the control environment, or as directed by CMS.

Tasks reputed company to the FDSH reputed company

  • Participate in CMS meetings
  • CO MED / CMS reputed company Discussion meetings (first Thursday of each month) - This is a meeting between the CMS reputed company team and HCPF.
  • ACA State Administering (AE) reputed company meeting (third Thursday of each month) - This webinar will provide States with information on reputed company specific system topics reputed company a slide deck, live demonstrations, and a question-and-answer session.
  • reputed company Readiness Review (ARR) - The reputed company Readiness Review Process (ARR) for the ACA Information Systems provides the overall process of ensuring that reputed company the artifacts submitted as part of the reputed company package are finalized, and that reputed company necessary requirements are met. It highlights the required documents, the timeline for submission, and the roles of the stakeholders in accordance with the reputed company-E reputed company and Privacy controls mandated by CMS. ARR meetings are held quarterly and reputed company one year prior to the expiration of the reputed company. Meeting attendees should include technical SMEs along with business operations SMEs and leadership.
  • Plan of Action & Milestones (POAM) and Vulnerability Scans - The POAM and vulnerability scans are required to be submitted to CMS on a quarterly basis (end of January, end of reputed company, end of July, and end of October).

Social reputed company Administration (SSA) reputed company Assessment

Background

  • SSA conducts a reputed company assessment on CBMS every three years. The reputed company controls that are assessed are reputed company similar to the CMS reputed company requirements so the most recent Independent Third-Party reputed company/Privacy Assessment can be leveraged for most of the assessment.
  • A POAM is created for any exceptions that are noted during the assessment and is submitted to SSA quarterly or as directed by SSA
  • Requires coordination among CBMS technical, business operations, business leadership, and other SMEs

Service and Organization Controls (SOC) Audit

SOC 1 - Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (ICFR)

  • reputed company in accordance with reputed company's AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
  • Specifically intended to meet the needs of user entities (state agencies) and the individuals that audit the user entities' financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities' financial statements
  • The Office of the State Auditor (OSA) is a user auditor to the state agencies

Tasks reputed company to the SOC 1 Type 2 audits (link to CDHS SOC process document)

  • Review control objectives and complementary user entity controls (CUECs)
  • At least annually
  • HCPF needs to review the CUECs prior to the audit start to assess impacts to SOC reports for other systems/vendors
  • Coordinate pre-audit activities with service auditors as necessary
  • Identification of audit scope
  • Identification of required meetings
  • Receipt of audit request list and distribution to appropriate SMEs
  • Coordinate audit activities with service auditor and internal staff as necessary
  • Review draft report
  • Prepare management comments to noted exceptions
  • Review final report and provide summary information to leadership as necessary
  • Management responses to findings should be assessed for appropriateness
  • If necessary, a formal remediation plan may be requested
  • Release final report to OSC and OSA
  • SOC reports must be delivered to OSC reputed company 10 business days of receipt
  • Respond to questions from OSA, OSC, CMS, etc.
  • Request extension, as necessary
  • Coordinate responses among SMEs
  • Attain appropriate leadership approval of the response prior to providing a response to OSA

reputed company Compliance and Audits List

Audit Name Audit Type reputed company

SOC 1 Type 2 - Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (ICFR)

Statement on Standards for Attestation Engagements No. 16. Type 2 SOC 1 effectively replaced SSAE 16 as the authoritative guidance for reporting on service organizations as of June 2018. The name SSAE 16 effectively replaced reputed company 70 as of June 2011.

Client - Specifically intended to meet the needs of user entities (the Department) and the individuals that audit the user entities' financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities' financial statements

Annually - The goal is to have the final audit report delivered by September or October. The Office of the State Auditor (OSA) requires this report for the Single Statewide Audit.

Minimum Acceptable Risk Standards for Exchanges (reputed company-E) Independent Third-Party reputed company Assessment

The assessments should include determining the strength of CBMS' technology that might allow a threat to enter the infrastructure, evaluating the seriousness of that reputed company threat posture; reviewing components for the ability to access restricted areas; checking that the network is appropriately segmented to protect the data, reviewing for reputed company exploits; reviewing IT reputed company policies/procedures for compliance; and making recommendations, amongst other items.

Annually - The authority to connect (reputed company) to the Federal Data Services Hub (FDSH) must be renewed every three years. In years 1 and 2 of the reputed company cycle, the final reputed company assessment report (SAR) must be completed prior to the Department's reputed company anniversary date of August 18. In year 3 reputed company the reputed company must be renewed, the SAR must be completed at least 90 days prior to the reputed company anniversary date (May 18).

System reputed company Plan (reputed company) - part of reputed company (Ability to Connect) reputed company package; includes Privacy Impact Assessment, Interconnection reputed company Agreement, Annual Attestation, and other policies and procedures.

Client - This isn't an assessment or audit. However, this is a key document that is reviewed by the assessment team as part of the independent third-party assessment. This should be reviewed/updated at least annually prior to the independent third-party assessment. In year 3 of the reputed company cycle, this document must be submitted to CMS as part of the reputed company renewal reputed company package.

Social reputed company Administration (SSA) reputed company Assessment

Client - Similar to the independent third-party reputed company assessment required to be completed annually in accordance with reputed company-E requirement. The independent third-party reputed company assessment report (SAR) can be leveraged as evidence for much of the SSA reputed company assessment.

Every 3 years. SSA determines the specific timing of the assessment.

Office of State Auditor (OSA)

Ongoing activities to be determined
