Clarifire Uses Hyperproof to Manage Multiple Security Standards at Scale
St. Petersburg, FL, USA
- SOC2 Type 2
- Compliance operations module
- Risk management module
Clarifire is an innovative SaaS company based in St. Petersburg, Florida. The company offers a workflow application with the versatility and flexibility to automate and improve interactive processes that drive customer service delivery across any industry. Their flagship product, CLARIFIRE®, is highly customizable to each organization’s processes and can dynamically coordinate interactions across multiple departments and systems. The CLARIFIRE approach maximizes efficiencies, accountability, profitability, and most importantly, internal and external customer experience.
Clarifire’s customer base consists of multiple financial institutions and healthcare organizations. These financial services and healthcare customers require Clarifire to demonstrate compliance with various security and data privacy standards and regulations. For instance, 75% of Clarifire customers ask to see their SOC 2 Type 2 report.
Richard Guerrero, CISSP, Clarifire’s Director of Risk and Compliance, joined the company in 2017 with the mission to streamline and scale the risk management and compliance function. His predecessor had managed the security compliance program in Excel spreadsheets, which was not a sustainable solution as the company’s compliance requirements continued to expand in support of business growth.
By using Hyperproof, Clarifire achieved the following results:
- Streamlined audit prep process for three audits
- Reduced audit prep time by 50% for the compliance team
- Reduced the impact of compliance work on business stakeholders by 66%
- Integrated risk management and compliance workstreams
- Gained deeper insights on actual risks and improved company’s ability to prioritize risk mitigation efforts
What Clarifire Needs From Compliance Software
Guerrero wanted to find a compliance software solution that allows the company to efficiently manage multiple security and data privacy compliance standards, regulations and frameworks at scale. Clarifire has to go through SOC 2 Type 2, TruSight and KY3P audits each year. The company must also demonstrate compliance with the HIPAA Security and Privacy Rules and complete several other customer-driven audits each year.
Guerrero sought to find a compliance software solution with three critical capabilities:
- Mapping (or crosswalking) between different compliance standards and frameworks -- so work such as control design, implementation and testing, and evidence gathering can be streamlined as much as possible.
- Ability to manage risks and compliance efforts in an integrated approach by mapping risks to controls (and compliance requirements).
- Intuitive to use -- so that everyone who needs to participate in the company’s compliance effort could get their work done without much training.
“When I first stepped into my current role, we had separate compliance and risk management programs. All efforts were siloed. I wanted to fully integrate the two siloed programs into a single unified risk and compliance program using software that enables us to link risks to controls to demonstrate how the risks are mitigated,” says Guerrero.
Guerrero piloted Hyperproof alongside other GRC solutions. He ultimately decided to purchase and implement Hyperproof because Hyperproof was intuitive, easy to use, and the only solution that allowed Clarifire to manage multiple data protection compliance programs at scale and integrate all risk and compliance management activities.
1. Manage Multiple Compliance Programs Efficiently
With Hyperproof, Clarifire is able to streamline audit preparation work around SOC 2 Type 2, TruSight and KY3P, and ensure compliance with HIPAA and several state-specific data privacy regulations.
Prior to 2021, Clarifire had to collect three sets of evidence: one each for the SOC 2 Type 2 audit and the TruSight and KY3P assessments, which were scattered throughout the year. After mapping the three programs to each other using Hyperproof’s crosswalk feature, they were able to assemble a single set of evidence that serves all three programs.
The TruSight and KY3P assessors agreed to reschedule their assessments to the same month as the SOC 2 Type 2 audit to satisfy the evidence freshness requirement.
Managing the evidence centrally in Hyperproof, controlling freshness with the built-in freshness tracking feature, and reusing the evidence for multiple frameworks allowed Clarifire to reduce audit preparation time by 50%. For control owners, providing evidence once a year instead of three times per year reduced their effort by 66%.
Guerrero celebrated the success of the Hyperproof implementation by retiring the compliance spreadsheet he inherited from his predecessor.
2. Integrated Risk and Compliance Management
Rather than tracking risks and compliance efforts in separate tools, Clarifire now keeps track of all risks centrally in Hyperproof’s Risk Register and links each risk to the documented controls in Hyperproof. Finally, the relationships between risks, controls and compliance requirements are clearly mapped out, and Clarifire is able to take an integrated approach to risk and compliance management. With this approach, they have gained operational efficiency and improved the management of risks.
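The two practices described in sections 1 and 2 (a crosswalk so one evidence set serves several frameworks, with freshness tracking, and linking risks to controls so under-mitigated risks stand out) are easy to illustrate with a small data model. The following is an added example and is not Clarifire's or Hyperproof's code; the framework names are those on the page, but the control ids, requirement ids, evidence items, dates, risk scores and the 180-day freshness window are all constructed for illustration.

```python
"""Added example (not Clarifire's or Hyperproof's code): a minimal model of
crosswalked controls, evidence freshness, and risk-to-control linkage.
All identifiers, dates and scores below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    id: str
    collected: date


@dataclass
class Control:
    id: str
    # The crosswalk: framework name -> requirement ids this control satisfies.
    mappings: dict
    evidence: list


@dataclass
class Risk:
    id: str
    score: int          # constructed 1..5 scale, 5 = highest
    control_ids: list   # controls that are meant to mitigate this risk


def evidence_requests(controls, frameworks, crosswalk=True):
    """Evidence items that must be collected to cover the given frameworks.
    Without a crosswalk every framework is collected separately, so the same
    item is requested from its owner once per framework; with a crosswalk each
    item is requested once and reused."""
    requests = []
    for fw in frameworks:
        for c in controls:
            if fw in c.mappings:
                requests.extend(c.evidence)
    if not crosswalk:
        return requests
    unique = {}
    for e in requests:
        unique.setdefault(e.id, e)
    return list(unique.values())


def stale_evidence(controls, audit_start, max_age_days):
    """Ids of evidence older than max_age_days at the start of the audit window."""
    cutoff = audit_start - timedelta(days=max_age_days)
    return sorted(e.id for c in controls for e in c.evidence if e.collected < cutoff)


def unmitigated_risks(risks, controls, min_score=3):
    """Risks scored at or above min_score that have no linked control, or whose
    linked controls carry no evidence that they are operating."""
    by_id = {c.id: c for c in controls}
    out = []
    for r in risks:
        linked = [by_id[cid] for cid in r.control_ids if cid in by_id]
        if r.score >= min_score and not any(c.evidence for c in linked):
            out.append(r.id)
    return out


# Constructed sample data (not from the page).
CONTROLS = [
    Control("AC-1", {"SOC2": {"CC6.1"}, "TruSight": {"TS-AC-01"}, "KY3P": {"K-12"}},
            [Evidence("access-review-q2", date(2024, 5, 10))]),
    Control("BC-1", {"SOC2": {"A1.2"}, "TruSight": {"TS-BC-03"}},
            [Evidence("dr-test-report", date(2023, 9, 1))]),
    Control("VM-1", {"KY3P": {"K-30"}}, []),   # defined but no evidence yet
]
RISKS = [
    Risk("R-01 unauthorized access", 4, ["AC-1"]),
    Risk("R-02 unpatched hosts", 4, ["VM-1"]),
    Risk("R-03 pandemic", 1, []),
]
FRAMEWORKS = ["SOC2", "TruSight", "KY3P"]


def summary(audit_start=date(2024, 6, 1), max_age_days=180):
    """Roll-up an assessor or control owner would want before the audit month."""
    return {
        "requests_without_crosswalk": len(evidence_requests(CONTROLS, FRAMEWORKS, crosswalk=False)),
        "requests_with_crosswalk": len(evidence_requests(CONTROLS, FRAMEWORKS)),
        "stale": stale_evidence(CONTROLS, audit_start, max_age_days),
        "unmitigated": unmitigated_risks(RISKS, CONTROLS),
    }


if __name__ == "__main__":
    print(summary())
```

With the sample data the crosswalk cuts evidence requests to control owners from five to two, flags the disaster-recovery test report as too old for a June audit window, and surfaces the high-scoring patching risk whose only linked control has no evidence behind it; the low-scoring pandemic risk is reported nowhere, which is the prioritization effect the text describes.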
“As a fast-growing software company, the risks we face and the magnitude of those risks can change overnight. For instance, prior to 2020 we scored pandemic risk as very low. Taking a risk-based approach to compliance efforts is the right thing to do for our business. With Hyperproof, we are able to understand actual risks much better and prioritize focus areas. It’s effortless to link risks back to controls in Hyperproof and see which risks aren’t sufficiently mitigated yet,” says Guerrero.
3. A trusted partner for the compliance journey
“Hyperproof isn’t just a company that makes really useful, intuitive compliance software; they truly value our input as a product user and a compliance professional. We’ve been particularly gratified by the fact that many suggestions for the product were implemented quickly and well. Hyperproof’s responsiveness, open-mindedness and willingness to implement recommendations are extraordinary,” says Guerrero.