Integrated Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase
Agenda
• ControlCase Overview
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Best Practices and Components for Integrated Compliance within IT Standards/Regulations
• Challenges in the Comprehensive Compliance Space
• Q&A
ControlCase Overview
• More than 400 customers in more than 40 countries.
• Focus on Certifications and Compliance as a Service (CaaS).
• Continued update and use of technology based on feedback from customers
About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Security requirements for securely processing, storing, or transmitting payment card account data
• Established by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
• Maintained by the PCI Security Standards Council (PCI SSC)
What is HIPAA
• HIPAA is the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
› Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care information on electronic billing and other processes; and
› Requires the protection and confidential handling of protected health information (PHI)
What is FERC/NERC
• Federal Energy Regulatory Commission (FERC)
› The United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC)
› A not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection (CIP) Standards
› NERC's standards for cyber security protection of the bulk power system
What is EI3PA?
Experian Independent Third Party Assessment: Experian's security audit requirements
• Experian is one of the three major consumer credit bureaus in the United States
• Requirements for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect the consumer data/credit history data it provides to its customers
What is ISO 27001/ISO 27002
ISO standards:
• ISO 27001 is the management system standard (ISMS) for implementing information security within an organization, and the standard an organization is certified against
• ISO 27002 is the companion code of practice that gives the detailed controls from an implementation perspective
What is FISMA
• Federal Information Security Management Act (FISMA) of 2002 (amended in 2014 by the Federal Information Security Modernization Act)
› Requires federal agencies to implement a mandatory set of processes, security controls and information security governance; the control catalogue used in practice is NIST SP 800-53, which the mappings below cite
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions
Best Practices and Components for Integrated Compliance within IT Standards/Regulations
Building Blocks – Integrated Compliance
• Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management
Compliance Management
• Test once, comply with multiple regulations
• Mapping of controls across standards
• Automated data collection
• Self-assessment data collection
• Executive dashboards
Policy Management
• Appropriate update of policies and procedures
• Link/mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance with corporate policies

Reg/Standard   Coverage area
ISO 27001      A.5
PCI DSS        12
EI3PA          12
HIPAA          164.308(a)(1)(i)
FISMA          AC-1
FERC/NERC      CIP-003-6
Vendor/Third Party Management
• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI DSS        12
EI3PA          12
HIPAA          164.308(b)(1)
FISMA          PS-3
FERC/NERC      Multiple requirements
Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and their dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage of unmitigated vulnerabilities to non-compliance

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI DSS        6, 11
EI3PA          10, 11
HIPAA          164.308(a)(8)
FISMA          RA-5
FERC/NERC      CIP-010
Logging and Monitoring
• Logging
• File integrity monitoring (FIM)
• 24x7 monitoring
• Managing volumes of log data

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI DSS        6, 11
EI3PA          10, 11
HIPAA          164.308(a)(1)(ii)(D)
FISMA          SI-4
Change Management and Monitoring
• Change management ticketing system: the record of approved, expected changes
• Logging and monitoring (SIEM/FIM etc.): alerts on the changes actually observed
• Correlation of logs/alerts to change requests
• Response/resolution process for expected logs/alerts (those that match an approved change)
• Escalation to incident for unexpected logs/alerts (those with no matching change request)

Reg/Standard   Coverage area
ISO 27001      A.10
PCI DSS        1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
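The correlation step described above, matching each change alert against the approved tickets and escalating whatever has no ticket, as a small worked example in Go. This is an added example, not ControlCase tooling or code from the original slides: the log line format ("<RFC3339 time> <asset> <message>"), the ticket fields, the function names (Triage, parseEvent, covers) and the three sample events are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ChangeTicket is an approved change from the ticketing system. The fields are
// an assumption about what such a record carries, not a ControlCase schema.
type ChangeTicket struct {
	ID         string
	Asset      string
	Start, End time.Time // approved change window
}

// Event is one parsed change alert from the SIEM/FIM feed.
type Event struct {
	Time    time.Time
	Asset   string
	Message string
}

// Finding is the triage result for one event.
type Finding struct {
	Event    Event
	TicketID string // empty when no approved change covers the event
	Escalate bool   // true: unexpected alert, open an incident
}

// parseEvent reads one line in the constructed format
// "<RFC3339 time> <asset> <message>", e.g.
// "2024-03-01T10:15:00Z fw01 FIM: /etc/firewall/rules.v4 modified".
func parseEvent(line string) (Event, error) {
	parts := strings.SplitN(strings.TrimSpace(line), " ", 3)
	if len(parts) != 3 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return Event{Time: ts, Asset: parts[1], Message: parts[2]}, nil
}

// covers reports whether ticket t authorises a change to ev's asset at ev's time.
func covers(t ChangeTicket, ev Event) bool {
	return t.Asset == ev.Asset && !ev.Time.Before(t.Start) && !ev.Time.After(t.End)
}

// Triage parses the alert lines and correlates each one with the approved
// tickets: a match is an expected change routed to the response/resolution
// process, anything else is escalated to incident management.
func Triage(lines []string, tickets []ChangeTicket) ([]Finding, error) {
	findings := make([]Finding, 0, len(lines))
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		f := Finding{Event: ev, Escalate: true}
		for _, t := range tickets {
			if covers(t, ev) {
				f.TicketID, f.Escalate = t.ID, false
				break
			}
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// SampleTickets and SampleLines are constructed test data, not real records.
var SampleTickets = []ChangeTicket{
	{ID: "CHG-1042", Asset: "fw01", Start: mustTime("2024-03-01T10:00:00Z"), End: mustTime("2024-03-01T11:00:00Z")},
}

var SampleLines = []string{
	"2024-03-01T10:15:00Z fw01 FIM: /etc/firewall/rules.v4 modified", // inside the CHG-1042 window
	"2024-03-01T23:40:00Z fw01 FIM: /etc/firewall/rules.v4 modified", // same asset, outside any window
	"2024-03-01T10:20:00Z app02 FIM: /opt/app/config.yml modified",   // asset with no ticket at all
}

func main() {
	findings, err := Triage(SampleLines, SampleTickets)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		when := f.Event.Time.Format(time.RFC3339)
		if f.Escalate {
			fmt.Printf("INCIDENT  %s %s %s (no approved change)\n", when, f.Event.Asset, f.Event.Message)
		} else {
			fmt.Printf("EXPECTED  %s %s %s (ticket %s)\n", when, f.Event.Asset, f.Event.Message, f.TicketID)
		}
	}
}
```

The match is deliberately strict: same asset and inside the approved window, nothing else. A firewall rule change at 23:40 on an asset that had a ticket that morning is still escalated, which is the behaviour an assessor wants to see evidenced when checking that unexpected alerts reach incident management rather than being closed as noise.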
Incident and Problem Management
• Process: monitoring, detection, reporting, responding, approving
• Example events: lost laptop, changes to firewall rulesets, upgrades to applications, intrusion alerting

Reg/Standard   Coverage area
ISO 27001      A.13
PCI DSS        12
EI3PA          12
HIPAA          164.308(a)(6)(i)
FISMA          IR series
FERC/NERC      CIP-008
Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

Reg/Standard   Coverage area
ISO 27001      A.7
PCI DSS        3, 4
EI3PA          3, 4
HIPAA          164.310(d)(2)(iv)
FERC/NERC      CIP-011
Risk Management
• Input of key criteria
• Numeric algorithms to compute risk
• Output to risk dashboards

Reg/Standard   Coverage area
ISO 27001      A.6
PCI DSS        12
EI3PA          12
HIPAA          164.308(a)(1)(ii)(B)
FISMA          RA-3
Business Continuity Management
• Business continuity planning
• Disaster recovery
• BCP/DR testing
• Remote site/hot site

Reg/Standard   Coverage area
ISO 27001      A.14
PCI DSS        Not applicable
EI3PA          Not applicable
HIPAA          164.308(a)(7)(i)
FISMA          CP series
FERC/NERC      CIP-009
HR Management
• Training
• Background screening
• Reference checks

Reg/Standard   Coverage area
ISO 27001      A.8
PCI DSS        12
EI3PA          12
HIPAA          164.308(a)(3)(i)
FISMA          AT-2
FERC/NERC      CIP-004
Physical Security
• Badges
• Visitor access
• CCTV
• Biometrics

Reg/Standard   Coverage area
ISO 27001      A.11
PCI DSS        9
EI3PA          9
HIPAA          164.310
FISMA          PE series
FERC/NERC      CIP-006
Compliance Project Management
Your Project Manager is charged with your success:
1. Serves as your single point of contact and your advocate for all compliance activities
2. Ensures all compliance requirements are met on schedule
• Builds a single-stream, reliable communication channel
• Strategizes to produce an efficient plan based on your needs
• Periodic pulse checks via status reports and meetings, paced according to your stage and schedule
3. Prepares you for smooth and predictable activities across multiple compliance paths
Challenges in Compliance Space
Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of a compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)
ControlCase Solution
Learn more about continual compliance: Compliance as a Service (CaaS)
Integrated compliance
Excerpt (questions 37 to 40) from an integrated compliance questionnaire in which one evidence request is mapped to several standards at once. Columns: Question No., Question, PCI DSS 2.0 reference, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA, NIST 800-53. The SOC2 and NIST 800-53 columns are blank for these four rows.

Question 37
Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking), applicable to applications, databases and backup tapes.
- Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and key strength used.
- For backup tapes, a screenshot showing the encryption applied through the backup solution (algorithm and strength, e.g. AES 256-bit).
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.4.a, 3.4.b, 3.4.c, 3.4.d | PCI DSS 3.0: 3.4 | ISO 27002:2013: 10.1.1, 18.1.5 | HIPAA: 164.312(a)(1)

Question 38
If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system uses separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.4.1.a | PCI DSS 3.0: 3.4.1 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 39
Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) at the key store.
Security Posture QA: QSA to verify that encryption is appropriate OR that compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.5 | PCI DSS 3.0: 3.5.2 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 40
Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
PCI DSS 2.0: (blank) | PCI DSS 3.0: 3.5.3 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)
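Questions 37, 39 and 40 ask for evidence of strong storage encryption of the PAN, restricted access to DEKs and KEKs, and keys held in the fewest possible locations. The following Go program is an added example, not code from ControlCase or the original slides, showing the envelope-encryption pattern those questions are probing: each record is encrypted under its own AES-256-GCM data encryption key, the DEK is wrapped under a key encryption key, and only the masked PAN, the ciphertext and the wrapped DEK are stored. The type and function names (StoredPAN, Encrypt, Decrypt, Mask) are my own. The KEK is generated locally only so that the example runs stand-alone; the assumption is that in a real deployment it lives in an HSM or KMS with its own access control and never sits beside the data. 4111111111111111 is a well-known test card number, not real cardholder data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

const keyLen = 32 // 32-byte keys: AES-256 for the KEK and for every DEK

// StoredPAN is what the database or backup tape holds for one card number.
// The KEK is deliberately absent: assumption is it lives in an HSM/KMS.
type StoredPAN struct {
	Masked     string // first six / last four digits, kept in clear for display
	Ciphertext []byte // nonce || AES-256-GCM(DEK, PAN, aad=Masked)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
}

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewKey returns a fresh random AES-256 key.
func NewKey() ([]byte, error) { return randBytes(keyLen) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != keyLen { // refuse AES-128/192: key strength is part of the evidence
		return nil, fmt.Errorf("need a %d-byte AES-256 key, got %d bytes", keyLen, len(key))
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, tag or aad do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Mask is the truncation control: only the first six and last four digits survive.
func Mask(pan string) (string, error) {
	if n := len(pan); n < 13 || n > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be 13 to 19 digits")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// Encrypt builds a StoredPAN: a fresh DEK per record encrypts the PAN and the
// KEK wraps the DEK, so the data store never holds a usable key in clear.
func Encrypt(kek []byte, pan string) (rec StoredPAN, err error) {
	var dek []byte
	if rec.Masked, err = Mask(pan); err != nil {
		return StoredPAN{}, err
	}
	if dek, err = NewKey(); err != nil {
		return StoredPAN{}, err
	}
	// The masked PAN is the AAD, so a ciphertext moved to another record fails to open.
	if rec.Ciphertext, err = seal(dek, []byte(pan), []byte(rec.Masked)); err != nil {
		return StoredPAN{}, err
	}
	if rec.WrappedDEK, err = seal(kek, dek, nil); err != nil {
		return StoredPAN{}, err
	}
	return rec, nil
}

// Decrypt unwraps the DEK with the KEK, then recovers the PAN. A wrong KEK or
// a tampered record fails authentication instead of yielding garbage.
func Decrypt(kek []byte, rec StoredPAN) (string, error) {
	dek, err := open(kek, rec.WrappedDEK, nil)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, rec.Ciphertext, []byte(rec.Masked))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek, err := NewKey() // assumption: in production the KEK is fetched from the HSM/KMS
	if err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, "4111111111111111") // well-known test PAN, not real card data
	if err != nil {
		panic(err)
	}
	pan, err := Decrypt(kek, rec)
	fmt.Printf("stored: masked=%s wrappedDEK=%x\nrecovered: %s err=%v\n", rec.Masked, rec.WrappedDEK, pan, err)
}
```

What an assessor can check from this layout: the algorithm and key length are fixed in code (AES-256-GCM, 32-byte keys, and anything else is refused), no plaintext PAN appears in the stored bytes, the only key next to the data is itself encrypted, and decryption with the wrong KEK or a tampered record fails authentication rather than returning garbage. Disk or file-system encryption with separate authentication (question 38) is a different control and is not shown here.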
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› BITS Shared Assessment Company
To Learn More About ControlCase
• Visit www.controlcase.com
• Email us at [email protected]
Thank You for Your Time