Secrets for Successful Regulatory Compliance Projects


Upload: christopher-foot

Post on 21-Jan-2018


TRANSCRIPT

Page 1: Secrets for Successful Regulatory Compliance Projects

INSIGHTS Presentation Series

Secrets for Successful Regulatory Compliance Projects

• 12 PCI DSS requirements and risk assessment key considerations
• AICPA SOC 1, SOC 2, SOC 3 and 5 Trust Principles explained
• Initial adherence and ongoing compliance best practices

RDX: Chris Foot

MegaplanIT: Michael Vitolo

Date: 9/21/2017

Webinar

Video Inside

Page 2: Secrets for Successful Regulatory Compliance Projects

• Presenters
• About RDX and MegaplanIT
• Regulatory Standards Overview
• AICPA SOC Assessment
• PCI DSS Assessment
• MegaplanIT PCI Assessment Approach
• RDX Assessment Best Practices for Maintaining Compliance
• Contact Us

Page 3: Secrets for Successful Regulatory Compliance Projects

Presenters

Michael Vitolo
PCI-QSA | PA-QSA | CISSP | CISM | CISA | CRISC | CGEIT | OSWP
Managing Partner | MegaplanIT, LLC.
Over 18 years working in the Security Industry, of which 12 in
[email protected] | www.megaplanit.com

Chris Foot
Vice President – Delivery Strategies and Technologies
Oracle ACE
[email protected]

Page 4: Secrets for Successful Regulatory Compliance Projects

The Largest Pure Play Provider of Managed Data Infrastructure Services

20 Years of Service Delivery Experience

Database Platforms: SQL Server, Oracle, PostgreSQL*, DB2, MongoDB*, MySQL*

Operating Systems: Unix/Linux*, Windows

Edge Technologies: SQL Server BI, Oracle EBS, SharePoint, Exchange

Environment: 450+ Customers, 10,000 Servers, 200+ DBAs, Fortune 100s, Startups, All Verticals

Cloud Systems: Amazon AWS/RDS, Oracle Cloud DB, DBPaaS, Microsoft Azure, IaaS (dozens), Hybrid Cloud

* All distributions

Page 5: Secrets for Successful Regulatory Compliance Projects

RDX Compliance Experience

• Achieved first SOC 1 Type 2 in 2011

• Achieved first SOC 2 Type 2 in 2016

• Achieved first PCI Attestation in 2013

• Engaged MegaplanIT in 2016 to provide QSA examination of our environment

RDX is also required to adhere to hundreds of customer specific security frameworks, best practices and individual controls

Page 6: Secrets for Successful Regulatory Compliance Projects

About MegaplanIT, LLC

MegaplanIT, LLC. is an information security and compliance firm specializing in over 30 high-level services designed to protect cardholder data and secure in-scope networks, systems, websites and applications, to ensure that your organization is both secure and compliant.

MegaplanIT leverages over fifteen years of applied knowledge in the areas of Governance, Risk Mitigation, Information Security, Penetration Testing, Compliance, and Project Management to ensure your goals are consistently met in a timely and efficient manner.

Page 7: Secrets for Successful Regulatory Compliance Projects

MegaplanIT Services

Compliance Services

• PCI DSS Assessment
• PA DSS Assessment
• P2PE Assessment
• HIPAA Security and Privacy Assessment
• ISO 27001/27002 Risk Assessment
• Shared AUP Assessment
• NIST 800-171
• NIST 800-53
• NIST Cybersecurity
• 3rd Party Risk Assessment
• Policy and Procedure Development
• Trusted Advisory and Remediation Assistance

Information Security Services

• Internal Penetration Testing
• External Penetration Testing
• Web and Application Penetration Testing
• Mobile Penetration Testing
• Social Engineering
• Wireless Penetration Testing
• Reverse Engineering
• Internal and External Scanning
• Approved Scanning Vendor (ASV)
• Password Cracking
• Security Architecture Review
• Cloud Architecture Review
• Managed Security Services

Page 8: Secrets for Successful Regulatory Compliance Projects

Wide Range of Standards

PCI DSS - Payment Card Industry Data Security Standard: Information security standard for organizations that handle branded credit cards from the major card providers

PA DSS - Payment Application Data Security Standard: Data standard for payment applications, which include any software or hardware that stores, processes or transmits electronic credit card data

ISO 27000 - International Standards Organization: Internationally recognized set of standards that provide best practice recommendations on information security management

HIPAA/HITECH - Health Insurance Portability and Accountability Act: HIPAA requires any organization that processes and/or maintains healthcare-related information to meet security standards in the handling of patient Protected Health Information (PHI)

NERC CIP - North American Electric Reliability Corporation: Establishes mandatory reliability standards, including the Critical Infrastructure Protection (CIP) plan. These standards aim to maintain and improve the efficiency of North America’s bulk power system while ensuring its continued security and reliability

Page 9: Secrets for Successful Regulatory Compliance Projects

Wide Range of Standards

SSAE 16/18 - Statement on Standards for Attestation Engagements: Internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service

NIST - National Institute of Standards and Technology: A measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness

NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of Controlled Unclassified Information (CUI) when the CUI resides in nonfederal information systems/organizations

NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems

NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia, and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level

Page 10: Secrets for Successful Regulatory Compliance Projects

Payment Card Industry Standards Council

The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security

It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training, and education and certification programs

Executive Committee
• American Express
• MasterCard
• Discover
• JCB International
• Visa

Board of Advisors*
• Amazon
• Citigroup
• Cisco
• Wal-Mart
• Wells Fargo
• Target
• PayPal
• Walt Disney
• Exxon
• Microsoft

* Not inclusive

Page 11: Secrets for Successful Regulatory Compliance Projects

What is a Qualified Security Assessor?

Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied, and continue to satisfy, all QSA Requirements

• Assist in the validation of their clients’ scope for the assessment
• Verify all technical information given by the Merchant or Service Provider, including documentation and sample of controls
• Perform an onsite visit for the duration of the assessment to conduct interviews
• Adhere to the PCI DSS Requirements and Security Assessment Procedures
• Select business facilities and system components where sampling is employed
• Evaluate any compensating controls, which are required to be above and beyond the original requirement
• Produce the final Report on Compliance and Attestation of Compliance

Page 12: Secrets for Successful Regulatory Compliance Projects

Payment Card Industry Security Standards

• PCI DSS is a set of industry standards, not a legal requirement

• Standards are enforced by the major card brands who created the PCI Council

• Financial penalties are levied by the card brands, not the PCI Council. They can be substantial

• Each major card brand has its own unique set of PCI compliance objectives

• Three types of standards:
- PCI PTS - Manufacturers of PIN transaction security devices
- PCI PA DSS – Payment application vendor software developers
- PCI DSS – Merchants and service providers
- PCI P2PE - covers encryption, decryption, and key management requirements

• Four defined levels:
- Primarily based on card transaction volume
- Other classification criteria may vary according to card brand
- Levels determine security controls and processes required

Page 13: Secrets for Successful Regulatory Compliance Projects

Roles and Responsibilities

Payment brands’ compliance programs include:

• Tracking and enforcement
• Penalties, fees, compliance deadlines
• Validation process and who needs to validate
• Approval and posting of compliant entities
• Definition of merchant and service provider levels

Payment brands are also responsible for:

• Defining rules for forensic investigations and responding to account data compromises
• Monitoring and facilitating investigations of account data compromises to completion

Page 14: Secrets for Successful Regulatory Compliance Projects

Roles and Responsibilities

Responsibilities for Merchants and Service Providers:

• Review and understand the PCI security standards
• Understand the compliance validation and reporting requirements defined by the card brands with regards to the levels
• Validate and report compliance to their acquirer or perhaps a payment card brand as applicable, in addition to maintaining compliance on an ongoing basis
• A PCI Assessment is a review of compliance at a point in time, but compliance must be maintained throughout the year, and not just at the time of the assessment
• Merchants and Service Providers should read communications from the card brands, acquirers, and the Council on an ongoing basis

Page 15: Secrets for Successful Regulatory Compliance Projects

Non-Compliance Fines, Fees, and Risk

A non-compliant, compromised business could expect:

• Damage to their brand/reputation
• Investigation costs
• Remediation costs
• Fines and fees
- Non-compliance (each brand issues separate fines)
- Re-issuance
- Fraud loss
• Ongoing compliance audits
• Victim notification costs
• Financial loss
• Data loss
• Chargebacks for fraudulent transactions
• Operations disruption
• Sensitive info disclosure
• Denial of service to customers
• Individual executives held liable
• Possibility of business closure

Page 16: Secrets for Successful Regulatory Compliance Projects

What is PCI DSS?

A set of technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

Individual Audit Control Objectives

https://www.pcisecuritystandards.org/

Page 17: Secrets for Successful Regulatory Compliance Projects

PCI Compliance – Additional Information

PCI Security Standards Council
• PCI SSC Document Library
• Robust set of documents that range from glossary of terms to implementation and ongoing adherence best practices
• Main document containing the requirements is titled “Requirements and Security Assessment Procedures”
• Each control objective contains Requirement definition and description, testing procedure(s), and guidance

MegaplanIT
• The Beginner’s Guide to Understanding PCI Compliance
• 5 Tips to Reduce Your PCI Compliance Scope
• 10 Ways to Reduce PCI Compliance Costs
• Taking PCI Compliance to the Next Level
• Penetration Testing for PCI

Page 18: Secrets for Successful Regulatory Compliance Projects

Why AICPA SOC?

• De facto standard that organizations use to evaluate the quality and security of third party service providers

• The controlling organization is the AICPA, which has a strong reputation

• The SOC guidelines allow providers to create a set of control objectives that are tailored to the services they perform. RDX provides a unique offering and wanted to be evaluated on the activities that were important to our customers in addition to a standardized set of industry control objectives

• AICPA SOC focuses on service delivery QUALITY and system SECURITY

• The different levels allowed RDX to begin with a SOC 1 engagement and then move up to a SOC 2, which expands the scope of the audit and the depth of the examination processes

Page 19: Secrets for Successful Regulatory Compliance Projects

What are AICPA SOC Reports?

• SSAE stands for Statement of Standards for Attestation Engagements

• Internal control reports that provide information to allow organizations to review, assess and address the risks of an outsourced service

• Created by the American Institute of Certified Public Accountants’ Auditing Standards Board

• The Statement of Standards establishes requirements and provides guidance on the entire engagement life-cycle:

- Establishing overall objectives for SSAE audit engagements
- Identifying subject matter and evaluation criteria to be included in engagement
- Measuring and examination procedures
- Procedural best practices
- Reporting standards

AICPA Standards Evolution

SAS 70 – Issued in April, 1992 by AICPA. Provided guidance to CPAs reporting on a service organization’s controls relevant to user entities’ financial reporting. SAS 70 was architected to audit controls of financial reporting, not outsourced services

SSAE 16 – Issued in April, 2010. Designed to allow practitioners to report on subject matter other than financial statements. The SSAE 16 focuses on the examination of a service organization’s “system”. Further updates create SOC 1, SOC 2 and SOC 3 reports to better tailor SSAE engagements to clients’ needs

SSAE 18 – Issued in May, 2017. Enhances SSAE 16 SOC 1 by increasing focus on risk assessment/reporting and adding required controls to improve the audited entity’s monitoring of subservice organizations. Subservice organizations perform services that are relevant to the audited entity’s overall offering

Page 20: Secrets for Successful Regulatory Compliance Projects

SOC 1 (SSAE 18) Reports

Two SOC 1 Types:

• Type 1 reports focus on the effectiveness of policies and procedures in place at a service organization at a specified point in time and (1), confirm that controls are actively in place, (2), measure the effectiveness of the controls and (3), assess how fairly the service organization's management has presented the controls to you

• Type 2 reports cover policies and procedures currently in operation and test their effectiveness over a period of time. These reports include everything from the Type 1 report (examination and confirmation of controls in place) plus an analysis of the controls’ operating effectiveness over a specified period of at least six consecutive months. Type 2 reports are favored by many user organizations for their thoroughness

When to choose SOC 1:
- Seeking a cost-effective method of preparing for a service audit
- Planning to perform an initial Type 2 service audit
- Your service organization currently identifies control vulnerabilities using an internal reporting system
- Your organization has not recently performed an audit (financial or regulatory) that included IT controls

Page 21: Secrets for Successful Regulatory Compliance Projects

SOC 2 Reports

• Outline the controls in place at your service organization and analyze their confidentiality, security, processing integrity, and availability of information

• Provide evidence for your customers and other stakeholders that effective controls are in place which meet worldwide security concerns

• Intended for a wider range of audiences than SOC 1 reports but are not available to the general public. Their availability is restricted to those who have a demonstrated need for the information contained therein, and these reports are often a component of regulatory oversight, vendor management programs, and internal corporate governance

• SOC 2 engagements include the option of Type 1 and Type 2 reports, as described for SOC 1

When to choose SOC 2:
- You require third party verification
- Your organization operates a system that is critical to your customers
- Your organization prefers a detailed audit report
- Your organization's system does not affect your customers’ financial reports
- Your organization desires that the audit be performed based on the five Trust Services Principles

Page 22: Secrets for Successful Regulatory Compliance Projects

SOC 3 Reports

• SOC 3 reports, also known as Trust Services Reports, are more general and are intended for a broader audience than the other reporting options. They’re designed for anyone interested in a CPA's opinion about the availability, security, and processing integrity of controls at a service organization. SOC 3 Reports are often used for marketing purposes, distributed online, or posted on a service organization's website to prove that they have controls in place to manage risks associated with outsourcing services

When to choose SOC 3:
- Your organization's reputation relies on the ability to keep information secure, accurate, and private
- Your organization operates a system that is critical to your customers
- Your organization desires an independent review that allows you to display the SOC 3 seal on your website
- Your organization employs more than ten people and/or exceeds $2 million in annual revenue

Page 23: Secrets for Successful Regulatory Compliance Projects

RDX’s AICPA SOC and PCI Compliance Projects Overall Goals

Improve Support Quality: RDX clients want us to improve the quality and security of their environments. We can only accomplish this by improving our environment FIRST

Strengthen Security: RDX customers have turned over the keys to their most sensitive database data stores to our organization. This is a significant responsibility

Competitive Advantage: RDX’s LOB is extremely competitive. Our competitors range from 2 guys in a garage to Fortune 100s. Certifications are key competitive differentiators

Reduce Costs: RDX chose partners that have strong experience and would provide us with best practices to streamline compliance. RDX is a learning organization

Page 24: Secrets for Successful Regulatory Compliance Projects

RDX Compliance Project Hints and Tips

• Create a project team that represents all areas of the business - from backend operations to front-line technical support teams
- Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
- Assign Audit Project Manager
- Identify Audit Project Champion

• Encourage assigned personnel to self educate. The team should have a strong knowledge of the process before contacting potential auditing firms
- RDX created a robust documentation library for both PCI and AICPA SOC during initial stages
- RDX collected information from PCI Security Standards Council, AICPA, and well-known, reputable auditing and compliance firm websites

• Keep management informed throughout the entire engagement life-cycle
- All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm
- RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process

• Assign owners to all compliance activities
- Subject areas evaluated during audit (network, HR, security, front line support, back office OPs)
- Evidence gathering and collection
- Ongoing monitoring to identify new anomalies and outliers

Page 25: Secrets for Successful Regulatory Compliance Projects

RDX Compliance Project Hints and Tips

• One of the most critical meetings with your auditing firm will be to:
- Perform a final review of the control objectives
- Agree upon how the evidence will be collected
- Agree upon how the evidence will be reported
- Agree upon the criteria used to determine if the evidence results in a pass/fail
- Establish audit period start and examination dates
- Establish communication procedures for when business changes occur that impact the audit

• Build a strong partnership with your auditing firm(s)
- Understand their role in the process
- Their goal is to help you improve your service delivery environment
- Part of that process will be to identify gaps during the initial analysis
- They will also identify exceptions during their audit examinations and report these findings. They aren’t being adversarial; they’re just doing what you pay them to

• Understand that all audits are ongoing projects. In addition to the audit examinations, you will be required to:
- Add, modify, and remove control objectives as your business processes evolve
- Modify internal processes to address audit exceptions
- Improve the quality of evidence collection and reporting
- Automate processes, buy/build applications as well as purchase toolsets and products to improve ability to comply and reduce audit costs
- Constantly monitor evidence to identify anomalies and outliers. Don’t get surprised during the examination

Page 26: Secrets for Successful Regulatory Compliance Projects

RDX’s AICPA SOC Compliance Project

• Project execution and best practices can be compared to most traditional internal initiatives. One difference was the substantial amount of investigation performed to better understand AICPA SOC requirements and select an auditing vendor

• Identified stakeholders, project champion and assigned selected personnel as project managers and participants. All participants were assigned a very specific set of responsibilities

• First activity was to collect SOC informational materials and best practices documents from reputable sources to educate team members

• A traditional vendor evaluation methodology was used to select an auditing vendor. RDX created a robust set of evaluation metrics that were weighted by importance. Evaluation team members reviewed information provided by vendors and compiled a short list of competitors. RDX performed a more in-depth analysis of the surviving competitors and selected the winning vendor

• RDX met with a cross-section of customers to determine the criteria they used to evaluate the quality of RDX’s support services. Common themes were identified, discussed with auditors, and used to create a set of audit control objectives that best reflect the key service quality indicators that measure RDX’s operating effectiveness

• The audit control objectives included all activities related to physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management, and monitoring installation and configuration

Page 27: Secrets for Successful Regulatory Compliance Projects

RDX’s AICPA SOC Best Practices

• Create a project team that represents all areas of the business - from backend operations to front-line technical support teams
- Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)
- Assign Audit Project Manager
- Identify Audit Project Champion

• Build a robust educational library. Materials should range from glossary of terms and overviews to in-depth “how-to” documents and best practices
- AICPA website
- Auditing and compliance firm websites provide a wealth of information to draw from

• Encourage your project team to self educate. The team should have a strong knowledge of the audit controls and examination processes before contacting potential auditing firms

• Keep management informed throughout the entire engagement life-cycle
- All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm
- RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process

Page 28: Secrets for Successful Regulatory Compliance Projects

RDX’s AICPA SOC Best Practices

• Select the appropriate firm to perform the audit
- The firm should be a member of the AICPA
- Have a strong track record with SOC audits
- Experience in auditing organizations that are in, or close to, your line of business (LOB)
- Check references
- Name recognition is important. The more widely known your auditing firm is, the more credibility your SOC reports will have with potential customers
- Easy to work with. Firm but fair

• Work with your auditing firm to determine which SOC report best fits your needs

• Create a set of control objectives that:
- Allows customers to easily evaluate the quality and security of the services you provide. RDX solicited a cross-section of customers to discuss how they evaluated the quality of our services
- Allows your organization to internally evaluate the quality and security of the services you provide. Selecting control objectives that you feel are important is critical. The goal of the process is to improve your environment (it isn’t just to create marketing spin)

• Work with your auditing firm to evaluate your third party applications and service providers to determine if your ability to deliver support to your customers is dependent upon their services. You may need to include them in your control objectives
- Third party applications your shop uses as well as service providers
- Review your service providers’ SOC reports with your auditors
- Agree upon what should be included
- Meet with your service provider to discuss gaps

Page 29: Secrets for Successful Regulatory Compliance Projects

SOC 2 Type 2 Benefits to RDX

Dedicated project that focuses on two subject areas that are critical to our business - service delivery quality and system security

Demonstrates to customers that RDX is being held to a rigorous industry standard

Competitive differentiation. SOC 2 Type 2 audits are broad in scope and deep in details. They are significant undertakings

Page 30: Secrets for Successful Regulatory Compliance Projects

Why PCI DSS?

• NEW COMPLIANCES: PCI compliance allows RDX to more easily and quickly comply with other regulatory frameworks

• ROBUST CONTROLS: Stringent controls, well defined requirements and test procedures. Controls evolve as new threats are identified

• FOUNDATION: RDX uses PCI as the foundation to build our overall security architecture upon

• CONSUMER CONFIDENCE: PCI is the industry standard businesses use to evaluate security

Page 31: Secrets for Successful Regulatory Compliance Projects

PCI is the Foundation of Our Security Architecture

Diagram: PCI at the center, surrounded by Security Training, Endpoint Security, Config. Standards, VPN/IPSEC, Logging & Monitoring, IDS/FIM, Change Control, Threat Detection, Secure Development, Access Control, Patch Management, Firewall, and Unique Accounts

RDX expands PCI controls to cover our entire network

Page 32: Secrets for Successful Regulatory Compliance Projects

RDX’s PCI Best Practices

• Business operations change frequently. You must be aware of their impact on PCI compliance activities
- New lines of business
- New business processes
- Business growth
- Improvements to current business processes
- Automation
- New applications
- New organizational units, roles and personnel

• Maintain a steady stream of high quality communications with your PCI auditing firm
- Discuss any potential changes to compliance activities immediately to reduce confusion during the examination period
- Continuously monitoring your evidence allows you to identify new anomalies or outliers. Address them immediately with your auditing firm

• Perform spot checks on evidence. Tailor evidence evaluation schedules based on occurrence of past issues, potential for exceptions, volume of evidence produced, and importance to the examination process

Page 33: Secrets for Successful Regulatory Compliance Projects

RDX’s PCI Best Practices

• Encourage assigned personnel to self educate. The team should have a strong knowledge of the process before contacting potential auditing firms
- RDX downloaded the PCI compliance document, copied each control into a spreadsheet and added columns for: apply/does not apply, dependent upon third-party vendor, additional product purchases required, how to comply, who complies, level of effort to comply, evidence for compliance, questions for auditor, and notes

• Select the appropriate firm to perform the audit
- The firm should be a Qualified Security Assessor (QSA)
- QSAs are held to a high standard by the PCI Standards Council
- Experience in auditing organizations that are in, or close to, your line of business (LOB)
- Check references
- Name recognition is important. The more widely known your auditing firm is, the more credibility your PCI compliance will have with potential customers

• Work with your auditing firm to determine which PCI Level you should adhere to

• Work with your auditing firm to evaluate your third party applications and service providers to determine if your ability to achieve PCI compliance is dependent upon their services. You may need to include them in your control objectives
- Third party applications your shop uses as well as service providers
- Review your service providers’ SOC and PCI reports with your auditors
- Agree upon what should be included
- Meet with your service provider to discuss gaps

Page 34: Secrets for Successful Regulatory Compliance Projects

Contact Us For Additional Information

Database Experts (RDX)
• Compliance Project Details
• Selecting Audit Compliance Firms
• Lessons Learned
• Ongoing Compliance Challenges
• Streamlining and Improving Evidence Collection and Reporting
• Audit Compliance Best Practices

Security Experts (MegaplanIT)
• PCI DSS Assessments
• Trusted Advisory and Remediation Assistance
• Internal/External Penetration Testing
• Internal/External ASV Scanning
• PCI DSS GAP assessments
• Quarterly Health Checks
• Policy and Procedure Development
• Compliance Project Management
• Web/Mobile Penetration Testing
• Managed Security Services Provider

And our real core competency: Remote Data Infrastructure Management

Page 35: Secrets for Successful Regulatory Compliance Projects

Next Month’s Presentation – Microsoft BI Intelligence Overview and Power BI Demo

The RDX Report - Sign up by emailing [email protected]
- CosmosDB – NoSQL Competition Killer, Power BI Videos, Amazon AWS, Microsoft Azure and Oracle Cloud IaaS Architecture Deep Dives

LinkedIn
- Selecting Cloud DBMS, NoSQL Architectures, Rising Interest in Open Source Relational Databases, Database Security Series, Improving Customer Service

[email protected]

[email protected]

RDX Report Signup

View YouTube Video of this Presentation