2. ASHISH KIRTIKAR
President, UK
ControlCase
Ashish is responsible for handling the HITRUST and CSP verticals and ensures efficient and quality
delivery of services to clients in the Healthcare sector and beyond. In addition, he is also
responsible for sales and execution of business for the Europe and UK regions.
Ashish has over 13 years of experience and proficiency in Information and Network Security,
Information Risk Management, Cyber Security, Resilience, Security Architecture Designing,
Information Security Audit and Governance having handled clients across the globe. He has
handled the entire gamut of project management functions related to Cyber Security/Information
Security Operations across Banking, Financial, Insurance, Telecom, and IT Services and Industries.
Ashish has functioned as a speaker and trainer on various Information Security Topics globally and
writes online articles/blogs covering topics of Information Security and Leadership. He has a
Bachelor’s Degree in Computer Science from Mumbai University and has completed a
management program from the Indian School of Business and National University of Singapore.
Our Speaker
© ControlCase. All Rights Reserved. 2
3. Agenda
1. ControlCase
Introduction
2. Data Protection
by Design
3. The Multi-cert Way
to Data Protection
4. Multi-cert Common
Challenges
5. One Audit™
Assess Once, Comply to Many
5. ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with fewer resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
1,000+ CLIENTS
10,000+ IT SECURITY CERTIFICATIONS
275+ SECURITY EXPERTS
6. Solution
Certification & Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
7. Certification Services
• PCI DSS
• ISO 27001-2
• SOC 1, 2, 3 & Cybersecurity
• HITRUST CSF
• HIPAA
• PCI P2PE
• GDPR
• NIST 800-53
• PCI PIN
• PCI PA-DSS
• FedRAMP
• PCI 3DS
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
9. DATA IS THE NEW OIL
What is Data Protection by Design?
10. What is Data Protection by Design?
DATA PROTECTION = PRIVACY?
DATA PROTECTION = SECURITY?
DATA PROTECTION = PRIVACY + SECURITY
11. What is Data Protection by Design?
Data protection by design is an approach that ensures data protection requirements are considered at the design phase of any system, service, product or process, and then throughout its lifecycle.
The ICO (UK) has recommended this approach for effective GDPR implementation.
This approach creates a proactive outlook towards data protection instead of a reactive one.
It helps decide, for each system, service, product or process, whether a detective, preventive or deterrent control needs to be implemented for overall security / protection as well as effective business operability.
13. Why Multi-cert?
In today’s world, multiple certifications/regulations have been enforced for the security and privacy of data.
Some cover specific datasets, some the overall security posture, and some are specific to privacy requirements.
A multi-cert approach acts like a tongue and groove joint: controls which are not covered in one certification are covered in another, giving a holistic implementation.
This assists organizations in achieving an effective implementation of the ‘Defense in Depth’ methodology, which can provide deep Data Protection.
14. Multi-cert Way
For example, consider the following certifications, which are common in the UK / Europe region:
Payment Card Industry Data Security Standard (PCI DSS)
Established by leading payment card issuers - Guidelines
for securely processing, storing, or transmitting payment card
account data.
GDPR
General Data Protection Regulation is a regulation in EU / UK
law on data protection and privacy in the UK / European Union
and the European Economic Area. It was adopted in 2016 and
enforceable since 2018.
ISO 27001 / ISO 27002
ISO 27001 is the management framework for implementing information
security within an organization. ISO 27002 contains the detailed
controls from an implementation perspective.
SOC 2
Created by the American Institute of Certified Public
Accountants (AICPA) to fill the gap for organizations that were
being requested to have a SAS 70 (now SSAE 18). The
purpose of a SOC 2 report is to evaluate an organization’s
information systems relevant to Security, Availability,
Processing Integrity, Confidentiality or Privacy.
15. Multi-Cert Way – Data Protection by Design
The multi-cert approach provides an integrated way of compliance and data protection implementation by covering the multiple aspects listed below.
All the regulations mentioned in the earlier slide have a very important parameter which treats security / privacy as a part of the organizational lifecycle.
When this is implemented in an integrated manner, it helps achieve Data Protection by Design.
• Compliance Management
• Policy Management
• Vendor / Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management
16. Common Regulations by Region / Industry
INDUSTRY | REGULATION
Business Process Organizations (BPOs) | GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK)
Payments | GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK)
Financial Services | GDPR, PCI DSS, PSD-2, ISO 27001, Cyber Essentials (UK)
Critical Infrastructure | GDPR, NIS-1 / NIS-2, ISO 27001, Cyber Essentials Plus (UK)
18. Multi-cert Common Challenges
• Redundant Efforts
• Cost Inefficiencies
• Lack of Compliance Dashboard
• Fixing of Dispositions
• Change in Environment
• Reliance on Third Parties
• Increased Regulations
• Reducing Budgets (Do more with less)
20. ControlCase Solution – One Audit™
One Audit™
Assess Once. Comply to Many.
Sample of integrated-standard questions and the certifications each one maps to (an X marks the standards that the same evidence satisfies):

No. | Topic | Question | ControlCase Integrated Standard | PCI DSS 3.2.1 | ISO 27001 | HIPAA | SOC2
4 | Scoping | Provide your asset list, a list of the software, databases, data storage locations, sample sets and other related data elements. | CC4 | X | X | X | X
28 | Data Encryption at rest | Provide the following for all filesystems, databases and any backup media: | CC37 | X | X | X | X
  • Details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage
  • Evidence (screenshots or settings) showing covered information is protected. For the encryption method, please share the evidence of its associated key management.
  • Documented description of the cryptographic architecture that includes:
    1. Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
    2. The function of each key used in the cryptographic architecture
    3. Inventory of any HSMs and other secure cryptographic devices (SCDs) used for key management (to be provided in the inventory as part of Q4)
44 | Logical Access | Provide the organizational access control policy. | CC63 | X | X | X | X
50 | Logical Access | For all assets identified in the sample, provide evidence of logical access account and password features. | CC69 | X | X | X | X
67 | Logging and Monitoring | For the sample, provide the audit log policy settings. | CC95 | X | X | X |
77 | Security Testing | Provide external penetration test reports for the network and application layers. | CC115 | X | X | X |
21. Compliance Evidence Overlap
Regulation completed: PCI (100% Complete)
Status of the other regulations, based on question overlap:
SOC 2 | 49.1% (84) Complete | 50.9% (87) No Evidence Uploaded
ISO 27001 | 67% (77) Complete | 33% (38) No Evidence Uploaded
HIPAA | 76.1% (54) Complete | 23.9% (17) No Evidence Uploaded
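The overlap figures above follow mechanically from the integrated-standard mapping: each evidence request carries one CC id and the list of standards it satisfies, so once every question of one standard has evidence, the completion status of every other standard is a set computation. The script below is an added illustration, not ControlCase code; the questions, CC ids and standard mappings in it are constructed for the example and do not reproduce the real One Audit matrix.

```python
"""Compliance evidence overlap across an integrated control set.

Added example (not ControlCase code). Each integrated-standard question
(identified by a CC id) is mapped to the standards it satisfies. Once
evidence is uploaded for every question of one standard, the status of
the other standards follows from the overlap. All question data below is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    number: int
    topic: str
    cc: str                 # integrated-standard control id
    standards: frozenset    # standards this one evidence request satisfies


# Constructed sample mapping (hypothetical; not the real One Audit matrix)
QUESTIONS = [
    Question(4, "Scoping", "CC4", frozenset({"PCI", "ISO", "HIPAA", "SOC2"})),
    Question(28, "Data Encryption at rest", "CC37", frozenset({"PCI", "ISO", "HIPAA", "SOC2"})),
    Question(44, "Logical Access", "CC63", frozenset({"PCI", "ISO", "HIPAA", "SOC2"})),
    Question(67, "Logging and Monitoring", "CC95", frozenset({"PCI", "ISO", "SOC2"})),
    Question(77, "Security Testing", "CC115", frozenset({"PCI", "ISO", "SOC2"})),
    Question(80, "Privacy Notice", "CC120", frozenset({"HIPAA"})),
    Question(81, "Business Associate Agreements", "CC121", frozenset({"HIPAA", "SOC2"})),
    Question(82, "ISMS Internal Audit", "CC130", frozenset({"ISO"})),
]


def evidence_for(questions, completed):
    """CC ids that already have evidence once the `completed` standards are fully assessed."""
    return {q.cc for q in questions if q.standards & completed}


def overlap_report(questions, completed):
    """For each standard not yet completed, count questions already evidenced by overlap."""
    have = evidence_for(questions, completed)
    report = {}
    all_standards = {s for q in questions for s in q.standards}
    for std in sorted(all_standards - completed):
        applicable = [q for q in questions if std in q.standards]
        done = [q for q in applicable if q.cc in have]
        report[std] = {
            "complete": len(done),
            "no_evidence": len(applicable) - len(done),
            "pct_complete": round(100 * len(done) / len(applicable), 1),
        }
    return report


def missing_questions(questions, completed, std):
    """Evidence requests still outstanding for `std` after `completed` is done."""
    have = evidence_for(questions, completed)
    return [q.number for q in questions if std in q.standards and q.cc not in have]


if __name__ == "__main__":
    # Assess PCI once, then report how far the other standards already are.
    for std, row in overlap_report(QUESTIONS, {"PCI"}).items():
        print(f"{std}: {row['pct_complete']}% ({row['complete']}) complete, "
              f"{row['no_evidence']} no evidence uploaded; "
              f"outstanding questions {missing_questions(QUESTIONS, {'PCI'}, std)}")
```

Running it with PCI as the completed standard prints, for the constructed data, 60% of the HIPAA questions already evidenced (questions 80 and 81 outstanding) and 83.3% of ISO and SOC2; the real deck's figures differ because the real matrix has many more questions, but the computation is the same.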
22. Assisted by Automation
1. ACE
• Automated Compliance Engine
• Can collect evidence such as configurations remotely
2. CDD
• Data Discovery Solution
• Can scan end user workstations for card data
23. Compliance & Certification Time Savings
Using another auditor*: 1,600 hrs. evidence collection + 600 hrs. certification support = 2,200 hrs. total time spent on compliance & certification
Partnering with ControlCase*: 350 hrs. evidence collection + 600 hrs. certification support = 950 hrs. total time spent on compliance & certification
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, HIPAA).
24. Three Key Areas of Focus
CONTROLCASE SOLUTION
CONTINUOUS
An effective compliance program for
cyber security must provide a stream
of continuous, accurate information
about posture.
AUTOMATED
Continuous compliance requires an
automated platform that collects and
processes data in as close to real-time as
can be achieved.
INTEGRATED
The best compliance programs are
integrated into the systems being
measured, versus built as after-the-
fact overlays.
25. Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us.”
— Dir. of Compliance, SaaS company
27. THANK YOU FOR THE OPPORTUNITY
TO CONTRIBUTE TO YOUR IT
COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com