2. Agenda
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and
EI3PA
• Components for Continual Compliance Monitoring
within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continual Compliance Monitoring
• Q&A
1
3. About PCI DSS, HIPAA, FERC/NERC,
EI3PA, ISO 27001 and FISMA
4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
2
5. What is HIPAA
3
• HIPAA is the acronym for the Health Insurance
Portability and Accountability Act that was
passed by Congress in 1996. HIPAA does the
following:
› Provides the ability to transfer and continue health
insurance coverage for millions of American workers and
their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care
information on electronic billing and other processes; and
› Requires the protection and confidential handling of
protected health information
6. What is FERC/NERC
4
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United
States federal agency with jurisdiction over interstate electricity
sales, wholesale electric rates, hydroelectric licensing, natural
gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation
(NERC):
› The North American Electric Reliability Corporation (NERC) is a
not-for-profit international regulatory authority whose mission
is to ensure the reliability of the bulk power system in North
America.
• Critical Infrastructure Protection Standards
› Standards for cyber security protection
7. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer
credit bureaus in the United States
• Guidelines for securely processing, storing, or
transmitting Experian Provided Data
• Established by Experian to protect consumer
data/credit history data provided by them
5
8. What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for
implementing information security within an
organization
• ISO 27002 are the detailed controls from an
implementation perspective
6
9. What is FISMA
7
• Federal Information Security Management Act
(FISMA) of 2002
› Requires federal agencies to implement a mandatory set of
processes, security controls and information security
governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions
11. Continuous Monitoring
8
Test once, comply to multiple regulations
Mapping of controls
Automated data collection
Self assessment data collection
Executive dashboards
12. Continual Compliance Monitoring Domains
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Log Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
9
13. Policy Management
10
Appropriate update of policies and procedures
Link/Mapping to controls and standards
Communication, training and attestation
Monitoring of compliance to corporate policies
Reg/Standard Coverage area
ISO 27001 A.5
PCI 12
EI3PA 12
HIPAA 164.308a1i
FISMA AC-1
FERC/NERC CIP-003-6
14. Vendor/Third Party Management
11
Management of third parties/vendors
Self attestation by third parties/vendors
Remediation tracking
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple
Requirements
15. Asset and Vulnerability Management
12
Asset list
Management of vulnerabilities and dispositions
Training to development and support staff
Management reporting if unmitigated vulnerability
Linkage to non compliance
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a8
FISMA RA-5
FERC/NERC CIP-010
16. Logging Management
13
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a1iiD
FISMA SI-4
Logging
File Integrity Monitoring
24X7 monitoring
Managing volumes of data
17. Change Management and Monitoring
14
Escalation to incident for unexpected logs/alerts
Response/Resolution process for expected logs/alerts
Correlation of logs/alerts to change requests
Change Management ticketing System
Logging and Monitoring (SIEM/FIM etc.)
Reg/Standard Coverage
area
ISO 27001 A.10
PCI 1, 6, 10
EI3PA 1, 9, 10
FISMA SA-3
18. Incident and Problem Management
15
Monitoring
Detection
Reporting
Responding
Approving
Lost Laptop
Changes to
firewall
rulesets
Upgrades to
applications
Intrusion
Alerting
Reg/Standard Coverage area
ISO 27001 A.13
PCI 12
EI3PA 12
HIPAA 164.308a6i
FISMA IR Series
FERC/NERC CIP-008
19. Data Management
16
Identification of data
Classification of data
Protection of data
Monitoring of data
Reg/Standard Coverage area
ISO 27001 A.7
PCI 3, 4
EI3PA 3, 4
HIPAA 164.310d2iv
FERC/NERC CIP-011
20. Risk Management
17
Input of key criterion
Numeric algorithms to compute risk
Output of risk dashboards
Reg/Standard Coverage area
ISO 27001 A.6
PCI 12
EI3PA 12
HIPAA 164.308a1iiB
FISMA RA-3
21. Business Continuity Management
18
Business Continuity Planning
Disaster Recovery
BCP/DR Testing
Remote Site/Hot Site
Reg/Standard Coverage area
ISO 27001 A.14
PCI Not Applicable
EI3PA Not applicable
HIPAA 164.308a7i
FISMA CP Series
FERC/SERC CIP-009
22. HR Management
19
Training
Background Screening
Reference Checks
Reg/Standard Coverage area
ISO 27001 A.8
PCI 12
EI3PA 12
HIPAA 164.308a3i
FISMA AT-2
FERC/NERC CIP-004
23. Physical Security
20
Badges
Visitor Access
CCTV
Biometric
Reg/Standard Coverage area
ISO 27001 A.11
PCI 9
EI3PA 9
HIPAA 164.310
FISMA PE Series
FERC/NERC CIP-006
25. Daily Monitoring Domains
21
• Asset and Vulnerability Management
• New Assets
• New Vulnerabilities
• Log Management
• Response time window
• Change Management
• Impact in case of an error
• Unknown and insecure applications
• Incident and Problem Management
• Root cause of systemic problems
• Response to operational and security incidents
26. Monthly/Quarterly Monitoring Domains
22
• Vendor/Third Party Management
• Time taken by third parties to respond
• Data Management
• Identification of unknown data
• HR Management
• Time taken for training
• Time taken for background checks
• Physical Security Management
• Time take to install new physical security
components
27. Annual Monitoring Domains
23
• Policy Management
• Annual policy reviews
• Risk Management
• Enterprise wide nature of risk assessment
• BCP/DR Management
• Time taken to conduct BCP/DR tests
29. Challenges
• Redundant Efforts
• Cost inefficiencies
• Lack of dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (Do more with less)
24