Integrated Compliance
•Descargar como PPTX, PDF•
1 recomendación•902 vistas
AGENDA: - About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA - Best Practices and Cloud Implications for Integrated Compliance within IT Standards/Regulations - Challenges in the Integrated Compliance Space - Q&A
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (19)
Destacado
Destacado (12)
Similar a Integrated Compliance
Similar a Integrated Compliance (20)
Más de ControlCase
Más de ControlCase (20)
Último
Último (20)
Integrated Compliance
- 1. Integrated Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA By Kishor Vaswani, CEO - ControlCase
- 2. Agenda • ControlCase Overview • About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA • Best Practices and Components for Integrated Compliance within IT Standards/Regulations • Challenges in the Comprehensive Compliance Space • Q&A 1
- 3. ControlCase Overview • More than 400 customers in more than 40 countries. • Recognized as a Inc 500/5000 company. • Continued focus on PCI DSS and Compliance as a Service (CaaS). • Continued update and use of technology based on feedback from customers (including many in this room) 2
- 4. About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
- 5. What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 3
- 6. What is HIPAA 4 • HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following: › Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; › Reduces health care fraud and abuse; › Mandates industry-wide standards for health care information on electronic billing and other processes; and › Requires the protection and confidential handling of protected health information
- 7. What is FERC/NERC 5 • Federal Energy Regulatory Commission (FERC) › The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. • North American Electric Reliability Corporation (NERC): › The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. • Critical Infrastructure Protection Standards › Standards for cyber security protection
- 8. What is EI3PA? Experian Security Audit Requirements: • Experian is one of the three major consumer credit bureaus in the United States • Guidelines for securely processing, storing, or transmitting Experian Provided Data • Established by Experian to protect consumer data/credit history data provided by them 6
- 9. What is ISO 27001/ISO 27002 ISO Standard: • ISO 27001 is the management framework for implementing information security within an organization • ISO 27002 are the detailed controls from an implementation perspective 7
- 10. What is FISMA 8 • Federal Information Security Management Act (FISMA) of 2002 › Requires federal agencies to implement a mandatory set of processes, security controls and information security governance • FISMA objectives: › Align security protections with risk and impact › Establish accountability and performance measures › Empower executives to make informed risk decisions
- 11. Best Practices and Components for Integrated Compliance within IT Standards/Regulations
- 12. Building Blocks – Integrated Compliance • Compliance Management • Policy Management • Vendor/Third Party Management • Asset and Vulnerability Management • Logging and Monitoring • Change Management • Incident and Problem Management • Data Management • Risk Management • Business continuity Management • HR Management • Physical Security • Compliance Project Management 9
- 13. Compliance Management 10 Test once, comply to multiple regulations Mapping of controls Automated data collection Self assessment data collection Executive dashboards
- 14. Policy Management 11 Appropriate update of policies and procedures Link/Mapping to controls and standards Communication, training and attestation Monitoring of compliance to corporate policies Reg/Standard Coverage area ISO 27001 A.5 PCI 12 EI3PA 12 HIPAA 164.308a1i FISMA AC-1 FERC/NERC CIP-003-6
- 15. Vendor/Third Party Management 12 Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Reg/Standard Coverage area ISO 27001 A.6, A.10 PCI 12 EI3PA 12 HIPAA 164.308b1 FISMA PS-3 FERC/NERC Multiple Requirements
- 16. Asset and Vulnerability Management 13 Asset list Management of vulnerabilities and dispositions Training to development and support staff Management reporting if unmitigated vulnerability Linkage to non compliance Reg/Standard Coverage area ISO 27001 A.7, A.12 PCI 6, 11 EI3PA 10, 11 HIPAA 164.308a8 FISMA RA-5 FERC/NERC CIP-010
- 17. Logging and Monitoring 14 Reg/Standard Coverage area ISO 27001 A.7, A.12 PCI 6, 11 EI3PA 10, 11 HIPAA 164.308a1iiD FISMA SI-4 Logging File Integrity Monitoring 24X7 monitoring Managing volumes of data
- 18. Change Management and Monitoring 15 Escalation to incident for unexpected logs/alerts Response/Resolution process for expected logs/alerts Correlation of logs/alerts to change requests Change Management ticketing System Logging and Monitoring (SIEM/FIM etc.) Reg/Standard Coverage area ISO 27001 A.10 PCI 1, 6, 10 EI3PA 1, 9, 10 FISMA SA-3
- 19. Incident and Problem Management 16 Monitoring Detection Reporting Responding Approving Lost Laptop Changes to firewall rulesets Upgrades to applications Intrusion Alerting Reg/Standard Coverage area ISO 27001 A.13 PCI 12 EI3PA 12 HIPAA 164.308a6i FISMA IR Series FERC/NERC CIP-008
- 20. Data Management 17 Identification of data Classification of data Protection of data Monitoring of data Reg/Standard Coverage area ISO 27001 A.7 PCI 3, 4 EI3PA 3, 4 HIPAA 164.310d2iv FERC/NERC CIP-011
- 21. Risk Management 18 Input of key criterion Numeric algorithms to compute risk Output of risk dashboards Reg/Standard Coverage area ISO 27001 A.6 PCI 12 EI3PA 12 HIPAA 164.308a1iiB FISMA RA-3
- 22. Business Continuity Management 19 Business Continuity Planning Disaster Recovery BCP/DR Testing Remote Site/Hot Site Reg/Standard Coverage area ISO 27001 A.14 PCI Not Applicable EI3PA Not applicable HIPAA 164.308a7i FISMA CP Series FERC/SERC CIP-009
- 23. HR Management 20 Training Background Screening Reference Checks Reg/Standard Coverage area ISO 27001 A.8 PCI 12 EI3PA 12 HIPAA 164.308a3i FISMA AT-2 FERC/NERC CIP-004
- 24. Physical Security 21 Badges Visitor Access CCTV Biometric Reg/Standard Coverage area ISO 27001 A.11 PCI 9 EI3PA 9 HIPAA 164.310 FISMA PE Series FERC/NERC CIP-006
- 25. Compliance Project Management 22 Your Project Manager is charged with your Success: 1. Serves as your single point of contact and your advocate for all compliance activities 2. Ensures all compliance requirements are met on schedule. • Builds a single stream, reliable communication channel • Strategizes to produce an efficient plan based on your needs • Periodic pulse checks via status reports &meetings paced according to your stage and schedule 3. Prepares you for smooth and predictable activities across multiple compliance paths
- 26. Challenges in Compliance Space
- 27. Challenges • Redundant Efforts • Cost inefficiencies • Lack of compliance dashboard • Fixing of dispositions • Change in environment • Reliance on third parties • Increased regulations • Reducing budgets (Do more with less) 23
- 29. Learn more about continual compliance …. 24 Compliance as a Service (Caas)
- 30. Integrated compliance 25 Question. No. Question PCIDSS2.0Reference PCIDSS3.0 ISO27002:2013 SOC2 HIPAA NIST800-53 37 Provide dataEncryptionpolicyexplainingencryptioncontrolsimplementedfor Cardholderdatadatasecure storage (e.g.encryption,truncation,maskingetc.) – applicable forapplication,database andbackuptapes -Screenshotsshowingfull PANdataisencryptedwithstrongencryptionwhile stored(database tablesorfiles). The captureddetailsshouldalsoshowthe encryptionalgorithmandstrengthused -ForBackuptapes,screenshotshowingthe encryptionapplied(algorithmand strength–e.g.AES256bit)throughbackupsolution SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.4.a,3.4.b,3.4.c,3.4.d 3.4 10.1.1,18.1.5 164.312(a)(1) 38 IfDiskencryptionusedforcarddatadata,thenisthe logical accesstoencryptedfile- systemisseparatefromnative operatingsystemuseraccess? (Provide the adequate evidencesshowingthe logical accessforlocal operatingsystemand encryptedfile systemiswithseparateuserauthentication) SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.4.1.a 3.4.1 10.1.2 164.312(a)(1) 39 Provide evidence showingrestrictedaccesscontrol forDataEncryptionKeys(DEK) andKeyEncryptionKeys(KEK)atstore SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.5 3.5.2 10.1.2 164.312(a)(1) 40 Provide the evidence showingthe exactlocationswhere encryptionkeysare stored (keysshouldbe storedatfewestpossible locations) 3.5.3 10.1.2 164.312(a)(1)
- 31. Why Choose ControlCase? • Global Reach › Serving more than 400 clients in 40 countries and rapidly growing • Certified Resources › PCI DSS Qualified Security Assessor (QSA) › QSA for Point-to-Point Encryption (QSA P2PE) › Certified ASV vendor › Certified ISO 27001 Assessment Department › EI3PA Assessor › HIPAA Assessor › HITRUST Assessor › SOC1, SOC2, SOC3 Assessor › BITS Shared Assessment Company 26
- 32. To Learn More About ControlCase • Visit www.controlcase.com • Email us at contact@controlcase.com
- 33. Thank You for Your Time