- About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
- Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations
- Challenges in the Comprehensive Compliance Space
Integrated Compliance
1. Integrated Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase
2. Agenda
• ControlCase Overview
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Best Practices and Components for Integrated Compliance within IT Standards/Regulations
• Challenges in the Comprehensive Compliance Space
• Q&A
3. ControlCase Overview
• More than 400 customers in more than 40 countries.
• Focus on Certifications and Compliance as a Service (CaaS).
• Continued update and use of technology based on feedback from customers.
4. About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
5. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
6. What is HIPAA?
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
› Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care information on electronic billing and other processes; and
› Requires the protection and confidential handling of protected health information
7. What is FERC/NERC?
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC)
› The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection Standards
› Standards for cyber security protection
8. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect consumer data/credit history data provided by them
9. What is ISO 27001/ISO 27002?
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 provides the detailed controls from an implementation perspective
10. What is FISMA?
• Federal Information Security Management Act (FISMA) of 2002
› Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions
11. Best Practices and Components for Integrated Compliance within IT Standards/Regulations
12. Building Blocks – Integrated Compliance
• Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management
13. Compliance Management
• Test once, comply with multiple regulations
• Mapping of controls
• Automated data collection
• Self-assessment data collection
• Executive dashboards
14. Policy Management
• Appropriate update of policies and procedures
• Link/mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance with corporate policies

Reg/Standard   Coverage area
ISO 27001      A.5
PCI            12
EI3PA          12
HIPAA          164.308a1i
FISMA          AC-1
FERC/NERC      CIP-003-6
15. Vendor/Third Party Management
• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI            12
EI3PA          12
HIPAA          164.308b1
FISMA          PS-3
FERC/NERC      Multiple requirements
16. Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a8
FISMA          RA-5
FERC/NERC      CIP-010
17. Logging and Monitoring
• Logging
• File Integrity Monitoring
• 24x7 monitoring
• Managing volumes of data

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a1iiD
FISMA          SI-4
18. Change Management and Monitoring
• Logging and Monitoring (SIEM/FIM etc.)
• Change Management ticketing system
• Correlation of logs/alerts to change requests
• Response/Resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
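The correlation and escalation flow on this slide, as an added Python example that is not part of the original deck: constructed change tickets and FIM/SIEM alerts are matched on asset and approved change window, alerts explained by an approved change are resolved against it, and the rest are escalated to incident management. The ticket and alert field names, asset names and the 15-minute grace period are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample export from a change-management ticketing system
# (hypothetical field names): asset touched plus the approved window.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "asset": "fw-edge-01", "start": "2024-03-04T22:00:00",
     "end": "2024-03-04T23:30:00", "summary": "Add firewall rule for partner VPN"},
    {"id": "CHG-1002", "asset": "app-web-02", "start": "2024-03-05T01:00:00",
     "end": "2024-03-05T02:00:00", "summary": "Upgrade application to 4.2"},
]

# Constructed sample FIM/SIEM alerts: one file-change event each.
ALERTS = [
    {"asset": "fw-edge-01", "time": "2024-03-04T22:41:10", "path": "/etc/fw/rules.conf"},
    {"asset": "app-web-02", "time": "2024-03-05T01:20:33", "path": "/opt/app/bin/server"},
    {"asset": "app-web-02", "time": "2024-03-05T14:03:51", "path": "/opt/app/bin/server"},
    {"asset": "db-core-01", "time": "2024-03-05T03:12:07", "path": "/etc/passwd"},
]

# Assumed tolerance: changes often start slightly early or overrun a little.
GRACE = timedelta(minutes=15)


def _ts(s):
    return datetime.fromisoformat(s)


def matching_change(alert, tickets=CHANGE_TICKETS, grace=GRACE):
    """Id of the approved change whose asset and window cover this alert, else None."""
    at = _ts(alert["time"])
    for tk in tickets:
        if tk["asset"] != alert["asset"]:
            continue
        if _ts(tk["start"]) - grace <= at <= _ts(tk["end"]) + grace:
            return tk["id"]
    return None


def triage(alerts=ALERTS, tickets=CHANGE_TICKETS):
    """Split alerts into expected (resolve against change) and unexpected (escalate)."""
    expected, escalate = [], []
    for a in alerts:
        chg = matching_change(a, tickets)
        if chg is None:
            escalate.append({**a, "action": "open_incident"})   # no change explains it
        else:
            expected.append({**a, "change": chg, "action": "resolve"})
    return expected, escalate


if __name__ == "__main__":
    for item in (*triage()[0], *triage()[1]):
        print(item["action"], item["asset"], item["time"], item["path"], item.get("change", "-"))
```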
19. Incident and Problem Management
Process steps (from the slide diagram): Monitoring, Detection, Reporting, Responding, Approving
Example events handled: Lost laptop; Changes to firewall rulesets; Upgrades to applications; Intrusion alerting

Reg/Standard   Coverage area
ISO 27001      A.13
PCI            12
EI3PA          12
HIPAA          164.308a6i
FISMA          IR Series
FERC/NERC      CIP-008
20. Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

Reg/Standard   Coverage area
ISO 27001      A.7
PCI            3, 4
EI3PA          3, 4
HIPAA          164.310d2iv
FERC/NERC      CIP-011
21. Risk Management
• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards

Reg/Standard   Coverage area
ISO 27001      A.6
PCI            12
EI3PA          12
HIPAA          164.308a1iiB
FISMA          RA-3
22. Business Continuity Management
• Business Continuity Planning
• Disaster Recovery
• BCP/DR Testing
• Remote Site/Hot Site

Reg/Standard   Coverage area
ISO 27001      A.14
PCI            Not applicable
EI3PA          Not applicable
HIPAA          164.308a7i
FISMA          CP Series
FERC/NERC      CIP-009
23. HR Management
• Training
• Background Screening
• Reference Checks

Reg/Standard   Coverage area
ISO 27001      A.8
PCI            12
EI3PA          12
HIPAA          164.308a3i
FISMA          AT-2
FERC/NERC      CIP-004
24. Physical Security
• Badges
• Visitor Access
• CCTV
• Biometrics

Reg/Standard   Coverage area
ISO 27001      A.11
PCI            9
EI3PA          9
HIPAA          164.310
FISMA          PE Series
FERC/NERC      CIP-006
25. Compliance Project Management
Your Project Manager is charged with your success:
1. Serves as your single point of contact and your advocate for all compliance activities
2. Ensures all compliance requirements are met on schedule.
• Builds a single-stream, reliable communication channel
• Strategizes to produce an efficient plan based on your needs
• Periodic pulse checks via status reports & meetings, paced according to your stage and schedule
3. Prepares you for smooth and predictable activities across multiple compliance paths
27. Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of a compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)