- About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA - Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations - Challenges in the Comprehensive Compliance Space

1. Integrated Compliance – PCI DSS, HIPAA,
FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase

2. Agenda
• ControlCase Overview
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and
EI3PA
• Best Practices and Components for Integrated
Compliance within IT Standards/Regulations
• Challenges in the Comprehensive Compliance Space
• Q&A
1

3. ControlCase Overview
• More than 400 customers in more than 40
countries.
• Focus on Certifications and Compliance as a
Service (CaaS).
• Continued update and use of technology based
on feedback from customers
2

4. About PCI DSS, HIPAA, FERC/NERC,
EI3PA, ISO 27001 and FISMA

5. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
3

6. What is HIPAA
4
• HIPAA is the acronym for the Health Insurance
Portability and Accountability Act that was
passed by Congress in 1996. HIPAA does the
following:
› Provides the ability to transfer and continue health
insurance coverage for millions of American workers and
their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care
information on electronic billing and other processes; and
› Requires the protection and confidential handling of
protected health information

7. What is FERC/NERC
5
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United
States federal agency with jurisdiction over interstate electricity
sales, wholesale electric rates, hydroelectric licensing, natural
gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation
(NERC):
› The North American Electric Reliability Corporation (NERC) is a
not-for-profit international regulatory authority whose mission
is to ensure the reliability of the bulk power system in North
America.
• Critical Infrastructure Protection Standards
› Standards for cyber security protection

8. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer
credit bureaus in the United States
• Guidelines for securely processing, storing, or
transmitting Experian Provided Data
• Established by Experian to protect consumer
data/credit history data provided by them
6

9. What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for
implementing information security within an
organization
• ISO 27002 are the detailed controls from an
implementation perspective
7

10. What is FISMA
8
• Federal Information Security Management Act
(FISMA) of 2002
› Requires federal agencies to implement a mandatory set of
processes, security controls and information security
governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions

11. Best Practices and Components for Integrated
Compliance within IT Standards/Regulations

12. Building Blocks – Integrated Compliance
• Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business continuity Management
• HR Management
• Physical Security
• Compliance Project Management
9

13. Compliance Management
10
 Test once, comply to multiple regulations
 Mapping of controls
 Automated data collection
 Self assessment data collection
 Executive dashboards

14. Policy Management
11
 Appropriate update of policies and procedures
 Link/Mapping to controls and standards
 Communication, training and attestation
 Monitoring of compliance to corporate policies
Reg/Standard Coverage area
ISO 27001 A.5
PCI 12
EI3PA 12
HIPAA 164.308a1i
FISMA AC-1
FERC/NERC CIP-003-6

15. Vendor/Third Party Management
12
 Management of third parties/vendors
 Self attestation by third parties/vendors
 Remediation tracking
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple
Requirements

16. Asset and Vulnerability Management
13
 Asset list
 Management of vulnerabilities and dispositions
 Training to development and support staff
 Management reporting if unmitigated vulnerability
 Linkage to non compliance
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a8
FISMA RA-5
FERC/NERC CIP-010

17. Logging and Monitoring
14
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a1iiD
FISMA SI-4
 Logging
 File Integrity Monitoring
 24X7 monitoring
 Managing volumes of data

18. Change Management and Monitoring
15
Escalation to incident for unexpected logs/alerts
Response/Resolution process for expected logs/alerts
Correlation of logs/alerts to change requests
Change Management ticketing System
Logging and Monitoring (SIEM/FIM etc.)
Reg/Standard Coverage
area
ISO 27001 A.10
PCI 1, 6, 10
EI3PA 1, 9, 10
FISMA SA-3

19. Incident and Problem Management
16
 Monitoring
 Detection
 Reporting
 Responding
 Approving
Lost Laptop
Changes to
firewall
rulesets
Upgrades to
applications
Intrusion
Alerting
Reg/Standard Coverage area
ISO 27001 A.13
PCI 12
EI3PA 12
HIPAA 164.308a6i
FISMA IR Series
FERC/NERC CIP-008

20. Data Management
17
 Identification of data
 Classification of data
 Protection of data
 Monitoring of data
Reg/Standard Coverage area
ISO 27001 A.7
PCI 3, 4
EI3PA 3, 4
HIPAA 164.310d2iv
FERC/NERC CIP-011

21. Risk Management
18
 Input of key criterion
 Numeric algorithms to compute risk
 Output of risk dashboards
Reg/Standard Coverage area
ISO 27001 A.6
PCI 12
EI3PA 12
HIPAA 164.308a1iiB
FISMA RA-3

22. Business Continuity Management
19
 Business Continuity Planning
 Disaster Recovery
 BCP/DR Testing
 Remote Site/Hot Site
Reg/Standard Coverage area
ISO 27001 A.14
PCI Not Applicable
EI3PA Not applicable
HIPAA 164.308a7i
FISMA CP Series
FERC/SERC CIP-009

23. HR Management
20
 Training
 Background Screening
 Reference Checks
Reg/Standard Coverage area
ISO 27001 A.8
PCI 12
EI3PA 12
HIPAA 164.308a3i
FISMA AT-2
FERC/NERC CIP-004

24. Physical Security
21
 Badges
 Visitor Access
 CCTV
 Biometric
Reg/Standard Coverage area
ISO 27001 A.11
PCI 9
EI3PA 9
HIPAA 164.310
FISMA PE Series
FERC/NERC CIP-006

25. Compliance Project Management
22
Your Project Manager is charged with your Success:
1. Serves as your single point of contact and your advocate
for all compliance activities
2. Ensures all compliance requirements are met on schedule.
• Builds a single stream, reliable communication channel
• Strategizes to produce an efficient plan based on your
needs
• Periodic pulse checks via status reports &meetings
paced according to your stage and schedule
3. Prepares you for smooth and predictable activities across
multiple compliance paths

26. Challenges in Compliance Space

27. Challenges
• Redundant Efforts
• Cost inefficiencies
• Lack of compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (Do more with less)
23

28. ControlCase Solution

29. Learn more about continual compliance ….
24
Compliance
as a Service
(Caas)

30. Integrated compliance
25
Question.
No.
Question PCIDSS2.0Reference PCIDSS3.0 ISO27002:2013 SOC2 HIPAA NIST800-53
37
Provide dataEncryptionpolicyexplainingencryptioncontrolsimplementedfor
Cardholderdatadatasecure storage (e.g.encryption,truncation,maskingetc.) –
applicable forapplication,database andbackuptapes
-Screenshotsshowingfull PANdataisencryptedwithstrongencryptionwhile
stored(database tablesorfiles). The captureddetailsshouldalsoshowthe
encryptionalgorithmandstrengthused
-ForBackuptapes,screenshotshowingthe encryptionapplied(algorithmand
strength–e.g.AES256bit)throughbackupsolution
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.4.a,3.4.b,3.4.c,3.4.d 3.4 10.1.1,18.1.5 164.312(a)(1)
38
IfDiskencryptionusedforcarddatadata,thenisthe logical accesstoencryptedfile-
systemisseparatefromnative operatingsystemuseraccess? (Provide the
adequate evidencesshowingthe logical accessforlocal operatingsystemand
encryptedfile systemiswithseparateuserauthentication)
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.4.1.a 3.4.1 10.1.2 164.312(a)(1)
39
Provide evidence showingrestrictedaccesscontrol forDataEncryptionKeys(DEK)
andKeyEncryptionKeys(KEK)atstore
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.5 3.5.2 10.1.2 164.312(a)(1)
40
Provide the evidence showingthe exactlocationswhere encryptionkeysare stored
(keysshouldbe storedatfewestpossible locations)
3.5.3 10.1.2 164.312(a)(1)

31. Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› BITS Shared Assessment Company
26

32. To Learn More About ControlCase
• Visit www.controlcase.com
• Email us at contact@controlcase.com

33. Thank You for Your Time