continual compliance monitoring– pci dss, hipaa, ferc/nerc, ei3pa, iso 27001 and fisma
TRANSCRIPT
![Page 1: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/1.jpg)
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase
![Page 2: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/2.jpg)
Agenda
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Components for Continual Compliance Monitoring within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continual Compliance Monitoring
• Q&A
![Page 3: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/3.jpg)
About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
![Page 4: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/4.jpg)
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
![Page 5: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/5.jpg)
What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
› Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care information on electronic billing and other processes; and
› Requires the protection and confidential handling of protected health information
![Page 6: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/6.jpg)
What is FERC/NERC
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC)
› The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection (CIP) Standards
› Standards for cyber security protection
![Page 7: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/7.jpg)
What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect consumer data/credit history data provided by them
![Page 8: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/8.jpg)
What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 provides the detailed controls from an implementation perspective
![Page 9: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/9.jpg)
What is FISMA
• Federal Information Security Management Act (FISMA) of 2002
› Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions
![Page 10: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/10.jpg)
Components of Continual Compliance Monitoring
![Page 11: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/11.jpg)
Continuous Monitoring
• Test once, comply with multiple regulations
• Mapping of controls
• Automated data collection
• Self-assessment data collection
• Executive dashboards
![Page 12: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/12.jpg)
Continual Compliance Monitoring Domains
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Log Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
![Page 13: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/13.jpg)
Policy Management
• Appropriate update of policies and procedures
• Link/Mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance to corporate policies

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.5 |
| PCI | 12 |
| EI3PA | 12 |
| HIPAA | 164.308a1i |
| FISMA | AC-1 |
| FERC/NERC | CIP-003-6 |
![Page 14: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/14.jpg)
Vendor/Third Party Management
• Management of third parties/vendors
• Self attestation by third parties/vendors
• Remediation tracking

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.6, A.10 |
| PCI | 12 |
| EI3PA | 12 |
| HIPAA | 164.308b1 |
| FISMA | PS-3 |
| FERC/NERC | Multiple Requirements |
![Page 15: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/15.jpg)
Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.7, A.12 |
| PCI | 6, 11 |
| EI3PA | 10, 11 |
| HIPAA | 164.308a8 |
| FISMA | RA-5 |
| FERC/NERC | CIP-010 |
![Page 16: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/16.jpg)
Logging Management
• Logging
• File Integrity Monitoring
• 24x7 monitoring
• Managing volumes of data

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.7, A.12 |
| PCI | 6, 11 |
| EI3PA | 10, 11 |
| HIPAA | 164.308a1iiD |
| FISMA | SI-4 |
![Page 17: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/17.jpg)
Change Management and Monitoring
• Change Management ticketing system
• Logging and Monitoring (SIEM/FIM etc.)
• Correlation of logs/alerts to change requests
• Response/Resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.10 |
| PCI | 1, 6, 10 |
| EI3PA | 1, 9, 10 |
| FISMA | SA-3 |
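The flow on this slide (alerts from SIEM/FIM are correlated to change tickets, expected ones are resolved, unexpected ones become incidents) can be made concrete in a few lines. The script below is an added example, not ControlCase's tooling or anything from the deck: it parses constructed FIM alert lines and change-ticket records (both formats are hypothetical), and treats an alert as expected only when an approved ticket for the same host covers both the time of the change and the path that changed. Any other alert is escalated with the failing check recorded, so that an open change window on a host does not hide an unrelated modification (for example to a privileged binary) made at the same time.

```python
"""Correlate file-integrity (FIM) alerts with change tickets; escalate the rest.

Added example for the change-management monitoring flow in this deck. It is
not ControlCase's tooling, and the alert and ticket line formats below are
constructed for the demo rather than taken from any real SIEM or ticketing
product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed FIM alert lines: ISO timestamp followed by key=value fields.
ALERT_LINES = [
    "2024-03-01T02:15:00 host=web01 path=/etc/nginx/nginx.conf event=modified",
    "2024-03-01T02:20:00 host=web01 path=/usr/bin/sudo event=modified",
    "2024-03-01T03:05:00 host=db01 path=/etc/passwd event=modified",
    "2024-03-02T14:00:00 host=web02 path=/opt/app/app.jar event=modified",
]

# Constructed change tickets: id,host,window start,window end,status,path scope.
TICKET_LINES = [
    "CHG-1001,web01,2024-03-01T02:00:00,2024-03-01T02:30:00,approved,/etc/nginx",
    "CHG-1002,web02,2024-03-02T13:00:00,2024-03-02T15:00:00,pending,/opt/app",
]


@dataclass(frozen=True)
class FimAlert:
    host: str
    path: str
    seen_at: datetime


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    host: str
    start: datetime
    end: datetime
    approved: bool
    scope: str  # path prefix the change is allowed to touch


@dataclass(frozen=True)
class Disposition:
    alert: FimAlert
    outcome: str  # "expected" (close against ticket) or "incident" (escalate)
    ticket_id: Optional[str]
    reason: str


def parse_alert(line: str) -> FimAlert:
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split())
    return FimAlert(fields["host"], fields["path"], datetime.fromisoformat(ts))


def parse_ticket(line: str) -> ChangeTicket:
    tid, host, start, end, status, scope = line.split(",")
    return ChangeTicket(tid, host, datetime.fromisoformat(start),
                        datetime.fromisoformat(end), status == "approved", scope)


def correlate(alerts, tickets, grace=timedelta(minutes=10)):
    """Return one Disposition per alert.

    An alert is 'expected' only when an approved ticket for the same host has a
    window (plus grace) covering the alert time and a scope covering the path.
    Everything else is escalated as an incident with the failing check recorded,
    so a change window cannot be used as cover for unrelated modifications.
    """
    by_host = {}
    for t in tickets:
        by_host.setdefault(t.host, []).append(t)
    results = []
    for a in alerts:
        reason, matched = "no change ticket for host", None
        for t in by_host.get(a.host, []):
            if not (t.start - grace <= a.seen_at <= t.end + grace):
                reason = "outside every change window for host"
            elif not a.path.startswith(t.scope):
                reason = f"path outside scope of {t.ticket_id}"
            elif not t.approved:
                reason = f"{t.ticket_id} covers the change but is not approved"
            else:
                matched = t
                break
        if matched:
            results.append(Disposition(a, "expected", matched.ticket_id, "covered by approved change"))
        else:
            results.append(Disposition(a, "incident", None, reason))
    return results


def run_demo():
    alerts = [parse_alert(line) for line in ALERT_LINES]
    tickets = [parse_ticket(line) for line in TICKET_LINES]
    return correlate(alerts, tickets)


if __name__ == "__main__":
    for d in run_demo():
        print(f"{d.alert.seen_at:%Y-%m-%d %H:%M} {d.alert.host} {d.alert.path}: "
              f"{d.outcome.upper()} [{d.ticket_id or '-'}] {d.reason}")
```

With the constructed input, only the nginx configuration change is closed against CHG-1001; the sudo binary change during the same window, the change on a host with no ticket, and the change covered by a ticket that was never approved are all escalated. In a real deployment the `reason` string is what the response team sees first, so it is worth keeping it specific.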
![Page 18: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/18.jpg)
Incident and Problem Management
• Monitoring, Detection, Reporting, Responding, Approving
• Example events: Lost laptop; Changes to firewall rulesets; Upgrades to applications; Intrusion alerting

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.13 |
| PCI | 12 |
| EI3PA | 12 |
| HIPAA | 164.308a6i |
| FISMA | IR Series |
| FERC/NERC | CIP-008 |
![Page 19: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/19.jpg)
Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.7 |
| PCI | 3, 4 |
| EI3PA | 3, 4 |
| HIPAA | 164.310d2iv |
| FERC/NERC | CIP-011 |
![Page 20: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/20.jpg)
Risk Management
• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.6 |
| PCI | 12 |
| EI3PA | 12 |
| HIPAA | 164.308a1iiB |
| FISMA | RA-3 |
![Page 21: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/21.jpg)
Business Continuity Management
• Business Continuity Planning
• Disaster Recovery
• BCP/DR Testing
• Remote Site/Hot Site

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.14 |
| PCI | Not Applicable |
| EI3PA | Not applicable |
| HIPAA | 164.308a7i |
| FISMA | CP Series |
| FERC/NERC | CIP-009 |
![Page 22: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/22.jpg)
HR Management
• Training
• Background Screening
• Reference Checks

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.8 |
| PCI | 12 |
| EI3PA | 12 |
| HIPAA | 164.308a3i |
| FISMA | AT-2 |
| FERC/NERC | CIP-004 |
![Page 23: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/23.jpg)
Physical Security
• Badges
• Visitor Access
• CCTV
• Biometric

| Reg/Standard | Coverage area |
| --- | --- |
| ISO 27001 | A.11 |
| PCI | 9 |
| EI3PA | 9 |
| HIPAA | 164.310 |
| FISMA | PE Series |
| FERC/NERC | CIP-006 |
![Page 24: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/24.jpg)
Recurrence Frequency and Calendar
![Page 25: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/25.jpg)
Daily Monitoring Domains
• Asset and Vulnerability Management
› New Assets
› New Vulnerabilities
• Log Management
› Response time window
• Change Management
› Impact in case of an error
› Unknown and insecure applications
• Incident and Problem Management
› Root cause of systemic problems
› Response to operational and security incidents
![Page 26: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/26.jpg)
Monthly/Quarterly Monitoring Domains
• Vendor/Third Party Management
› Time taken by third parties to respond
• Data Management
› Identification of unknown data
• HR Management
› Time taken for training
› Time taken for background checks
• Physical Security Management
› Time taken to install new physical security components
![Page 27: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/27.jpg)
Annual Monitoring Domains
• Policy Management
› Annual policy reviews
• Risk Management
› Enterprise-wide nature of risk assessment
• BCP/DR Management
› Time taken to conduct BCP/DR tests
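The two ideas the deck combines, a control mapping so that one piece of evidence satisfies several regulations at once ("test once, comply with multiple regulations", from the Continuous Monitoring slide) and a daily/monthly/annual recurrence calendar, fit together in a small scheduler. The script below is an added example, not ControlCase's product or anything from the presentation. Its domain-to-requirement table is copied from the per-domain slides above; the recurrence for the "Monthly/Quarterly" domains is assumed monthly, the day tolerances in `MAX_AGE_DAYS` are chosen for the demo, and the last-tested dates are constructed. It reports which domains are overdue for evidence and, per regulation, which coverage areas are currently evidenced and which are open.

```python
"""Recurrence calendar plus cross-regulation control mapping.

Added example for the "test once, comply with multiple regulations" component
and the daily/monthly/annual calendar in this deck; it is not ControlCase's
tooling. The domain-to-requirement mapping is copied from the per-domain
slides. Assumptions: the "Monthly/Quarterly" domains are scheduled monthly,
and the day tolerances in MAX_AGE_DAYS are chosen for the demo.
"""
from datetime import date

MAX_AGE_DAYS = {"daily": 1, "monthly": 31, "annual": 365}  # assumed tolerances

# domain -> (recurrence, {regulation: coverage area}) as given on the slides
DOMAINS = {
    "Policy Management": ("annual", {"ISO 27001": "A.5", "PCI": "12", "EI3PA": "12", "HIPAA": "164.308a1i", "FISMA": "AC-1", "FERC/NERC": "CIP-003-6"}),
    "Vendor/Third Party Management": ("monthly", {"ISO 27001": "A.6, A.10", "PCI": "12", "EI3PA": "12", "HIPAA": "164.308b1", "FISMA": "PS-3", "FERC/NERC": "Multiple Requirements"}),
    "Asset and Vulnerability Management": ("daily", {"ISO 27001": "A.7, A.12", "PCI": "6, 11", "EI3PA": "10, 11", "HIPAA": "164.308a8", "FISMA": "RA-5", "FERC/NERC": "CIP-010"}),
    "Log Management": ("daily", {"ISO 27001": "A.7, A.12", "PCI": "6, 11", "EI3PA": "10, 11", "HIPAA": "164.308a1iiD", "FISMA": "SI-4"}),
    "Change Management": ("daily", {"ISO 27001": "A.10", "PCI": "1, 6, 10", "EI3PA": "1, 9, 10", "FISMA": "SA-3"}),
    "Incident and Problem Management": ("daily", {"ISO 27001": "A.13", "PCI": "12", "EI3PA": "12", "HIPAA": "164.308a6i", "FISMA": "IR Series", "FERC/NERC": "CIP-008"}),
    "Data Management": ("monthly", {"ISO 27001": "A.7", "PCI": "3, 4", "EI3PA": "3, 4", "HIPAA": "164.310d2iv", "FERC/NERC": "CIP-011"}),
    "Risk Management": ("annual", {"ISO 27001": "A.6", "PCI": "12", "EI3PA": "12", "HIPAA": "164.308a1iiB", "FISMA": "RA-3"}),
    "Business Continuity Management": ("annual", {"ISO 27001": "A.14", "PCI": "Not Applicable", "EI3PA": "Not applicable", "HIPAA": "164.308a7i", "FISMA": "CP Series", "FERC/NERC": "CIP-009"}),
    "HR Management": ("monthly", {"ISO 27001": "A.8", "PCI": "12", "EI3PA": "12", "HIPAA": "164.308a3i", "FISMA": "AT-2", "FERC/NERC": "CIP-004"}),
    "Physical Security": ("monthly", {"ISO 27001": "A.11", "PCI": "9", "EI3PA": "9", "HIPAA": "164.310", "FISMA": "PE Series", "FERC/NERC": "CIP-006"}),
}


def overdue_domains(last_tested, today):
    """Map each overdue domain to the number of days it is past its recurrence.

    A domain with no evidence at all maps to None so it is never silently
    treated as "only slightly late".
    """
    late = {}
    for domain, (freq, _) in DOMAINS.items():
        last = last_tested.get(domain)
        if last is None:
            late[domain] = None
            continue
        days_late = (today - last).days - MAX_AGE_DAYS[freq]
        if days_late > 0:
            late[domain] = days_late
    return late


def coverage(current_domains):
    """Per regulation, split coverage areas into evidenced and open.

    One currently-tested domain satisfies its area in every regulation that
    maps to it, which is the "test once" property. Areas marked not applicable
    on the slides are skipped.
    """
    report = {}
    for domain, (_, areas) in DOMAINS.items():
        for reg, area in areas.items():
            if area.lower().startswith("not applicable"):
                continue
            bucket = "covered" if domain in current_domains else "open"
            entry = report.setdefault(reg, {"covered": [], "open": []})
            entry[bucket].append(f"{area} ({domain})")
    return report


def demo(today=date(2024, 3, 1)):
    # Constructed last-evidence dates for the demo run (not real client data).
    last_tested = {
        "Policy Management": date(2023, 1, 15),
        "Vendor/Third Party Management": date(2024, 1, 10),
        "Asset and Vulnerability Management": date(2024, 2, 29),
        "Log Management": date(2024, 2, 27),
        "Change Management": date(2024, 2, 29),
        "Incident and Problem Management": date(2024, 2, 29),
        "Data Management": date(2024, 2, 15),
        "Risk Management": date(2023, 6, 1),
        "HR Management": date(2024, 2, 20),
        "Physical Security": date(2024, 2, 1),
        # Business Continuity Management deliberately has no evidence yet
    }
    late = overdue_domains(last_tested, today)
    current = {d for d in DOMAINS if d not in late}
    return late, coverage(current)


if __name__ == "__main__":
    late, report = demo()
    for domain, days in late.items():
        print(f"OVERDUE {domain}: {'never evidenced' if days is None else f'{days} days late'}")
    for reg, buckets in sorted(report.items()):
        print(f"{reg}: {len(buckets['covered'])} covered, open -> {buckets['open']}")
```

Run as written, four domains are overdue (policy review by 46 days, vendor attestations by 20, daily log review by 2, and business continuity never evidenced), and the coverage report shows the same gap counted once per regulation: the single missing policy review leaves PCI 12, ISO 27001 A.5, HIPAA 164.308a1i, FISMA AC-1 and NERC CIP-003-6 all open, which is exactly the redundancy the "test once" approach removes when the evidence is present.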
![Page 28: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/28.jpg)
Challenges in Continual Compliance Monitoring
![Page 29: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/29.jpg)
Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (Do more with less)
![Page 30: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/30.jpg)
Integrated compliance
Excerpt from an integrated compliance question set. Each question carries references to PCI DSS 2.0, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA and NIST 800-53; the SOC2 and NIST 800-53 columns are blank for the rows shown.

Question 37: Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking etc.), applicable to the application, database and backup tapes.
› Evidence: Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files); the captured details should also show the encryption algorithm and strength used. For backup tapes, a screenshot showing the encryption applied (algorithm and strength, e.g. AES 256 bit) through the backup solution.
› Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
› References: PCI DSS 2.0 3.4.a, 3.4.b, 3.4.c, 3.4.d; PCI DSS 3.0 3.4; ISO 27002:2013 10.1.1, 18.1.5; HIPAA 164.312(a)(1)

Question 38: If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system uses separate user authentication.)
› Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
› References: PCI DSS 2.0 3.4.1.a; PCI DSS 3.0 3.4.1; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 39: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) at store.
› Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
› References: PCI DSS 2.0 3.5; PCI DSS 3.0 3.5.2; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 40: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
› References: PCI DSS 3.5.3; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)
![Page 31: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/31.jpg)
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› BITS Shared Assessment Company
![Page 33: Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA](https://reader035.vdocuments.us/reader035/viewer/2022081504/55ccc228bb61ebea2e8b4680/html5/thumbnails/33.jpg)
Thank You for Your Time