Integrated Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA By Kishor Vaswani, CEO - ControlCase

Post on 13-Jan-2017

Page 1: Integrated Compliance

Integrated Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA

By Kishor Vaswani, CEO - ControlCase

Page 2: Integrated Compliance

Agenda

• ControlCase Overview
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Best Practices and Components for Integrated Compliance within IT Standards/Regulations
• Challenges in the Comprehensive Compliance Space
• Q&A

Page 3: Integrated Compliance

ControlCase Overview

• More than 400 customers in more than 40 countries.

• Focus on Certifications and Compliance as a Service (CaaS).

• Continued update and use of technology based on feedback from customers


Page 4: Integrated Compliance

About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA

Page 5: Integrated Compliance

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by the leading payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)

Page 6: Integrated Compliance

What is HIPAA?

• HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
› Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care information on electronic billing and other processes; and
› Requires the protection and confidential handling of protected health information (PHI)

Page 7: Integrated Compliance

What is FERC/NERC?

• Federal Energy Regulatory Commission (FERC)
› The United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates
• North American Electric Reliability Corporation (NERC)
› A not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America
• Critical Infrastructure Protection (CIP) Standards
› NERC's standards for cyber security protection of the bulk power system; the CIP-003, CIP-004, ... references in the coverage tables of this deck point to them

Page 8: Integrated Compliance

What is EI3PA?

Experian Independent Third Party Assessment (EI3PA), Experian's security audit requirements:

• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian-provided data
• Established by Experian to protect the consumer data/credit history data it provides

Page 9: Integrated Compliance

What is ISO 27001/ISO 27002?

ISO standards:

• ISO 27001 is the management framework for implementing information security within an organization: it specifies the requirements for an information security management system (ISMS), and its Annex A lists the control objectives that the coverage tables in this deck cite (A.5, A.6, ...)
• ISO 27002 is the companion code of practice that describes those controls in detail from an implementation perspective

Page 10: Integrated Compliance

What is FISMA?

• Federal Information Security Management Act (FISMA) of 2002, since amended by the Federal Information Security Modernization Act of 2014
› Requires federal agencies to implement a mandatory set of processes, security controls and information security governance; the control catalog is NIST SP 800-53, whose control identifiers (AC-1, RA-5, SI-4, ...) are what the coverage tables in this deck cite under FISMA
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions

Page 11: Integrated Compliance

Best Practices and Components for Integrated Compliance within IT Standards/Regulations

Page 12: Integrated Compliance

Building Blocks – Integrated Compliance

• Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management

Page 13: Integrated Compliance

Compliance Management

• Test once, comply with multiple regulations
• Mapping of controls
• Automated data collection
• Self-assessment data collection
• Executive dashboards
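How "test once, comply with multiple regulations" works mechanically, as an added example that is not ControlCase's tooling or any code from the deck: each common control is tested once and the result is rolled up to every framework requirement it maps to, a requirement passing only when all of its mapped controls passed. The mappings are the ones the coverage tables on the following slides give for four of the building blocks; the test results, the "NERC CIP" label and the dashboard layout are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Control is one common control that is tested once; Mappings lists the
// framework requirements that single test result feeds (framework -> references).
type Control struct {
	Name     string
	Mappings map[string][]string
}

// ReqStatus is the rolled-up state of one framework requirement.
type ReqStatus struct {
	Framework, Requirement string
	Pass                   bool
	FailedControls         []string // common controls that failed under it
}

// The mappings are the ones the deck's coverage tables give for four of its
// building blocks (HIPAA citations written out in full); the control names
// are the deck's own.
var controls = []Control{
	{"Policy Management", map[string][]string{
		"ISO 27001": {"A.5"}, "PCI DSS": {"12"}, "HIPAA": {"164.308(a)(1)(i)"},
		"FISMA": {"AC-1"}, "NERC CIP": {"CIP-003-6"}}},
	{"Vendor/Third Party Management", map[string][]string{
		"ISO 27001": {"A.6", "A.10"}, "PCI DSS": {"12"}, "HIPAA": {"164.308(b)(1)"},
		"FISMA": {"PS-3"}}},
	{"Asset and Vulnerability Management", map[string][]string{
		"ISO 27001": {"A.7", "A.12"}, "PCI DSS": {"6", "11"}, "HIPAA": {"164.308(a)(8)"},
		"FISMA": {"RA-5"}, "NERC CIP": {"CIP-010"}}},
	{"Incident and Problem Management", map[string][]string{
		"ISO 27001": {"A.13"}, "PCI DSS": {"12"}, "HIPAA": {"164.308(a)(6)(i)"},
		"NERC CIP": {"CIP-008"}}},
}

// RollUp turns one set of common-control results (name -> passed) into
// per-framework requirement status. A requirement passes only if every
// common control mapped to it passed, and a control with no recorded
// result counts as failed, so an untested control can never read as compliant.
func RollUp(results map[string]bool) []ReqStatus {
	type key struct{ fw, req string }
	failed := map[key][]string{}
	seen := map[key]bool{}
	for _, c := range controls {
		for fw, reqs := range c.Mappings {
			for _, r := range reqs {
				k := key{fw, r}
				seen[k] = true
				if !results[c.Name] {
					failed[k] = append(failed[k], c.Name)
				}
			}
		}
	}
	out := make([]ReqStatus, 0, len(seen))
	for k := range seen {
		out = append(out, ReqStatus{k.fw, k.req, len(failed[k]) == 0, failed[k]})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Framework != out[j].Framework {
			return out[i].Framework < out[j].Framework
		}
		return out[i].Requirement < out[j].Requirement
	})
	return out
}

// Coverage counts [passed, total] requirements per framework, the figures an
// executive dashboard would chart.
func Coverage(statuses []ReqStatus) map[string][2]int {
	cov := map[string][2]int{}
	for _, s := range statuses {
		c := cov[s.Framework]
		c[1]++
		if s.Pass {
			c[0]++
		}
		cov[s.Framework] = c
	}
	return cov
}

func main() {
	// Constructed results: one failed control, which surfaces under every
	// framework requirement that control maps to.
	results := map[string]bool{
		"Policy Management":                  true,
		"Vendor/Third Party Management":      false,
		"Asset and Vulnerability Management": true,
		"Incident and Problem Management":    true,
	}
	statuses := RollUp(results)
	for _, s := range statuses {
		fmt.Printf("%-9s %-18s pass=%-5v failed=%v\n", s.Framework, s.Requirement, s.Pass, s.FailedControls)
	}
	fmt.Println(Coverage(statuses))
}
```

The point to notice is the single failed vendor-management control: it pulls down PCI DSS 12, ISO 27001 A.6 and A.10, HIPAA 164.308(b)(1) and FISMA PS-3 at once, which is exactly the redundancy an integrated program removes from the assessment side. The missing-result-equals-fail rule is the caveat: a mapping table only saves effort if an untested control cannot silently read as compliant.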

Page 14: Integrated Compliance

Policy Management

• Appropriate update of policies and procedures
• Link/mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance to corporate policies

Reg/Standard   Coverage area
ISO 27001      A.5
PCI            12
EI3PA          12
HIPAA          164.308(a)(1)(i)
FISMA          AC-1
FERC/NERC      CIP-003-6

Page 15: Integrated Compliance

Vendor/Third Party Management

• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI            12
EI3PA          12
HIPAA          164.308(b)(1)
FISMA          PS-3
FERC/NERC      Multiple requirements

Page 16: Integrated Compliance

Asset and Vulnerability Management

• Asset list
• Management of vulnerabilities and dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308(a)(8)
FISMA          RA-5
FERC/NERC      CIP-010

Page 17: Integrated Compliance

Logging and Monitoring

• Logging
• File integrity monitoring (FIM)
• 24x7 monitoring
• Managing volumes of data

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            10, 11
EI3PA          10, 11
HIPAA          164.308(a)(1)(ii)(D)
FISMA          SI-4

Page 18: Integrated Compliance

Change Management and Monitoring

The slide diagrams the flow from the two inputs to the two outcomes:

• Change Management ticketing system
• Logging and Monitoring (SIEM/FIM etc.)
• Correlation of logs/alerts to change requests
• Response/Resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
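The correlation step above, written out as an added example that is not taken from the deck or from any ControlCase product: each FIM/SIEM alert is matched to change tickets by asset, change type and approved window; a hit inside an approved window goes down the expected-alert resolution path, and everything else (no ticket, wrong window, or a ticket that was never approved) is escalated to an incident. The line format, the field names, the ticket IDs, hostnames and timestamps are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ChangeTicket is a change request; Alert is one parsed SIEM/FIM event;
// Disposition is what correlation decides for that alert.
type ChangeTicket struct {
	ID, Asset, ChangeType string
	Start, End            time.Time
	Approved              bool
}
type Alert struct {
	Time                           time.Time
	Source, Asset, ChangeType, Msg string
}
type Disposition struct {
	Status   string // "expected" or "escalate"
	TicketID string // matching ticket, if any
	Reason   string
}

// ParseAlert reads the hypothetical line format used by the samples below,
// "<RFC3339 time> <source> host=<asset> change=<type> msg=<free text>".
// Real SIEM/FIM exports differ; only the field names are assumed here.
func ParseAlert(line string) (Alert, error) {
	head, msg, _ := strings.Cut(line, " msg=")
	f := strings.Fields(head)
	if len(f) < 2 {
		return Alert{}, fmt.Errorf("short line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Alert{}, err
	}
	a := Alert{Time: ts, Source: f[1], Msg: msg}
	for _, kv := range f[2:] {
		switch k, v, _ := strings.Cut(kv, "="); k {
		case "host":
			a.Asset = v
		case "change":
			a.ChangeType = v
		}
	}
	return a, nil
}

// Correlate applies the slide's rule: an alert is expected only when an
// approved ticket for the same asset and change type has a window containing
// the alert time. Everything else is escalated, including a matching ticket
// that was never approved.
func Correlate(a Alert, tickets []ChangeTicket) Disposition {
	pending := ""
	for _, t := range tickets {
		if t.Asset != a.Asset || t.ChangeType != a.ChangeType ||
			a.Time.Before(t.Start) || a.Time.After(t.End) {
			continue
		}
		if t.Approved {
			return Disposition{"expected", t.ID, "inside approved change window"}
		}
		pending = t.ID
	}
	if pending != "" {
		return Disposition{"escalate", pending, "matching ticket is not approved"}
	}
	return Disposition{"escalate", "", "no ticket covers this asset/change at this time"}
}

// Triage parses and correlates a batch; an unreadable line is escalated too.
func Triage(lines []string, tickets []ChangeTicket) []Disposition {
	out := make([]Disposition, 0, len(lines))
	for _, l := range lines {
		if a, err := ParseAlert(l); err != nil {
			out = append(out, Disposition{"escalate", "", "unparsable: " + err.Error()})
		} else {
			out = append(out, Correlate(a, tickets))
		}
	}
	return out
}

func at(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }

// Constructed change tickets and alert lines for the example.
var sampleTickets = []ChangeTicket{
	{"CHG-1001", "fw01", "firewall-rule", at("2017-01-13T02:00:00Z"), at("2017-01-13T03:00:00Z"), true},
	{"CHG-1002", "app02", "package-upgrade", at("2017-01-13T01:00:00Z"), at("2017-01-13T05:00:00Z"), false},
}
var sampleLines = []string{
	"2017-01-13T02:15:00Z fim host=fw01 change=firewall-rule msg=/etc/iptables/rules.v4 modified",
	"2017-01-13T04:30:00Z fim host=fw01 change=firewall-rule msg=/etc/iptables/rules.v4 modified",
	"2017-01-13T03:10:00Z siem host=app02 change=package-upgrade msg=dpkg installed openssl",
	"2017-01-13T02:20:00Z siem host=db01 change=firewall-rule msg=nft ruleset reloaded",
}

func main() {
	for i, d := range Triage(sampleLines, sampleTickets) {
		fmt.Printf("%d %-8s %-8s %s\n", i+1, d.Status, d.TicketID, d.Reason)
	}
}
```

The second sample line is the case that matters for PCI requirement 10 and 11.5 evidence: the same firewall file change on the same host is expected at 02:15 and an incident at 04:30, because correlation is against the approved window, not just the existence of a ticket. The unapproved ticket on app02 is escalated with the ticket ID attached so the responder can see which request was executed before approval.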

Page 19: Integrated Compliance

Incident and Problem Management

Process steps: Monitoring, Detection, Reporting, Responding, Approving

Example events on the slide:
• Lost laptop
• Changes to firewall rulesets
• Upgrades to applications
• Intrusion alerting

Reg/Standard   Coverage area
ISO 27001      A.13
PCI            12
EI3PA          12
HIPAA          164.308(a)(6)(i)
FISMA          IR series
FERC/NERC      CIP-008

Page 20: Integrated Compliance

Data Management

• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

Reg/Standard   Coverage area
ISO 27001      A.7
PCI            3, 4
EI3PA          3, 4
HIPAA          164.310(d)(2)(iv)
FERC/NERC      CIP-011
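The four data-management steps on this slide applied to cardholder data, as an added example (not code from the deck or from ControlCase): identification of PANs by a Luhn check over candidate digit runs, classification of records that carry one, protection by masking to first six/last four, and monitoring by scanning log lines for PANs that should not be there. The log lines, hostnames and card numbers are constructed test values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// LuhnValid reports whether a 13-19 digit string passes the Luhn check that
// every payment card PAN satisfies; it is what separates a PAN from an order
// number or timestamp of similar length.
func LuhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panRe finds candidate digit runs; LuhnValid then confirms them.
var panRe = regexp.MustCompile(`\b\d{13,19}\b`)

// Mask keeps the first six and last four digits, the most that PCI DSS
// requirement 3.3 lets a display show.
func Mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Classify labels a record by the most sensitive data it carries.
func Classify(record string) string {
	for _, m := range panRe.FindAllString(record, -1) {
		if LuhnValid(m) {
			return "cardholder data"
		}
	}
	return "none"
}

// Finding is one PAN located during a scan, already masked so the report
// itself cannot leak cardholder data.
type Finding struct {
	Record         int
	Masked         string
	Classification string
}

// Scan is the monitoring step: run it over log lines, ticket text or table
// dumps and it reports every record that carries a PAN.
func Scan(records []string) (out []Finding) {
	for i, rec := range records {
		for _, m := range panRe.FindAllString(rec, -1) {
			if LuhnValid(m) {
				out = append(out, Finding{i, Mask(m), Classify(rec)})
			}
		}
	}
	return out
}

// Redact is the protection step for data that must never hold a full PAN:
// every Luhn-valid PAN in the text is replaced by its masked form.
func Redact(text string) string {
	return panRe.ReplaceAllStringFunc(text, func(m string) string {
		if LuhnValid(m) {
			return Mask(m)
		}
		return m
	})
}

// sampleRecords are constructed application log lines for the example.
var sampleRecords = []string{
	"2017-01-13T10:02:11Z app01 POST /checkout pan=4111111111111111 amount=49.90",
	"2017-01-13T10:02:12Z app01 order=1234567890123 status=ok",
	"2017-01-13T10:03:40Z app02 refund card 5555555555554444 ref 99812",
}

func main() {
	for _, f := range Scan(sampleRecords) {
		fmt.Printf("record %d: %s (%s)\n", f.Record, f.Masked, f.Classification)
	}
	fmt.Println(Redact(sampleRecords[0]))
}
```

The order number in the second line is thirteen digits long and is correctly ignored, which is why the Luhn step matters: a digit-length regex alone would flag it and bury real findings in noise. Redacting at the point of logging, rather than scanning afterwards, is the cheaper control, but the scan is the evidence that it is working.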

Page 21: Integrated Compliance

Risk Management

• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards

Reg/Standard   Coverage area
ISO 27001      A.6
PCI            12
EI3PA          12
HIPAA          164.308(a)(1)(ii)(B)
FISMA          RA-3

Page 22: Integrated Compliance

Business Continuity Management

• Business Continuity Planning
• Disaster Recovery
• BCP/DR Testing
• Remote Site/Hot Site

Reg/Standard   Coverage area
ISO 27001      A.14
PCI            Not applicable
EI3PA          Not applicable
HIPAA          164.308(a)(7)(i)
FISMA          CP series
FERC/NERC      CIP-009

Page 23: Integrated Compliance

HR Management

• Training
• Background screening
• Reference checks

Reg/Standard   Coverage area
ISO 27001      A.8
PCI            12
EI3PA          12
HIPAA          164.308(a)(3)(i)
FISMA          AT-2
FERC/NERC      CIP-004

Page 24: Integrated Compliance

Physical Security

• Badges
• Visitor access
• CCTV
• Biometrics

Reg/Standard   Coverage area
ISO 27001      A.11
PCI            9
EI3PA          9
HIPAA          164.310
FISMA          PE series
FERC/NERC      CIP-006

Page 25: Integrated Compliance

Compliance Project Management

Your Project Manager is charged with your success:

1. Serves as your single point of contact and your advocate for all compliance activities
2. Ensures all compliance requirements are met on schedule
• Builds a single-stream, reliable communication channel
• Strategizes to produce an efficient plan based on your needs
• Periodic pulse checks via status reports and meetings, paced according to your stage and schedule
3. Prepares you for smooth and predictable activities across multiple compliance paths

Page 26: Integrated Compliance

Challenges in Compliance Space

Page 27: Integrated Compliance

Challenges

• Redundant efforts
• Cost inefficiencies
• Lack of a compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)

Page 28: Integrated Compliance

ControlCase Solution

Page 29: Integrated Compliance

Learn more about continual compliance:

Compliance as a Service (CaaS)

Page 30: Integrated Compliance

Integrated compliance

Four rows from the ControlCase integrated question set. Each question is asked once and its evidence is mapped to the references it satisfies in PCI DSS 2.0, PCI DSS 3.0, ISO 27002:2013, SOC 2, HIPAA and NIST 800-53 (a framework is omitted from a row where the slide lists no reference for it).

Question 37
Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking etc.), applicable to application, database and backup tapes.
- Screenshots showing that full PAN is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and strength used.
- For backup tapes, a screenshot showing the encryption applied (algorithm and strength, e.g. AES 256-bit) through the backup solution.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0 3.4.a, 3.4.b, 3.4.c, 3.4.d; PCI DSS 3.0 3.4; ISO 27002:2013 10.1.1, 18.1.5; HIPAA 164.312(a)(1)

Question 38
If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system uses separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0 3.4.1.a; PCI DSS 3.0 3.4.1; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 39
Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) in storage.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0 3.5; PCI DSS 3.0 3.5.2; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)

Question 40
Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
References: PCI DSS 3.5.3; ISO 27002:2013 10.1.2; HIPAA 164.312(a)(1)
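What the storage evidence behind questions 37, 39 and 40 looks like when it is code, as an added example that is not from the deck or from ControlCase: the PAN is persisted only as AES-256-GCM ciphertext under a per-record data-encryption key (DEK), the DEK is persisted only wrapped by a key-encryption key (KEK), and the KEK is kept out of the data store entirely, so access to the KEK is what bounds who can reveal a PAN and keys sit in the fewest possible locations. The KEK bytes and the PAN are constructed test values; a production KEK would come from an HSM or KMS rather than a byte literal.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcm returns AES-GCM for a 256-bit key and refuses any other size, so the
// "strong encryption, AES-256" evidence of question 37 holds by construction.
func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 256 bits")
	}
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// seal encrypts with a fresh random nonce, which is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or tampered bytes fail authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Record is what the application database holds for one card: the PAN
// ciphertext under a per-record DEK and that DEK wrapped by the KEK. The KEK
// is deliberately not a field; it lives elsewhere (an HSM or KMS in
// production), which is how keys stay in the fewest locations (question 40).
type Record struct {
	PANCipher  []byte
	WrappedDEK []byte
}

// Protect generates a fresh DEK, encrypts the PAN with it, then wraps the
// DEK with the KEK (envelope encryption).
func Protect(pan string, kek []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{ct, wrapped}, nil
}

// Reveal is the only path back to the PAN and needs the KEK to unwrap the DEK
// first, so access control on the KEK (question 39) bounds who can read it.
func Reveal(r Record, kek []byte) (string, error) {
	dek, err := unseal(kek, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := unseal(dek, r.PANCipher)
	return string(pt), err
}

// StoresPlaintextPAN is the check behind question 37's screenshot evidence:
// nothing persisted may contain the PAN in the clear.
func StoresPlaintextPAN(r Record, pan string) bool {
	return bytes.Contains(r.PANCipher, []byte(pan)) || bytes.Contains(r.WrappedDEK, []byte(pan))
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed KEK; a real one comes from an HSM/KMS
	pan := "4111111111111111"             // constructed test PAN
	r, err := Protect(pan, kek)
	back, _ := Reveal(r, kek)
	fmt.Println(err, len(r.PANCipher), StoresPlaintextPAN(r, pan), back == pan)
}
```

Two properties a QSA would look for fall out of the structure: the data store never holds a usable key (the DEK is only ever stored wrapped), and revealing a PAN always requires a round trip to wherever the KEK lives, which is the point at which restricted access and logging are applied. Note that this does not by itself satisfy question 38; separating file-system encryption from operating-system authentication is a separate control at a different layer.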

Page 31: Integrated Compliance

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

› Certified ISO 27001 Assessment Department

› EI3PA Assessor

› HIPAA Assessor

› HITRUST Assessor

› SOC1, SOC2, SOC3 Assessor

› BITS Shared Assessment Company


Page 32: Integrated Compliance

To Learn More About ControlCase

• Visit www.controlcase.com
• Email us at [email protected]

Page 33: Integrated Compliance

Thank You for Your Time