Downloaded 11 times
Uploaded byControlCase
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
This webinar discussed data protection by design and the Multi-cert approach to compliance. It defined data protection by design as an approach that considers data protection requirements at the design phase and throughout the lifecycle of any system. The Multi-cert approach recognizes that many organizations must comply with multiple certifications and regulations, and integrating these helps provide comprehensive data protection. Common challenges with the Multi-cert approach include redundant efforts and cost inefficiencies. ControlCase's One Audit solution aims to help organizations assess once and comply to many certifications by automating evidence collection and integrating compliance activities.
More Related Content
Similar to 2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
- 1. WEBINAR: DATA PROTECTION BY DESIGN THEMULTICERT WAY YOUR IT COMPLIANCE PARTNER GO BEYOND THE CHECKLIST
- 2. ASHISH KIRTIKAR President, UK ControlCase Ashishis responsible for handling the HITRUST and CSP verticals and ensures efficient and quality delivery of services to clients in the Healthcare sector and beyond. In addition, he is also responsible for sales and execution of business for the Europe and UK regions. Ashish has over 13 years of experience and proficiency in Information and Network Security, Information Risk Management, Cyber Security, Resilience, Security Architecture Designing, Information Security Audit and Governance having handled clients across the globe. He has handled the entire gamut of project management functions related to Cyber Security/Information Security Operations across Banking, Financial, Insurance, Telecom, and IT Services and Industries. Ashish has functioned as a speaker and trainer on various Information Security Topics globally and writes online articles/blogs covering topics of Information Security and Leadership. He has a Bachelor’s Degree in Computer Science from Mumbai University and has completed a management program from the Indian School of Business and National University of Singapore. Our Speaker © ControlCase. All Rights Reserved. 2
- 3. Agenda © ControlCase. AllRights Reserved. 3 1. ControlCase Introduction 2. Data Protection by Design 3. The Multi-cert Way to Data Protection 4. Multi-cert Common Challenges 5. One Audit™ Assess Once, Comply to Many
- 4. CONTROLCASE INTRODUCTION 1 © ControlCase. AllRights Reserved. 4
- 5. ControlCase Snapshot © ControlCase.All Rights Reserved. 5 CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+ 10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
- 6. Solution © ControlCase. AllRights Reserved. 6 I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center Certification & Continuous Compliance Services “
- 7. Certification Services © ControlCase.All Rights Reserved. 7 PCI DSS ISO 27001-2 SOC 1,2,3,& Cybersecurity HITRUST CSF HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS FedRAMP PCI 3DS One Audit™ Assess Once. Comply to Many. “ You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant
- 8. DATA PROTECTION BY DESIGN 2 ©ControlCase. All Rights Reserved. 8
- 9. DATA IS THENEW OIL What is Data Protection by Design? © ControlCase. All Rights Reserved. 9
- 10. What is DataProtection by Design? © ControlCase. All Rights Reserved. 10 DATA PROTECTION = PRIVACY DATA PROTECTION = SECURITY DATA PROTECTION = PRIVACY + SECURITY animate
- 11. Data protection bydesign is an approach that ensures data protection requirements are considered at the design phase of any system, service, product or process and then throughout the lifecycle. ICO UK has recommended this approach to be considered for effective GDPR implementation. This approach helps in having a proactive outlook towards data protection instead of a reactive one. This helps strategize whether a detective, preventive or deterrent control needs to be implemented for overall security / protection as well as effective business operability for any system, service, product or process. What is Data Protection by Design? © ControlCase. All Rights Reserved. 11
- 12. THE MULTI-CERT WAY TODATA PROTECTION 3 © ControlCase. All Rights Reserved. 12
- 13. Why Multi-cert? © ControlCase.All Rights Reserved. 13 In today’s world multiple certifications/regulations have been enforced for the security and privacy of data. Some cover specific datasets, overall security posture, or they may be specific to privacy requirements. A multi-cert approach acts like a tongue and groove joint, where controls which are not covered in one certification are covered in other thus giving a wholistic implementation. This assists in organization’s achieve an effective implementation of ‘Defense in Depth’, methodology which can provide deep Data Protection.
- 14. Multi-cert Way For Example:consider the following certifications, which are seen in the UK / Europe region © ControlCase. All Rights Reserved. 14 Payment Card Industry Data Security Standard (PCI DSS) Established by leading payment card issuers - Guidelines for securely processing, storing, or transmitting payment card account data. GDPR General Data Protection Regulation is a regulation in EU / UK law on data protection and privacy in the UK / European Union and the European Economic Area. It was adopted in 2016 and enforceable since 2018. ISO 27001/ISO 27002 - ISO 27001 The management framework for implementing information security within an organization. ISO 27002 are the detailed controls from an implementation perspective. SOC 2 Created by the American Institute of Certified Public Accountants (AICPA) to fill the gap for organizations that were being requested to have a SAS 70 (now SSAE 18). The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
- 15. Multi-Cert Way –Data Protection by Design © ControlCase. All Rights Reserved. 15 The multi-cert approach provides an integrated way of compliance and data protection implementation by covering the multiple aspects to the right. All the regulations mentioned in the earlier slide, have a very important parameter which talks of security / privacy as a part of the organizational lifecycle. This when implemented in an integrated manner helps achieve Data Protection by Design. Compliance Management Policy Management Vendor / Third Party Management Asset and Vulnerability Management Logging and Monitoring Change Management Incident and Problem Management Data Management Risk Management Business Continuity Management HR Management Physical Security Compliance Project Management
- 16. INDUSTRY REGULATION Business ProcessOrganizations (BPOs) GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK) Payments GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK) Financial Services GDPR, PCI DSS, PSD-2, ISO 27001, Cyber Essentials (UK) Critical Infrastructure GDPR, NIS-1 / NIS-2, ISO27001, Cyber Essentials plus (UK) Common Regulations by Region / Industry © ControlCase. All Rights Reserved. 16
- 17. MULTI-CERT COMMON CHALLENGES 4 © ControlCase.All Rights Reserved. 17
- 18. Multi-cert Common Challenges ©ControlCase. All Rights Reserved. 18 Redundant Efforts Cost Inefficiencies Lack of Compliance Dashboard Fixing of Dispositions Change in Environment Reliance on Third Parties Increased Regulations Reducing Budgets (Do more with less)
- 19. ONE AUDIT™ ASSESS ONCE, COMPLYTO MANY 5 © ControlCase. All Rights Reserved. 19
- 20. ControlCase Solution –One Audit™ © ControlCase. All Rights Reserved. 20 One Audit™ Assess Once. Comply to Many. ? No. Topic Question ControlCase Integrated Standard PCI DSS 3.2.1 ISO 27001 HIPAA SOC2 4 Scoping Provide your asset list, a list of the software, databases, data storage locations, Sample Sets and other related data elements. CC4 X X X X 28 Data Encryption at rest Provide the following for all filesystems, databases and any backup media: • Details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage • Evidence (screenshots or settings) showing covered information is protected. For encryption method, please share the evidence of it's associated key management. • Documented description of the cryptographic architecture that includes: 1. Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date 2. The function of each key used in the cryptographic architecture. 3. Inventory of any HSMs and other secure cryptographic devices (SCD) used for key management (to be provided in inventory as part of Q4). CC37 X X X X 44 Logical Access Provide the organizational access control policy. CC63 X X X X 50 Logical Access For all assets identified in the sample provide evidence of logical access account and password features to include: CC69 X X X X 67 Logging and Monitoring For the sample, provide the audit log policy settings. CC95 X X X 67 77 Security Testing Provide external penetration test reports for network and application layer. CC115 X X X 77
- 21. Compliance Evidence Overlap ©ControlCase. All Rights Reserved. 21 Regulation(s) Completed Other Regulation status based on questions overlap PCI SOC 2 ISO 27001 HIPAA 100% Complete 49.1% (84) Complete 67% (77) Complete 76.1% (54) Complete 50.9% (87) No Evidence Uploaded 33% (38) No Evidence Uploaded 23.9% (17) No Evidence Uploaded
- 22. Assisted by Automation ©ControlCase. All Rights Reserved. 22 ACE • Automated Compliance Engine • Can collect evidence such as configurations remotely CDD • Data Discovery Solution • Can scan end user workstations for card data 1 2
- 23. Compliance & CertificationTime Savings © ControlCase. All Rights Reserved. 23 1,600 HRS. EVIDENCE COLLECTION* 600 HRS. CERTIFICATION SUPPORT* 350 HRS. EVIDENCE COLLECTION* 600 HRS. CERTIFICATION SUPPORT* 2,200 hrs. total time spent on compliance & certification using another auditor* 950 hrs. total time spent on compliance & certification by partnering with ControlCase* * Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, HIPAA).
- 24. Three Key Areasof Focus © ControlCase. All Rights Reserved. 24 CONTROLCASE SOLUTION CONTINUOUS An effective compliance program for cyber security must provide a stream of continuous, accurate information about posture. AUTOMATED Continuous compliance requires an automated platform that collects and processes data in as close to real-time as can be achieved. INTEGRATED The best compliance programs are integrated into the systems being measured, versus built as after-the- fact overlays.
- 25. Summary – WhyControlCase © ControlCase. All Rights Reserved. 25 They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us. — Dir. of Compliance, SaaS company “
- 26. QUESTIONS & ANSWERS 6 © ControlCase.All Rights Reserved. 26
- 27. THANK YOU FORTHE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 [email protected]