Downloaded 49 times
More Related Content
Similar to Continual Compliance Monitoring
Continual Compliance Monitoring
- 1. Continual Compliance Monitoring–PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA By Kishor Vaswani, CEO - ControlCase
- 2. Agenda • About PCIDSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA • Components for Continual Compliance Monitoring within IT Standards/Regulations • Recurrence Frequency and Calendar • Challenges in Continual Compliance Monitoring • Q&A 1
- 3. About PCI DSS,HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
- 4. What is PCIDSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 2
- 5. What is HIPAA 3 •HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following: › Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; › Reduces health care fraud and abuse; › Mandates industry-wide standards for health care information on electronic billing and other processes; and › Requires the protection and confidential handling of protected health information
- 6. What is FERC/NERC 4 •Federal Energy Regulatory Commission (FERC) › The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. • North American Electric Reliability Corporation (NERC): › The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. • Critical Infrastructure Protection Standards › Standards for cyber security protection
- 7. What is EI3PA? ExperianSecurity Audit Requirements: • Experian is one of the three major consumer credit bureaus in the United States • Guidelines for securely processing, storing, or transmitting Experian Provided Data • Established by Experian to protect consumer data/credit history data provided by them 5
- 8. What is ISO27001/ISO 27002 ISO Standard: • ISO 27001 is the management framework for implementing information security within an organization • ISO 27002 are the detailed controls from an implementation perspective 6
- 9. What is FISMA 7 •Federal Information Security Management Act (FISMA) of 2002 › Requires federal agencies to implement a mandatory set of processes, security controls and information security governance • FISMA objectives: › Align security protections with risk and impact › Establish accountability and performance measures › Empower executives to make informed risk decisions
- 10. Components of ContinualCompliance Monitoring
- 11. Continuous Monitoring 8 Testonce, comply to multiple regulations Mapping of controls Automated data collection Self assessment data collection Executive dashboards
- 12. Continual Compliance MonitoringDomains • Policy Management • Vendor/Third Party Management • Asset and Vulnerability Management • Log Management • Change Management • Incident and Problem Management • Data Management • Risk Management • Business Continuity Management • HR Management • Physical Security 9
- 13. Policy Management 10 Appropriateupdate of policies and procedures Link/Mapping to controls and standards Communication, training and attestation Monitoring of compliance to corporate policies Reg/Standard Coverage area ISO 27001 A.5 PCI 12 EI3PA 12 HIPAA 164.308a1i FISMA AC-1 FERC/NERC CIP-003-6
- 14. Vendor/Third Party Management 11 Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Reg/Standard Coverage area ISO 27001 A.6, A.10 PCI 12 EI3PA 12 HIPAA 164.308b1 FISMA PS-3 FERC/NERC Multiple Requirements
- 15. Asset and VulnerabilityManagement 12 Asset list Management of vulnerabilities and dispositions Training to development and support staff Management reporting if unmitigated vulnerability Linkage to non compliance Reg/Standard Coverage area ISO 27001 A.7, A.12 PCI 6, 11 EI3PA 10, 11 HIPAA 164.308a8 FISMA RA-5 FERC/NERC CIP-010
- 16. Logging Management 13 Reg/Standard Coveragearea ISO 27001 A.7, A.12 PCI 6, 11 EI3PA 10, 11 HIPAA 164.308a1iiD FISMA SI-4 Logging File Integrity Monitoring 24X7 monitoring Managing volumes of data
- 17. Change Management andMonitoring 14 Escalation to incident for unexpected logs/alerts Response/Resolution process for expected logs/alerts Correlation of logs/alerts to change requests Change Management ticketing System Logging and Monitoring (SIEM/FIM etc.) Reg/Standard Coverage area ISO 27001 A.10 PCI 1, 6, 10 EI3PA 1, 9, 10 FISMA SA-3
- 18. Incident and ProblemManagement 15 Monitoring Detection Reporting Responding Approving Lost Laptop Changes to firewall rulesets Upgrades to applications Intrusion Alerting Reg/Standard Coverage area ISO 27001 A.13 PCI 12 EI3PA 12 HIPAA 164.308a6i FISMA IR Series FERC/NERC CIP-008
- 19. Data Management 16 Identificationof data Classification of data Protection of data Monitoring of data Reg/Standard Coverage area ISO 27001 A.7 PCI 3, 4 EI3PA 3, 4 HIPAA 164.310d2iv FERC/NERC CIP-011
- 20. Risk Management 17 Inputof key criterion Numeric algorithms to compute risk Output of risk dashboards Reg/Standard Coverage area ISO 27001 A.6 PCI 12 EI3PA 12 HIPAA 164.308a1iiB FISMA RA-3
- 21. Business Continuity Management 18 Business Continuity Planning Disaster Recovery BCP/DR Testing Remote Site/Hot Site Reg/Standard Coverage area ISO 27001 A.14 PCI Not Applicable EI3PA Not applicable HIPAA 164.308a7i FISMA CP Series FERC/SERC CIP-009
- 22. HR Management 19 Training Background Screening Reference Checks Reg/Standard Coverage area ISO 27001 A.8 PCI 12 EI3PA 12 HIPAA 164.308a3i FISMA AT-2 FERC/NERC CIP-004
- 23. Physical Security 20 Badges Visitor Access CCTV Biometric Reg/Standard Coverage area ISO 27001 A.11 PCI 9 EI3PA 9 HIPAA 164.310 FISMA PE Series FERC/NERC CIP-006
- 24. Recurrence Frequency andCalendar
- 25. Daily Monitoring Domains 21 •Asset and Vulnerability Management • New Assets • New Vulnerabilities • Log Management • Response time window • Change Management • Impact in case of an error • Unknown and insecure applications • Incident and Problem Management • Root cause of systemic problems • Response to operational and security incidents
- 26. Monthly/Quarterly Monitoring Domains 22 •Vendor/Third Party Management • Time taken by third parties to respond • Data Management • Identification of unknown data • HR Management • Time taken for training • Time taken for background checks • Physical Security Management • Time take to install new physical security components
- 27. Annual Monitoring Domains 23 •Policy Management • Annual policy reviews • Risk Management • Enterprise wide nature of risk assessment • BCP/DR Management • Time taken to conduct BCP/DR tests
- 28. Challenges in ContinualCompliance Monitoring
- 29. Challenges • Redundant Efforts •Cost inefficiencies • Lack of dashboard • Fixing of dispositions • Change in environment • Reliance on third parties • Increased regulations • Reducing budgets (Do more with less) 24
- 30. Integrated compliance 25 Question. No. Question PCIDSS2.0ReferencePCIDSS3.0 ISO27002:2013 SOC2 HIPAA NIST800-53 37 Provide dataEncryptionpolicyexplainingencryptioncontrolsimplementedfor Cardholderdatadatasecure storage (e.g.encryption,truncation,maskingetc.) – applicable forapplication,database andbackuptapes -Screenshotsshowingfull PANdataisencryptedwithstrongencryptionwhile stored(database tablesorfiles). The captureddetailsshouldalsoshowthe encryptionalgorithmandstrengthused -ForBackuptapes,screenshotshowingthe encryptionapplied(algorithmand strength–e.g.AES256bit)throughbackupsolution SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.4.a,3.4.b,3.4.c,3.4.d 3.4 10.1.1,18.1.5 164.312(a)(1) 38 IfDiskencryptionusedforcarddatadata,thenisthe logical accesstoencryptedfile- systemisseparatefromnative operatingsystemuseraccess? (Provide the adequate evidencesshowingthe logical accessforlocal operatingsystemand encryptedfile systemiswithseparateuserauthentication) SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.4.1.a 3.4.1 10.1.2 164.312(a)(1) 39 Provide evidence showingrestrictedaccesscontrol forDataEncryptionKeys(DEK) andKeyEncryptionKeys(KEK)atstore SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating controlsareperControlCasestandard. 3.5 3.5.2 10.1.2 164.312(a)(1) 40 Provide the evidence showingthe exactlocationswhere encryptionkeysare stored (keysshouldbe storedatfewestpossible locations) 3.5.3 10.1.2 164.312(a)(1)
- 31. Why Choose ControlCase? •Global Reach › Serving more than 400 clients in 40 countries and rapidly growing • Certified Resources › PCI DSS Qualified Security Assessor (QSA) › QSA for Point-to-Point Encryption (QSA P2PE) › Certified ASV vendor › Certified ISO 27001 Assessment Department › EI3PA Assessor › HIPAA Assessor › HITRUST Assessor › SOC1, SOC2, SOC3 Assessor › Shared Assessment Company 26
- 32. To Learn MoreAbout ControlCase • Visit www.controlcase.com • Email us at [email protected]
- 33. Thank You forYour Time