Vendor Management – PCI DSS, ISO 27001, EI3PA, HIPAA and FFIEC
By Kishor Vaswani, CEO - ControlCase
Agenda
• About PCI DSS, ISO 27001, EI3PA, HIPAA and FFIEC
• Setting up a basic vendor management program
• Challenges in the vendor management space
• Q&A
What is Vendor Risk Management?
Vendor risk management (VRM) is a comprehensive
plan for identifying and reducing the business
uncertainties and legal liabilities that arise from
hiring third parties (vendors) to provide
information technology (IT) products, business
process outsourcing and other related services.
About PCI DSS, ISO 27001, EI3PA,
HIPAA and FFIEC
What is PCI DSS?
Payment Card Industry Data Security Standard:
• A set of requirements for securely processing, storing
or transmitting payment card account (cardholder) data
• Established by the major payment card brands
(American Express, Discover, JCB, MasterCard and Visa)
• Maintained by the PCI Security Standards Council
(PCI SSC)
What is ISO 27001/ISO 27002?
ISO standards:
• ISO 27001 specifies the requirements for an information
security management system (ISMS), the management
framework for implementing information security within
an organization; it is the standard an organization is
certified against
• ISO 27002 is the code of practice that gives detailed
implementation guidance for the security controls
(the controls listed in ISO 27001 Annex A)
What is EI3PA?
Experian Independent Third Party Assessment (Experian's
security audit requirements):
• Experian is one of the three major consumer
credit bureaus in the United States
• Requirements for securely processing, storing or
transmitting Experian-provided data
• Established by Experian to protect the consumer
data/credit history data it provides to third parties
What is HIPAA?
Health Insurance Portability & Accountability Act
of 1996 & HIPAA Omnibus Rule (2013):
• Establishes administrative, physical and technical
safeguards (Security Rule) and privacy standards
(Privacy Rule)
• Applies to covered entities (CEs: health plans,
healthcare clearinghouses and healthcare providers)
and, since the Omnibus Rule, directly to their
business associates (BAs: third parties that handle
protected health information on a CE's behalf)
• Makes the covered entity responsible for obtaining
assurances (business associate agreements) from, and
monitoring the HIPAA compliance of, its business
associates
• Omnibus Rule compliance deadline for business
associates: 09/23/13
Impact to Business Associates and their suppliers
• Business associates must identify, assess and monitor
their own subcontractors (the "BAs of BAs", who are
business associates in their own right under the
Omnibus Rule) and provide regular updates to the
covered entity (CE) concerned
• BAs must define, contractually, the security
requirements, right-to-audit and incident-reporting
clauses that apply to their service providers
• BAs must implement a monitoring/assessment process
proportionate to the nature of the data exchanged
with each service provider
• BAs must be able to demonstrate due diligence and
due care in monitoring their suppliers' security
compliance
CFPB/FFIEC/OCC Guidance
• Consumer Financial Protection Bureau (CFPB) guidance
on service providers – Apr 2012
• Federal Deposit Insurance Corporation (FDIC) guidance
issued – Sep 2013
• Office of the Comptroller of the Currency (OCC)
guidance on third-party relationships – Oct 2013
• FFIEC IT Examination Handbook, Outsourcing
Technology Services booklet
• All of this guidance expects due diligence on
vendors in areas such as risk assessment, contracts,
information security, insurance and subcontracting.
Setting up a basic vendor management program
High Level Process
1. Register/inventory vendors
2. Categorize vendors
3. Create master control checklist
4. Map controls to categories
5. Create vendor risk assessment questionnaire
6. Distribute questionnaire to vendors
7. Analyze responses and attachments
8. Track exceptions to closure
Step 1 – Register/Inventory vendors
Step 2 – Categorize vendors
Questions to ask:
- What type of data do they store, process or transmit
(SSN, card numbers, customer name, diagnosis codes, etc.)?
- Is the data in physical and/or electronic form?
- What business are they in (call center, recoveries,
managed service, software development, printing, hosting)?
- What risk factors exist based on geography (North
America, Asia/Pacific, South America, etc.)?
Step 2 – Categorize vendors (continued)
Considerations:
Less exposure to disclosure/compromise = less
verification (e.g., survey only)
More exposure to disclosure/compromise = more
verification and validation (e.g., survey plus evidence
review and on-site assessment)
Step 3 – Create master control checklist
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Change Management and Monitoring
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Compliance Project Management
Step 4 – Map controls to categories
Map controls from the master list to each category based on:
- What is relevant to the type of data stored, processed
or transmitted (e.g., if card data is involved, PCI DSS
requirements become relevant to check; otherwise not)
- What is relevant from a business perspective (e.g.,
call-center third parties have VoIP-related controls
whereas software development shops may not)
- What is relevant from a geography perspective (e.g.,
background-check practices in the USA and India differ
and may require testing different controls)
Step 5 – Create vendor risk assessment questionnaire
Step 6 – Distribute risk assessment questionnaire to vendors
Step 7 – Analyze responses and attachments
Step 8 – Track exceptions to closure
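The eight steps above, carried through in code as an added example that is not part of the original deck and not ControlCase's software: a small Python vendor risk tiering and control-mapping engine. The data-sensitivity weights, the tier thresholds, the business- and geography-specific control names, the two sample vendors, the questionnaire answers and the dates are all assumptions constructed for this example; only the master checklist domains come from the slide.

```python
"""Added example (not ControlCase's code): vendor risk tiering and control mapping
for steps 1-8 above.  Weights, thresholds, extra control names and all sample data
are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

class Verification(Enum):
    """Step 2 (continued): more exposure means deeper verification."""
    SURVEY = "survey only"
    EVIDENCE = "survey and evidence review"
    ONSITE = "survey, evidence review and on-site assessment"

# Step 3: master control checklist domains, as listed on the slide above.
MASTER_CHECKLIST = [
    "Policy Management", "Vendor/Third Party Management",
    "Asset and Vulnerability Management", "Change Management and Monitoring",
    "Incident and Problem Management", "Data Management", "Risk Management",
    "Business Continuity Management", "HR Management", "Compliance Project Management",
]
# Assumed sensitivity weight per data element (step 2 input).
DATA_WEIGHT = {"card_number": 3, "ssn": 3, "diagnosis_code": 3,
               "experian_data": 3, "customer_name": 1}
# Step 4: regime a data element pulls into scope.
DATA_FRAMEWORKS = {"card_number": "PCI DSS", "diagnosis_code": "HIPAA",
                   "experian_data": "EI3PA"}
# Step 4: business- and geography-specific controls (assumed names).
BUSINESS_CONTROLS = {"call_center": ["VoIP Security"],
                     "hosting": ["Physical and Environmental Security"]}
GEO_CONTROLS = {"USA": ["Background Checks (US)"], "India": ["Background Checks (India)"]}

@dataclass
class Vendor:
    """Step 1: one vendor inventory record."""
    name: str
    business: str
    geography: str
    data_types: FrozenSet[str]
    electronic: bool = True
    physical: bool = False

@dataclass
class Finding:
    """Step 8: one questionnaire exception tracked to closure."""
    vendor: str
    control: str
    due: date
    closed: bool = False

def inherent_risk(v: Vendor) -> int:
    """Step 2: data sensitivity plus one point per form (electronic/physical) the data takes."""
    score = sum(DATA_WEIGHT.get(d, 2) for d in v.data_types)  # unknown element: medium
    return score + int(v.electronic) + int(v.physical)

def verification_level(v: Vendor) -> Verification:
    """Step 2 (continued): exposure score -> verification depth (assumed thresholds)."""
    score = inherent_risk(v)
    if score >= 6:
        return Verification.ONSITE
    return Verification.EVIDENCE if score >= 3 else Verification.SURVEY

def applicable_controls(v: Vendor) -> List[str]:
    """Step 4: master checklist plus data-, business- and geography-driven items."""
    controls = list(MASTER_CHECKLIST)
    controls += sorted({DATA_FRAMEWORKS[d] for d in v.data_types if d in DATA_FRAMEWORKS})
    controls += BUSINESS_CONTROLS.get(v.business, [])
    return controls + GEO_CONTROLS.get(v.geography, [])

def questionnaire(v: Vendor) -> Dict[str, str]:
    """Step 5: one question per applicable control, keyed by control name."""
    return {c: f"Is a documented and tested control in place for {c}?"
            for c in applicable_controls(v)}

def analyze_responses(v: Vendor, answers: Dict[str, str], due: date) -> List[Finding]:
    """Step 7: any control not answered 'yes' (unanswered included) is an exception."""
    return [Finding(v.name, c, due) for c in questionnaire(v)
            if answers.get(c, "").strip().lower() != "yes"]

def open_findings(findings: List[Finding], today: date) -> Tuple[List[Finding], List[Finding]]:
    """Step 8: (still open, overdue) for the exception dashboard."""
    still_open = [f for f in findings if not f.closed]
    return still_open, [f for f in still_open if f.due < today]

# Constructed sample inventory (step 1), questionnaire returns (step 6) and dates.
VENDORS = [
    Vendor("Acme Call Center", "call_center", "India",
           frozenset({"card_number", "customer_name"}), electronic=True, physical=True),
    Vendor("PrintCo", "printing", "USA", frozenset({"customer_name"}),
           electronic=False, physical=True),
]
ACME_ANSWERS = {c: "yes" for c in applicable_controls(VENDORS[0])}
ACME_ANSWERS.update({"PCI DSS": "no", "VoIP Security": ""})  # one "no", one unanswered
DUE = date(2013, 12, 31)         # constructed remediation deadline
REPORT_DATE = date(2014, 1, 15)  # constructed dashboard date, after DUE
```

Two design points worth keeping when this is turned into a real program: the tier is computed from inherent exposure (what data the vendor touches and in which forms) before any questionnaire goes out, which is what step 2 asks for, so the verification depth drives the assessment rather than the other way round; and an unanswered question is treated exactly like a "no", so a vendor cannot escape step 8 by leaving an item blank.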
Challenges in the Vendor Management Space
Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of a dashboard
• Fixing of dispositions
• Reducing budgets (do more with less)
ControlCase Solution
Vendor/Third Party Management
• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking
• Includes BITS FISAP content

Reg/Standard    Coverage area
ISO 27001       A.6, A.10
PCI DSS         12
EI3PA           12
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› Shared Assessments / BITS FISAP Assessor
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (P2PE QSA)
› PCI Approved Scanning Vendor (ASV)
› Certified ISO 27001 Assessor
› EI3PA Assessor
› SSAE 16 / SOC 1, SOC 2 and SOC 3 audits
› HITRUST and HIPAA
To Learn More …
• Visit www.controlcase.com
• Call +1 703 483 6383 (North America)
• Call +57 1 678 3716 (South America)
• Call +44 1276 686 048 (Europe)
• Call +971 4440 5958 (Middle East & Africa)
• Call +91 982 029 3399 (Asia Pacific)
• Kishor Vaswani (CEO) – kvaswani@controlcase.com
Thank You for Your Time
