Elevate Your Business with Our IT Expertise in New Orleans
Vendor Management - PCI DSS, ISO 27001, E13PA,HIPPA & FFIEC
1. Vendor Management– PCI DSS, ISO
27001, EI3PA, HIPAA and FFIEC
By Kishor Vaswani, CEO - ControlCase
2. Agenda
• About PCI DSS, ISO 27001, EI3PA and HIPAA
• Setting up a basic vendor management program
• Challenges in the vendor management space
• Q&A
1
3. What is Vendor Risk Management
Vendor risk management (VRM) is a comprehensive
plan for identifying and decreasing potential
business uncertainties and legal liabilities regarding
the hiring of 3rd parties (vendors) to provide
information technology (IT) products, business
process outsourcing and other related services.
2
5. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
3
6. What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for
implementing information security within an
organization
• ISO 27002 are the detailed controls from an
implementation perspective
4
7. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer
credit bureaus in the United States
• Guidelines for securely processing, storing, or
transmitting Experian Provided Data
• Established by Experian to protect consumer
data/credit history data provided by them
5
8. What is HIPAA?
Health Insurance Portability & Accountability Act
of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical
security and privacy standards
• Applies to both healthcare providers and business
associates (3rd parties)
• Attributes responsibility for monitoring HIPAA
compliance of business associates to healthcare
providers
• Assessment of compliance of business associates
due 09/23/13
6
9. Impact to Business Associates and their suppliers
• Business associates must identify, assess and monitor
their supporting business associates (BAs of BAs) and
provide regular updates to the respective CE
• BAs must establish and define (contractually)
security requirements, right to audit, incident
reporting clauses with their service providers
• BAs must implement an effective
monitoring/assessment process based on the nature
of the data exchanged with service providers
• Be able to show due diligence/due care with respect
to monitoring their supplier’s security compliance
7
10. CFPB/FFIEC/OCC Guidance
• Guidance provided by Consumer Financial
Protection Bureau (CFPB) – Apr 2012
• Federal Deposit Insurance Corporation (FDIC) guidance
issued – Sep 2013
• Office of the Comptroller of the Currency (OCC) – Oct
2013
• All of these regulations require due diligence of
vendors in various areas such as risk
assessments, contracts, information security, insurance
and subcontracting.
8
12. High Level Process
Register/Inventory
vendors
Categorize vendors
Map controls to
categories
Create vendor risk
assessment questionnaire
Create master control
checklist
Distribute questionnaire
to vendors
Analyze responses and
attachments
Track exceptions to
closure
9
14. Step 2 – Categorize vendors
Questions to ask
- What type of data do they store, process or transmit
(SSN, Card Numbers, Customer Name, Diagnosis
code(s), etc.,)
- Is the data in a physical and/or electronic form
- What business are they in (Call Center, Recoveries, Managed
Service, Software Development, Printing, Hosting)
- What risk factors exist based on Geography (North
America, Asia/Pacific, South America etc.)
11
15. Step 2 – Categorize vendors (continued)
Considerations:
Less exposure of disclosure/compromise = less
verification (i.e., survey only)
More exposure of disclosure/compromise = more
verification and validation (e.g., survey, evidence
review, on-site assessment)
12
16. Step 3 – Create master control checklist
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Change Management and Monitoring
• Incident and Problem Management
• Data Management
• Risk Management
• Business continuity Management
• HR Management
• Compliance Project Management
13
17. Step 4 – Map controls to categories
Map controls from master list to categories based on
- What is relevant to the type of data being stored processed
or transmitted (for e.g. if card data then PCI DSS may be
relevant to check for vs. not)
- What is relevant from a business perspective (e.g. call
centers third parties have VOIP related controls whereas
software development may not)
- What is relevant from a geography perspective (e.g.
background checks in USA vs. India may be different and
may require testing different controls)
14
25. Vendor/Third Party Management
20
Management of third parties/vendors
Self attestation by third parties/vendors
Remediation tracking
Includes BITS FISAP content
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
26. Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› Shared Assessment/BITS FISAP Assessor
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessor
› EI3PA Assessor
› SSAE16, SOC1, SOC2, SOC3 Audits
› HITRUST and HIPAA
21