Kurt Hagerman, CISO of FireHost, gave a presentation on security and compliance. He discussed common myths and misperceptions around security and compliance, such as compliance covering all security needs or being a blueprint for a security program. Hagerman emphasized the importance of both security and compliance, especially in the cloud. He cautioned cloud consumers to evaluate what cloud providers actually do for security and compliance, not just what they say, through documentation of controls, independent audits, and mapping of controls to frameworks. Hagerman concluded by advising cloud consumers to work with transparent providers that can clearly explain how they assist with risk mitigation and compliance requirements.
2. Security vs. Compliance
Today’s Speaker
Kurt Hagerman, Chief Information Security Officer
Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications, which allow FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and healthcare spaces, as well as on cloud security.
3. Agenda
• Security & Compliance in the Cloud
• Myths & Misperceptions
• Beyond Compliance: Taking Security to the Next Level
• Compliance and Your Provider
• It’s Not What They Say – It’s What They Do
• Be a Smarter Cloud Consumer
• Questions & Answers
4. Security and Compliance in the Cloud
• Security is vital for all clouds
• Regulatory compliance is vital for sensitive data
• Example: PCI is prescriptive
• The cloud requires both components
There is a lot of confusion around the relationship between security and compliance, and it’s especially true for the cloud.
5. Myths & Misperceptions #1
Myth: Compliance and security are the same thing
Reality: Security and compliance play different roles
6. Myths & Misperceptions #2
Myth: Meeting compliance regulations covers all security needs
Reality: Every organization has security needs beyond compliance requirements
7. Myths & Misperceptions #3
Myth: Compliance requirements are a good blueprint for building a security program
Reality: An effective security program should be built from the ground up based on the organization’s needs
8. Beyond Compliance: Taking Security to the Next Level
• Beef up your security
• Reduce your attack appeal
• Pay attention to anomalous activities
• Turn your data into your watchdog
9. Compliance and Your Provider
• There are pretty outrageous statements being made
• Sounds good, but it’s kind of like the old Wendy’s commercial where Clara shouts out “Where’s the beef?”
• What do they actually mean to you, the cloud consumer?
Are you confused, frustrated? (I know I am)
HITRUST 2014: PHI and the Cloud
10. It’s Not What They Say… It’s What They DO
• Do you know what your vendor is really doing for you?
• Do they provide information on the specific security controls that are included with their service?
• Have they mapped their services and security controls to the HIPAA/HITECH requirements?
• Does your vendor use third parties to provide services to you?
• Have they, and their third parties, been independently assessed?
• Do you know who to call when something goes wrong?
• What about the privacy and breach rule?
• How do I manage a compliance program with multiple vendors all providing my “cloud services”?
11. Be A Smarter Cloud Consumer
Work with vendors that are transparent about how they directly assist you in mitigating risk and addressing your compliance requirements.
Your vendor should:
• Provide a clear, concise explanation of the specific security controls they include and how these assist you
• Articulate the boundaries between their responsibility and yours
• Provide documentation that backs up any assertions about being “HIPAA Compliant”, including:
  • Independent audit reports that clearly state the scope of the assessment
  • The controls framework used
  • How this compliance can be leveraged by YOU
12. What’s Next
• Documentation review
• Evaluating policies and procedures
• Risk assessment
PCI 3.0: Getting Ready 6 Months Out
May 20, 2014
Neil:
Next month, we’ll have another webinar on PCI 3.0 - and this time we’ll go into more detail and talk about documentation review, evaluating policies and procedures and conducting a risk assessment.
Neil:
Now that we’ve taken a look at the difference between compliance and security, let’s hear your questions. If you have any challenges that you’re facing, let us know and we’ll talk about the right actions to take. Just use the chat feature to submit your questions.
Will:
Thank you for joining us today. We hope you enjoyed learning more about security and compliance and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on <date> for <xx>. We look forward to seeing you again.