Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secrets for Successful Regulatory Compliance Projects

232 views

Published on

RDX teams up with MegaplanIT, a nationally known PCI Qualified Security Assessor, to provide strategies and best practices that can be used to adhere to all regulatory compliance frameworks.

The presentation begins with a quick overview of the most popular industry standards and regulatory requirements. MegaplanIT continues with a deep dive into the 12 PCI DSS requirements and discusses risk assessment key considerations.

RDX then follows with a discussion on AICPA's SOC 1, SOC 2 and SOC 3 compliance frameworks and 5 Trust Principles. RDX finishes the webinar by sharing numerous helpful hints, tips and best practices for implementation and ongoing adherence.

A link to a video of the presentations is provided on the last slide.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Secrets for Successful Regulatory Compliance Projects

  1. 1. INSIGHTS Presentation Series Secrets for Successful Regulatory Compliance Projects 12 PCI DSS requirements and risk assessment key considerations AICPA SOC 1, SOC 2, SOC 3 and 5 Trust Principles explained Initial adherence and ongoing compliance best practices RDX: Chris Foot MegaplanIT: Michael Vitolo Date: 9/21/2017 Webinar Video Inside
  2. 2. • Presenters • About RDX and MegaplanIT • Regulatory Standards Overview • AICPA SOC Assessment • PCI DSS Assessment • MegaplanIT PCI Assessment Approach • RDX Assessment Best Practices for Maintaining Compliance • Contact Us
  3. 3. Presenters Michael Vitolo PCI-QSA | PA-QSA | CISSP | CISM | CISA | CRISC | CGEIT | OSWP Managing Partner | MegaplanIT, LLC. Over 18 years working in the Security Industry of which 12 in PCI-DSS mikev@megaplanit.com | www.megaplanit.com Chris Foot Vice President – Delivery Strategies and Technologies Oracle ACE Alumni cfoot@rdx.com www.rdx.com
  4. 4. The Largest Pure Play Provider of Managed Data Infrastructure Services 20 YEARS OF SERVICE DELIVERY EXPERIENCE Database Platforms SQL Server Oracle PostgreSQL* DB2 MongoDB* MySQL* Operating Systems Unix/Linux*Windows Edge Technologies SQL Server BI Oracle EBS SharePoint Exchange Environment 450+ Customers 10,000 Servers 200+ DBAs Fortune 100s Startups All Verticals Cloud Systems Amazon AWS/RDS Oracle Cloud DB DBPaaS Msoft Azure IaaS (dozens) Hybrid Cloud * All distributions
  5. 5. RDX Compliance Experience • Achieved first SOC 1 Type 2 in 2011 • Achieved first SOC 2 Type 2 in 2016 • Achieved first PCI Attestation in 2013 • Engaged MegaplanIT in 2016 to provide QSA examination of our environment RDX is also required to adhere to hundreds of customer specific security frameworks, best practices and individual controls
  6. 6. About MegaplanIT, LLC MegaplanIT, LLC. is an information security and compliance firm specializing in over 30 high-level services designed to protect cardholder data, secure in- scope networks, systems, and websites applications to ensure that your organization is both secure and compliant. MegaplanIT leverages over fifteen years of applied knowledge in the areas of Governance, Risk Mitigation, Information Security, Penetration Testing, Compliance, and Project Management to ensure your goals are consistently met in a timely and efficient manner.
  7. 7. MegaplanIT Services • PCI DSS Assessment • PA DSS Assessment • P2PE Assessment • HIPAA Security and Privacy Assessment • ISO 27001/27002 Risk Assessment • Shared AUP Assessment • NIST 800-171 • NIST 800-53 • NIST Cybersecurity • 3rd Party Risk Assessment • Policy and Procedure Development • Trusted Advisory and Remediation Assistance • Internal Penetration Testing • External Penetration Testing • Web and Application Penetration Testing • Mobile Penetration Testing • Social Engineering • Wireless Penetration Testing • Reverse Engineering • Internal and External Scanning • Approved Scanning Vendor (ASV) • Password Cracking • Security Architecture Review • Cloud Architecture Review • Managed Security Services COMPLIANCE SERVICES INFORMATION SECURITY SERVICES
  8. 8. PCI DSS - Payment Card Industry Data Security Standard  Information security standard for organizations that handle branded credit cards from the major card providers PA DSS - Payment Application Data Security Standard  Data standard for payment applications, which include any software or hardware that stores, processes or transmits electronic credit card data ISO 27000 - International Standards Organization  Internationally recognized set of standards that provide best practice recommendations on information security management HIPAA/HITECH - Health Insurance Portability and Accountability Act  Health Insurance Portability and Accountability Act (HIPAA) requires any organizations that process and/or maintain healthcare-related information to meet security standards in the handling of patient Protected Health Information (PHI) NERC CIP - North American Electric Reliability Corporation  Establishes mandatory reliability standards, including the Critical Infrastructure Protection (CIP) plan These standards aim to maintain and improve the efficiency of North America’s bulk power system while ensuring its continued security and reliability Wide Range of Standards
  9. 9. Wide Range of Standards SSAE 16/18 - Statement on Standards for Attestation Engagements  Internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service NIST - National Institute of Standards and Technology  A measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness  NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of Controlled Unclassified Information (CUI) when the CUI resides in nonfederal information systems/organizations  NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards used by information systems to maintain the integrity, confidentiality, and security of federal information systems  NIST Cybersecurity Framework was published in February 2014, following a collaborative process involving industry, academia, and government agencies, as directed by a presidential executive order. It is a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level
  10. 10. Payment Card Industry Standards Council The PCI Security Standards Council is a global open body formed to develop, enhance, disseminate, and assist with the understanding of security standards for payment account security It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training, and education and certification programs Executive Committee • American Express • MasterCard • Discover • JCB International • Visa Board of Advisors* • Amazon • Citigroup • Cisco • Wal-Mart • Wells Fargo • Target • PayPal • Walt Disney • Exxon • Microsoft Not inclusive*
  11. 11. What is a Qualified Security Assessor? Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements • Assist in the validation of their clients scope for the assessment • Verify all technical information given by Merchant or Service Provider, Including documentation and sample of controls • Perform an onsite for the duration of the assessment to conduct interviews • Adherence to the PCI DSS Requirements and Security Assessment Procedures • Select business facilities and system components where sampling is employed • Evaluate any compensating controls which are required to be above and beyond the original requirement • Produce the final Report on Compliance and Attestation of Compliance
  12. 12. Payment Card Industry Security Standards • PCI DSS is a set of industry standards, not a legal requirement • Standards are enforced by the major card brands who created the PCI Council • Financial penalties are levied by the card brands, not the PCI Council. They can be substantial • Each major card brand has its own unique set of PCI compliance objectives • Three types of standards:  PCI PTS - Manufacturers of PIN transaction security devices  PCI PA DSS – Payment application vendor software developers  PCI DSS – Merchants and service providers  PCI P2PE - covers encryption, decryption, and key management requirements • Four defined levels:  Primarily based on card transaction volume  Other classification criteria may vary according to card brand  Levels determine security controls and processes required
  13. 13. Roles and Responsibilities Payment brands’ compliance programs include: • Tracking and enforcement • Penalties, fees, compliance deadlines • Validation process and who needs to validate • Approval and posting of compliant entities • Definition of merchant and service provider levels Payment brands are also responsible for: • Defining rules for forensic investigations and responding to account data compromises • Monitoring and facilitating investigations of account data compromises to completion
  14. 14. Roles and Responsibilities Responsibilities for Merchants and Service Providers: • Review and understand the PCI security standards • Understand the compliance validation and reporting requirements defined by the card brands with regards to the levels • Validate and report compliance to their acquirer or perhaps a payment card brand as applicable, in addition to maintaining compliance on an ongoing basis • PCI Assessment is a review of compliance at a point in time, but must be maintained throughout the year, and not just at the time of the assessment. • Merchants and Service Providers should read communications from the card brands, acquirers, and the Council on an ongoing basis
  15. 15. Non-Compliance Fines, Fees, and Risk A non-compliant, compromised business could expect: • Damage to their brand/reputation • Investigation costs • Remediation costs • Fines and fees - Non-compliance (each brand issues separate fines) - Re-issuance - Fraud loss • Ongoing compliance audits • Victim notification costs • Financial loss • Data loss • Chargebacks for fraudulent transactions • Operations disruption • Sensitive info disclosure • Denial of service to customers • Individual executives held liable • Possibility of business closure
  16. 16. What is PCI DSS? A set of technical and operational requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of applications and devices used in those transactions Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for employees and contractors Individual Audit Control Objectives https://www.pcisecuritystandards.org/
  17. 17. PCI Compliance – Additional Information PCI Security Standards Council MegaplanIT • PCI SSC Document Library • Robust set of documents that range from glossary of terms to implementation and ongoing adherence best practices • Main document containing the requirements is titled “Requirements and Security Assessment Procedures” • Each control objective contains Requirement definition and description, testing procedure(s), and guidance • The Beginner’s Guide to Understanding PCI Compliance • 5 Tips to Reduce Your PCI Compliance Scope • 10 Ways to Reduce PCI Compliance Costs • Taking PCI Compliance to the Next Level • Penetration Testing for PCI
  18. 18. Why AICPA SOC? • Defacto standard organizations use it to evaluate the quality and security of third party service providers • The controlling organization is the AICPA, which has a strong reputation • The SOC guidelines allow providers to create a set of control objectives that are tailored to the services they perform. RDX provides a unique offering and wanted to be evaluated on the activities that were important to our customers in addition to a standardized set of industry control objectives • AICPA SOC focuses on service delivery QUALITY and system SECURITY • The different levels allowed RDX to begin with a SOC 1 engagement and then move up to a SOC 2 which expands the scope of the audit and the depth of the examination processes
  19. 19. What are AICPA SOC Reports? • SSAE stands for Statement of Standards for Attestation Engagements • Internal control reports that provide information to allow organizations to review, assess and address the risks of an outsourced service • Created by the American Institute of Certified Public Accountants’ Auditing Standards Board • The Statement of Standards establishes requirements and provides guidance on the entire engagement life-cycle:  Establishing overall objectives for SSAE audit engagements  Identifying subject matter and evaluation criteria to be included in engagement  Measuring and examination procedures  Procedural best practices  Reporting standards AICPA Standards Evolution  SAS 70 – Issued in April, 1992 by AICPA. Provided guidance to CPAs reporting on a service organization’s controls relevant to user entities’ financial reporting. SAS 70 was architected to audit controls of financial reporting, not outsourced services  SSAE 16 – Issued in April, 2010. Designed to allow practitioners to report on subject matter other than financial statements. The SSAE 16 focuses on the examination of a service organization’s “system”. Further updates create SOC 1, SOC 2 and SOC 3 reports to better tailor SSAE engagements to clients’ needs  SSAE 18 – Issued in May, 2017. Enhances SSAE 16 SOC 1 by increasing focus on risk assessment/reporting and adding required controls to improve the audited entity’s monitoring of subservice organizations. Subservice organizations perform services that are relevant to the audited entity’s overall offering 1618
  20. 20. SOC 1 (SSAE 18) Reports Two SOC 1 Types: • Type 1 reports focus on the effectiveness of policies and procedures in place at a service organization at a specified point in time and (1), confirm that controls are actively in place, (2), measure the effectiveness of the controls and (3), assess how fairly the service organization's management has presented the controls to you • Type 2 reports cover policies and procedures currently in operation and test their effectiveness over a period of time. These reports include everything from the Type 1 report (examination and confirmation of controls in place) plus an analysis of the controls’ operating effectiveness over a specified period of at least six consecutive months. Type 2 reports are favored by many user organizations for their thoroughness When to choose SOC 1:  Seeking a cost-effective method of preparing for a service audit  Planning to perform an initial Type 2 service audit  Your service organization currently identifies control vulnerabilities using an internal reporting system  Your organization has not recently performed an audit (financial or regulatory) that included IT controls
  21. 21. SOC 2 Reports • Outline the controls in place at your service organization and analyze their confidentiality, security, processing, integrity, availability of Information • Provide evidence for your customers and other stakeholders that effective controls are in place which meet worldwide security concerns • Intended for a wider range of audiences than SOC 1 reports but are not available to the general public. Their availability is restricted to those who have a demonstrated need for the information contained therein, and these reports are often a component of regulatory oversight, vendor management programs, and internal corporate governance • SOC 2 engagements include the option of Type 1 and Type 2 reports, as described in the SOC 1 When to choose SOC 2:  You require third party verification  Your organization operates a system that is critical to your customers  Your organization prefers a detailed audit report  Your organization's system does not affect your customers’ financial reports  Your organization desires that the audit be performed based on the five Trust Services Principles
  22. 22. SOC 3 Reports • SOC 3 reports, also known as Trust Services Reports, are more general and are intended for a broader audience than the other reporting options. They’re designed for anyone interested in a CPA's opinion about the availability, security, and processing integrity of controls at a service organization. SOC 3 Reports are often used for marketing purposes, distributed online, or posted on a service organization's website to prove that they have controls in place to manage risks associated with outsourcing services When to choose SOC 3:  Your organization's reputation relies on the ability to keep information secure, accurate, and private  Your organization operates a system that is critical to your customers  Your organization desires an independent review that allows you to display the SOC 3 seal on your website  Your organization employs more than ten people and/or exceeds $2 million in annual revenue
  23. 23. RDX’s AICPA SOC and PCI Compliance Projects Overall Goals Improve Support Quality RDX clients want us to improve the quality and security of their environments. We can only accomplish this by improving our environment FIRST Strengthen Security RDX customers have turned over the keys to their most sensitive database data stores to our organization. This is a significant responsibility Competitive Advantage RDX’s LOB is extremely competitive. Our competitors range from 2 guys in a garage to fortune 100s. Certifications are key competitive differentiators Reduce Costs RDX chose partners that have strong experience and would provide us with best practices to streamline compliance. RDX is a learning organization $
  24. 24. RDX Compliance Project Hints and Tips • Create a project team that represents all areas of the business - from backend operations to front-line technical support teams  Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)  Assign Audit Project Manager  Identify Audit Project Champion • Encourage assigned personnel to self educate. The team should have a strong knowledge of the process before contacting potential auditing firms  RDX created a robust documentation library for both PCI and AICPA SOC during initial stages  RDX collected information from PCI Security Standards Council, AICPA, and well-known, reputable auditing and compliance firm websites • Keep management informed throughout the entire engagement life-cycle  All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm  RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process • Assign owners to all compliance activities  Subject areas evaluated during audit (network, HR, security, front line support, back office OPs)  Evidence gathering and collection  Ongoing monitoring to identify new anomalies and outliers
  25. 25. RDX Compliance Project Hints and Tips • One of the most critical meetings with your auditing firm will be to:  Perform a final review the control objectives  Agree upon how the evidence will be collected  Agree upon how the evidence will be reported  Agree upon the criteria used to determine if the evidence results in a pass/fail  Establish audit period start and examination dates  Communication procedures when business changes occur that impact audit • Build a strong partnership with your auditing firm(s)  Understand their role in the process  Their goal is to help you improve your service delivery environment  Part of that process will be to identify gaps during the initial analysis  They will also identify exceptions during their audit examinations and report these findings. They aren’t being adversarial; they’re just doing what you pay them to • Understand that all audits are ongoing projects. In addition to the audit examinations, you will be required to:  Add, modify, and remove control objectives as your business processes evolve  Modify internal processes to address audit exceptions  Improve the quality of evidence collection and reporting  Automate processes, buy/build applications as well as purchase toolsets and products to improve ability to comply and reduce audit costs  Constantly monitor evidence to identify anomalies and outliers. Don’t get surprised during the examination
  26. 26. RDX’s AICPA SOC Compliance Project • Project execution and best practices can be compared to most traditional internal initiatives. One difference was the substantial amount of investigation performed to better understand AICPA SOC requirements and select an auditing vendor • Identified stakeholders, project champion and assigned selected personnel as project managers and participants. All participants were assigned a very specific set of responsibilities • First activity was to collect SOC informational materials and best practices documents from reputable sources to educate team members • A traditional vendor evaluation methodology was used to select an auditing vendor. RDX created a robust set of evaluation metrics that were weighted by importance. Evaluation team members reviewed information provided by vendors and compiled a short list of competitors. RDX performed a more in-depth analysis of the surviving competitors and selected the winning vendor • RDX met with a cross-section of customers to determine the criteria they used to evaluate the quality of RDX’s support services. Common themes were identified, discussed with auditors, and used to create a set of audit control objectives that best reflect the key service quality indicators that measure RDX’s operating effectiveness • The audit control objectives included all activities related to physical and logical security controls, data privacy, organization and administration, vendor management, work request and ticket management, incident management, and monitoring installation and configuration
  27. 27. RDX’s AICPA SOC Best Practices • Create a project team that represents all areas of the business - from backend operations to front-line technical support teams  Subject Matter Experts (business OPs, front-line support techs, security team, documentation specialists)  Assign Audit Project Manager  Identify Audit Project Champion • Build a robust educational library. Materials should range from glossary of terms and overviews to in-depth “how-to” documents and best practices  AICPA website  Auditing and compliance firm websites provide a wealth of information to draw from • Encourage your project team to self educate. The team should have a strong knowledge of the audit controls and examination processes before contacting potential auditing firms • Keep management informed throughout the entire engagement life-cycle  All compliance projects will incur engagement costs, potential hardware and software purchases as well as labor costs required to remediate gaps identified in the initial analysis and labor hours required to collect and present evidence to the auditing firm  RDX was required to produce such a large volume of evidence that we were compelled to build internal applications to automate the evidence recording process
  28. 28. RDX’s AICPA SOC Best Practices • Select the appropriate firm to perform the audit  The firm should be a member of the AICPA  Have a strong track record with SOC audits  Experience in auditing organizations that are in, or close to, your line of business (LOB)  Check references  Name recognition is important. The more widely known your auditing firm is, the more credibility your SOC reports will have with potential customers  Easy to work with. Firm but fair • Work with your auditing firm to determine which SOC report best fits your needs • Create a set of control objectives that:  Allows customers to easily evaluate the quality and security of the services you provide  RDX solicited a cross-section of customers to discuss how they evaluated the quality of our services  Allows your organization to internally evaluate the quality and security of the services you provide. Selecting control objectives that you feel are important is critical. The goal of the process is to improve your environment (it isn’t just to create marketing spin) • Work with your auditing firm to evaluate your third party applications and service providers to determine if your ability to deliver support to your customers is dependent upon their services. You may need to include them in your control objectives  Third party applications your shop uses as well as service providers  Review your service providers’ SOC reports with your auditors  Agree upon what should be included  Meet with your service provider to discuss gaps
  29. 29. SOC 2 Type 2 Benefits to RDX Dedicated project that focuses on two subject areas that are critical to our business - service delivery quality and system security Demonstrates to customers that RDX is being held to a rigorous industry standard Competitive differentiation. SOC 2 Type 2 audits are broad in scope and deep in details. They are significant undertakings
  30. 30. Why PCI DSS? PCI compliance allows RDX to more easily and quickly comply with other regulatory frameworks Stringent controls, well defined requirements and test procedures. Controls evolve as new threats are identified RDX uses PCI as the foundation to build our overall security architecture upon PCI is the industry standard businesses use to evaluate security FOUNDATION CONSUMER CONFIDENCE ROBUST CONTROLS NEW COMPLIANCES
  31. 31. PCI is the Foundation of Our Security Architecture PCI Security Training Endpoint Security Config. Standards VPN/IPSEC Logging & Monitoring IDS/FIM Change Control Threat Detection Secure Development Access Control Patch Management Firewall Unique Accounts RDX expands PCI controls to cover our entire network
  32. 32. • Business operations change frequently. You must be aware of their impact on PCI compliance activities  New lines of business  New business processes  Business growth  Improvements to current business processes  Automation  New applications  New organizational units, roles and personnel • Maintain a steady stream of high quality communications with your PCI auditing firm  Discuss any potential changes to compliance activities immediately to reduce confusion during examination period  Continuously monitoring your evidence allows you to identify new anomalies or outliers. Address them immediately with your auditing firm • Perform spot checks on evidence. Tailor evidence evaluation schedules based on occurrence of past issues, potential for exceptions, volume of evidence produced, importance to examination process RDX’s PCI Best Practices
  33. 33. RDX’s PCI Best Practices • Encourage assigned personnel to self educate. The team should have a strong knowledge of the process before contacting potential auditing firms  RDX downloaded the PCI compliance document, copied each control into a spreadsheet and added columns for apply/does not apply, dependent upon third-party vendor, additional product purchases required, how to comply, who complies, level of effort to comply, evidence for compliance, questions for auditor and notes • Select the appropriate firm to perform the audit  The firm should be a Qualified Security Assessor (QSA)  QSAs are held to a high standard by PCI Standards Council  Experience in auditing organizations that are in, or close to, your line of business (LOB)  Check references  Name recognition is important. The more widely known your auditing firm is, the more credibility your PCI will have with potential customers • Work with your auditing firm to determine which PCI Level you should adhere to • Work with your auditing firm to evaluate your third party applications and service providers to determine if your ability to achieve PCI compliance is dependent upon their services. You may need to include them in your control objectives  Third party applications your shop uses as well as service providers  Review your service providers’ SOC and PCI reports with your auditors  Agree upon what should be included  Meet with your service provider to discuss gaps
  34. 34. • Compliance Project Details • Selecting Audit Compliance Firms • Lessons Learned • Ongoing Compliance Challenges • Streamlining and Improving Evidence Collection and Reporting • Audit Compliance Best Practices Contact Us For Additional Information • PCI DSS Assessments • Trusted Advisory and Remediation Assistance • Internal/External Penetration Testing • Internal/External ASV Scanning • PCI DSS GAP assessments • Quarterly Health Checks • Policy and Procedure Development • Compliance Project Management • Web/Mobile Penetration Testing • Managed Security Services Provider And our real core competency: Remote Data Infrastructure Management DATABASE EXPERTSSECURITY EXPERTS
  35. 35. Next Month’s Presentation – Microsoft BI Intelligence Overview and Power BI Demo The RDX Report - Sign up by emailing info@rdx.com Microsoft CosmosDB – NoSQL Competition Killer, Power BI Videos, Amazon AWS, Microsoft Azure and Oracle Cloud IaaS Architecture Deep Dives LinkedIn Selecting Cloud DBMS, NoSQL Architectures, Rising Interest in Open Source Relational Databases, Database Security Series, Improving Customer Service cfoot@rdx.com mikev@megaplanit.com RDX Report Signup View YouTube Video of this Presentation 20YEARS OF SERVICE DELIVERY EXPERIENCE

×