VENDOR MANAGEMENT
PCI DSS, FISMA, FERC/NERC,
HIPAA & ISO 27001
YOUR IT COMPLIANCE PARTNER –
GO BEYOND THE CHECKLIST
AGENDA
1 ControlCase Introduction
2 About PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001
3 Vendor Management Basic Approach
4 Challenges
5 Why ControlCase
© 2020 ControlCase. All Rights Reserved. 2
1 CONTROLCASE INTRODUCTION
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden of becoming certified and maintaining IT compliance:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner

1,000+ clients | 10,000+ IT security certifications | 300+ security experts
Solution - Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certification and Continuous Compliance Services
Certification Services
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
Frameworks covered: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, CSA STAR, HIPAA, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI PA-DSS, SCA, PCI 3DS
2 ABOUT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001

What is PCI DSS
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
What is FISMA
The Federal Information Security Management Act (FISMA) of 2002 requires federal agencies to implement a mandatory set of processes, security controls and information security governance.
FISMA objectives:
• Align security protections with risk and impact
• Establish accountability and performance measures
• Empower executives to make informed risk decisions
What is HIPAA
HIPAA is the acronym for the Health Insurance
Portability and Accountability Act that was passed
by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health
insurance coverage for millions of American workers
and their families when they change or lose their jobs
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care
information on electronic billing and other processes
• Requires the protection and confidential handling
of protected health information
What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 provides the detailed controls from an implementation perspective
What is FERC/NERC
Federal Energy Regulatory Commission (FERC)
The Federal Energy Regulatory Commission (FERC) is the
United States federal agency with jurisdiction over interstate
electricity sales, wholesale electric rates, hydroelectric
licensing, natural gas pricing, and oil
pipeline rates.
North American Electric Reliability Corporation (NERC):
The North American Electric Reliability Corporation (NERC)
is a not-for-profit international regulatory authority whose
mission is to ensure the reliability of the bulk power system
in North America.
Critical Infrastructure Protection (CIP) Standards
• NERC standards for cyber security protection of the bulk power system
3 VENDOR MANAGEMENT BASIC APPROACH

Why Vendor/Third Party Management?
REG/STANDARD   COVERAGE AREA
ISO 27001      A.6, A.10
PCI DSS        Requirement 12
HIPAA          164.308(b)(1)
FISMA          PS-3
FERC/NERC      Multiple Requirements
• Management of third parties
• Attestation/Audit of third parties
• Remediation tracking
Cloud
• Cloud environments must be considered a third party
• Need to document a “compliance matrix” of requirements which are the responsibility of the cloud provider
High Level Process
1. Register/Inventory vendors
2. Categorize vendors
3. Create master control checklist
4. Map controls to categories
5. Create vendor risk assessment questionnaire
6. Distribute questionnaire to vendors
7. Analyze responses and attachments
8. Provide a Data Security Rating
9. Track exceptions to closure
Step 1 – Register/Inventory Vendors
Step 2 – Categorize Vendors
QUESTIONS TO ASK
• What type of data do they store, process or transmit (SSN, card numbers, customer name, diagnosis code(s), etc.)?
• Is the data in physical and/or electronic form?
• What business are they in (call center, recoveries, managed service, software development, printing, hosting)?
• What risk factors exist based on geography (North America, Asia/Pacific, South America, etc.)?
Step 2 – Categorize Vendors (contd.)
CONSIDERATIONS
• Less exposure to disclosure/compromise = less verification (e.g., survey only)
• More exposure to disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)
Step 3 – Create Master Control Checklist
Control domains in the master checklist:
• Policy Management
• Asset and Vulnerability Management
• Incident and Problem Management
• Risk Management
• HR Management
• Vendor / Third Party Management
• Change Management and Monitoring
• Data Management
• Business Continuity Management
• Compliance Project Management
Step 4 – Map Controls To Categories
MAP CONTROLS FROM MASTER LIST TO CATEGORIES BASED ON
• What is relevant to the type of data being stored, processed or transmitted (e.g., if card data is involved then PCI DSS controls are relevant to check, otherwise not)
• What is relevant from a business perspective (e.g., call-center third parties have VoIP-related controls whereas software development vendors may not)
• What is relevant from a geography perspective (e.g., background checks in the USA vs. India may differ and may require testing different controls)
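Steps 2 to 4 above (categorize the vendor by data, form, business and geography; pick the verification depth from exposure; map master-checklist controls onto the category) can be encoded as a small rule set. The following is an added example written for this page, not ControlCase’s own tooling; the control identifiers, exposure weights and thresholds are constructed placeholders to be replaced by your own checklist and risk appetite.

```python
"""Vendor categorization and control mapping (deck Steps 2 to 4). Added example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Verification(Enum):
    """Verification depth: less exposure means less verification, more means more."""
    SURVEY_ONLY = "survey only"
    EVIDENCE_REVIEW = "survey and evidence review"
    ONSITE_ASSESSMENT = "survey, evidence review and on-site assessment"


@dataclass(frozen=True)
class Vendor:
    name: str
    data_types: frozenset  # elements the vendor stores, processes or transmits
    electronic: bool       # data held in electronic form
    physical: bool         # data held in physical form (paper, media)
    business: str          # call_center, software_development, hosting, printing, ...
    geography: str         # usa, india, ...


@dataclass
class Assessment:
    vendor: str
    exposure: int
    verification: Verification
    regulations: set = field(default_factory=set)
    controls: dict = field(default_factory=dict)  # control domain -> [controls]


# Exposure weight per data element (constructed values; tune to your risk appetite).
DATA_WEIGHTS = {"card_number": 5, "ssn": 5, "diagnosis_code": 5, "customer_name": 1}

# Data element -> regulation that makes it relevant (deck: card data means PCI DSS).
DATA_REGULATIONS = {"card_number": "PCI DSS", "diagnosis_code": "HIPAA"}

# Step 4 mapping rules: (control domain, control, predicate on the vendor).
# Control identifiers and wording are constructed for this example.
Rule = Tuple[str, str, Callable[[Vendor], bool]]
RULES: List[Rule] = [
    ("Policy Management", "POL-1 approved security policy, reviewed annually",
     lambda v: True),
    ("Data Management", "DM-1 cardholder data encrypted at rest and in transit",
     lambda v: "card_number" in v.data_types),
    ("Data Management", "DM-2 PHI access restricted to need-to-know and logged",
     lambda v: "diagnosis_code" in v.data_types),
    ("Data Management", "DM-3 paper records locked away and cross-cut shredded",
     lambda v: v.physical),
    ("Change Management and Monitoring", "CM-1 VoIP call recordings encrypted and access-reviewed",
     lambda v: v.business == "call_center"),
    ("Change Management and Monitoring", "CM-2 code review and SAST gate before release",
     lambda v: v.business == "software_development"),
    ("Vendor / Third Party Management", "TPM-1 compliance matrix lists controls owned by the provider",
     lambda v: v.business == "hosting"),
    ("HR Management", "HR-1-US pre-employment background check per US practice",
     lambda v: v.geography == "usa"),
    ("HR Management", "HR-1-IN pre-employment verification per Indian practice",
     lambda v: v.geography == "india"),
]


def exposure_score(v: Vendor) -> int:
    """Step 2: exposure grows with data sensitivity and with each form the data is held in."""
    forms = max(int(v.electronic) + int(v.physical), 1)
    return sum(DATA_WEIGHTS.get(d, 1) for d in v.data_types) * forms


def verification_for(exposure: int) -> Verification:
    """Thresholds are constructed: low exposure gets a survey, high exposure an on-site visit."""
    if exposure >= 8:
        return Verification.ONSITE_ASSESSMENT
    if exposure >= 3:
        return Verification.EVIDENCE_REVIEW
    return Verification.SURVEY_ONLY


def assess(v: Vendor) -> Assessment:
    """Categorize the vendor, then map the master checklist onto its category."""
    exposure = exposure_score(v)
    a = Assessment(v.name, exposure, verification_for(exposure))
    a.regulations = {DATA_REGULATIONS[d] for d in v.data_types if d in DATA_REGULATIONS}
    for domain, control, applies in RULES:
        if applies(v):
            a.controls.setdefault(domain, []).append(control)
    return a


if __name__ == "__main__":
    # Constructed sample vendors, one per verification tier.
    samples = [
        Vendor("Acme Hosting", frozenset({"card_number", "customer_name"}), True, False, "hosting", "usa"),
        Vendor("Contact Center Ltd", frozenset({"card_number", "diagnosis_code", "customer_name"}),
               True, True, "call_center", "india"),
        Vendor("Print Co", frozenset({"customer_name"}), False, True, "printing", "usa"),
    ]
    for vendor in samples:
        result = assess(vendor)
        print(f"{result.vendor}: exposure={result.exposure}, {result.verification.value}, "
              f"regulations={sorted(result.regulations)}")
        for domain, controls in result.controls.items():
            print(f"  {domain}: {controls}")
```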
Step 5 – Create Vendor Risk Questionnaire
Step 6 – Distribute Questionnaires
Step 7 – Analyze Responses
Step 8 – Provide a Data Security Rating for vendor
Score based on various data points including:
• Log Management
• Vulnerability Management
• Data Leak Prevention or Data Discovery
• Other Automated Feeds

1. Collect Data – Logs; Scans and Test Reports; Data Leak; Identity and Access Mgmt.
2. Data Analytics – Analysis of Data Against 15 Int’l Standards
3. Calculate Ratings – Analysis of Data Against 15 Int’l Standards
4. Report – Rating & Remediation Action Plan with Cost
5. Presentation – ControlCase presents to board
Step 9 – Track Exceptions To Closure
4 COMMON CHALLENGES

Challenges
• Redundant Efforts
• Lack of Compliance Dashboard
• Change of Environment
• Increased Regulations
• Cost Inefficiencies
• Fixing of Dispositions
• Reliance on Third Parties
• Reducing Budgets (Do more with less)
5 WHY CONTROLCASE

Automation and AI
Automated Data Feed
Quarterly Score based on 4 rolling quarters’ worth of data:
• Log Management
• Vulnerability Management
• Data Leak Prevention or Data Discovery
• Other Automated Feeds

1. Collect Data – Logs; Scans and Test Reports; Data Leak; Identity and Access Mgmt.
2. Data Analytics – Analysis of Data Against 15 Int’l Standards
3. Calculate Ratings – Analysis of Data Against 15 Int’l Standards
4. Report – Rating & Remediation Action Plan with Cost
5. Presentation – ControlCase presents to board
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
THANK YOU FOR THE
OPPORTUNITY TO CONTRIBUTE TO
YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Vendor Management for PCI DSS, HIPAA, and FFIEC

• 7. Section 2 – ABOUT PCI DSS, FISMA, FERC/NERC, HIPAA & ISO 27001

• 8. What is PCI DSS
  Payment Card Industry Data Security Standard:
  - A set of mandatory security requirements (not optional guidelines) for any entity that stores, processes, or transmits payment card account data
  - Founded by the major payment card brands (Visa, Mastercard, American Express, Discover, JCB), which enforce it contractually through acquirers and merchants
  - Maintained by the PCI Security Standards Council (PCI SSC)

• 9. What is FISMA
  Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014.
  Requires federal agencies (and contractors operating systems on their behalf) to implement a mandatory set of processes, security controls and information security governance. In practice, systems are categorized under FIPS 199, minimum requirements come from FIPS 200, and the control catalog is NIST SP 800-53.
  FISMA objectives:
  - Align security protections with risk and impact
  - Establish accountability and performance measures
  - Empower executives to make informed risk decisions

• 10. What is HIPAA
  HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
  - Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  - Reduces health care fraud and abuse
  - Mandates industry-wide standards for health care information on electronic billing and other processes
  - Requires the protection and confidential handling of protected health information (PHI). The Privacy Rule and Security Rule (45 CFR Part 164) carry these requirements, and they extend to business associates that handle PHI on a covered entity's behalf.

• 11. What is ISO 27001/ISO 27002
  ISO Standards:
  - ISO/IEC 27001 specifies the requirements for an information security management system (ISMS); it is the standard an organization is certified against
  - ISO/IEC 27002 is the accompanying code of practice that describes each Annex A control from an implementation perspective; it is guidance, not a certifiable standard

• 12. What is FERC/NERC
  Federal Energy Regulatory Commission (FERC): the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
  North American Electric Reliability Corporation (NERC): a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America. FERC certified NERC as the Electric Reliability Organization and approves the reliability standards NERC develops.
  Critical Infrastructure Protection (CIP) Standards:
  - NERC's mandatory cyber security standards for the bulk electric system; registered entities are audited against them and non-compliance is enforceable with penalties
• 13. Section 3 – VENDOR MANAGEMENT BASIC APPROACH

• 14. Why Vendor/Third Party Management?
  Where each regulation/standard requires it:

  REG/STANDARD          COVERAGE AREA
  ISO 27001             A.6, A.10 (2005 edition: external parties and third-party service delivery; A.15 Supplier relationships in the 2013 edition)
  PCI DSS               Requirement 12 (12.8: manage service providers with whom cardholder data is shared, or that could affect its security)
  HIPAA                 45 CFR 164.308(b)(1): business associate contracts and other arrangements
  FISMA (NIST 800-53)   PS-3 (Personnel Screening) for vendor staff; the third-party relationship itself falls under PS-7 (External Personnel Security) and SA-9 (External System Services)
  FERC/NERC             Multiple requirements (e.g. CIP-013, Supply Chain Risk Management)

  What it involves:
  - Management of third parties
  - Attestation/Audit of third parties
  - Remediation tracking
  Cloud:
  - Cloud environments must be considered a third party
  - Document a "compliance matrix" (shared responsibility matrix) stating which requirements are the responsibility of the cloud provider and which remain with you

• 15. High Level Process
  1. Register/Inventory vendors
  2. Categorize vendors
  3. Create master control checklist
  4. Map controls to categories
  5. Create vendor risk assessment questionnaire
  6. Distribute questionnaire to vendors
  7. Analyze responses and attachments
  8. Provide a Data Security Rating
  9. Track exceptions to closure
• 16. Step 1 – Register/Inventory Vendors
• 17. Step 2 – Categorize Vendors
  QUESTIONS TO ASK
  - What type of data do they store, process or transmit (SSN, card numbers, customer name, diagnosis code(s), etc.)
  - Is the data in physical and/or electronic form
  - What business are they in (call center, recoveries, managed service, software development, printing, hosting)
  - What risk factors exist based on geography (North America, Asia/Pacific, South America, etc.)

• 18. Step 2 – Categorize Vendors (contd.)
  CONSIDERATIONS
  - Less exposure to disclosure/compromise = less verification (i.e., survey only)
  - More exposure to disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)

• 19. Step 3 – Create Master Control Checklist
  Control domains in the master list:
  - Policy Management
  - Asset and Vulnerability Management
  - Incident and Problem Management
  - Risk Management
  - HR Management
  - Vendor / Third Party Management
  - Change Management and Monitoring
  - Data Management
  - Business Continuity Management
  - Compliance Project Management

• 20. Step 4 – Map Controls To Categories
  MAP CONTROLS FROM THE MASTER LIST TO CATEGORIES BASED ON
  - What is relevant to the type of data being stored, processed or transmitted (e.g., if card data is involved then PCI DSS controls are relevant to check for; otherwise not)
  - What is relevant from a business perspective (e.g., call center third parties have VoIP-related controls, whereas software development vendors may not)
  - What is relevant from a geography perspective (e.g., background checks in the USA vs. India differ and may require testing different controls)
• 21. Step 5 – Create Vendor Risk Questionnaire

• 22. Step 6 – Distribute Questionnaires

• 23. Step 7 – Analyze Responses
• 24. Step 8 – Provide a Data Security Rating for vendor
  Score based on various data points including:
  - Log Management
  - Vulnerability Management
  - Data Leak Prevention or Data Discovery
  - Other Automated Feeds
  Rating pipeline:
  1. Collect Data: logs, scans and test reports, data leak findings, identity and access management data
  2. Data Analytics: analysis of data against 15 international standards
  3. Calculate Ratings: analysis of data against 15 international standards
  4. Report: rating and remediation action plan with cost
  5. Presentation: ControlCase presents to the board
• 25. Step 9 – Track Exceptions To Closure
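As an added worked example (not from the ControlCase deck and not its rating method), the following Python sketch runs the nine steps end to end: it categorizes a vendor into a verification tier from data type, form, business and geography, selects the applicable subset of a master control checklist, scores questionnaire answers while treating an unsupported "yes" as an exception at any tier above survey-only, and opens a dated exception register with a tier-based closure SLA. Every tier, control identifier, weight, grade boundary and SLA value is an assumption chosen for illustration, and the sample vendor and questionnaire reply are constructed.

```python
"""Vendor tiering, control mapping, questionnaire scoring and exception
tracking for a third-party programme.

Added example, not ControlCase's code or method: every tier, control
identifier, grade boundary and SLA below is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Tier(IntEnum):
    """Verification depth grows with exposure (hypothetical tiers)."""
    LOW = 1      # survey only
    MEDIUM = 2   # survey + evidence review
    HIGH = 3     # survey + evidence review + on-site assessment


@dataclass(frozen=True)
class Vendor:
    name: str
    data_types: frozenset   # e.g. {"PAN", "PHI", "SSN", "NAME"}
    electronic: bool        # electronic handling vs paper only
    business: str           # "call center", "hosting", "printing", ...
    region: str             # "US", "IN", ...


@dataclass(frozen=True)
class Control:
    cid: str
    text: str
    applies: Callable[[Vendor], bool]   # Step 4 mapping rule


SENSITIVE = frozenset({"PAN", "PHI", "SSN"})            # assumed high-exposure data
HIGH_RISK_BUSINESS = frozenset({"hosting", "managed service"})


def categorize(v: Vendor) -> Tier:
    """Step 2: more exposure to disclosure/compromise -> more verification."""
    if not (v.data_types & SENSITIVE):
        return Tier.LOW
    if v.electronic and v.business in HIGH_RISK_BUSINESS:
        return Tier.HIGH
    return Tier.MEDIUM


# Step 3: master checklist; identifiers are illustrative, not quoted from any standard
MASTER: List[Control] = [
    Control("POL-01", "Security policy reviewed in the last 12 months", lambda v: True),
    Control("VUL-01", "Quarterly vulnerability scans with tracked remediation", lambda v: v.electronic),
    Control("PCI-12.8", "Written acknowledgement of responsibility for cardholder data", lambda v: "PAN" in v.data_types),
    Control("HIPAA-BAA", "Business associate agreement executed", lambda v: "PHI" in v.data_types),
    Control("VOIP-01", "Call recordings holding account data are encrypted and access-logged", lambda v: v.business == "call center"),
    Control("HR-US", "Criminal background check per US hiring standard", lambda v: v.region == "US"),
    Control("HR-IN", "Police/background verification per Indian practice", lambda v: v.region == "IN"),
]


def applicable_controls(v: Vendor) -> List[Control]:
    """Step 4: keep only controls relevant to the vendor's data, business and geography."""
    return [c for c in MASTER if c.applies(v)]


def letter_grade(percent: int) -> str:
    return "A" if percent >= 90 else "B" if percent >= 75 else "C" if percent >= 60 else "D"


def score(v: Vendor, answers: Dict[str, Tuple[str, bool]]) -> dict:
    """Steps 7-8: answers map control id -> ("yes"/"no", evidence attached).
    A "yes" without evidence is accepted only at Tier.LOW (survey-only)."""
    tier = categorize(v)
    controls = applicable_controls(v)          # POL-01 always applies, so never empty
    met, exceptions = 0, []
    for c in controls:
        answer, evidence = answers.get(c.cid, ("no", False))
        if answer == "yes" and (tier == Tier.LOW or evidence):
            met += 1
        elif answer == "yes":
            exceptions.append((c.cid, "unverified: evidence required at this tier"))
        else:
            exceptions.append((c.cid, "control not in place"))
    percent = 100 * met // len(controls)
    return {"tier": tier, "percent": percent, "rating": letter_grade(percent),
            "exceptions": exceptions}


SLA_DAYS = {Tier.LOW: 90, Tier.MEDIUM: 60, Tier.HIGH: 30}   # assumed closure SLAs


def exception_register(result: dict, opened_iso: str) -> List[dict]:
    """Step 9: one tracked item per exception, due date set by the vendor's tier."""
    opened = date.fromisoformat(opened_iso)
    due = opened + timedelta(days=SLA_DAYS[result["tier"]])
    return [{"control": cid, "finding": why, "opened": opened, "due": due, "closed": None}
            for cid, why in result["exceptions"]]


def overdue(register: List[dict], today_iso: str) -> List[str]:
    today = date.fromisoformat(today_iso)
    return [e["control"] for e in register if e["closed"] is None and today > e["due"]]


if __name__ == "__main__":
    # Constructed sample: an Indian call center handling card numbers electronically
    bpo = Vendor("Acme BPO", frozenset({"PAN", "NAME"}), True, "call center", "IN")
    reply = {"POL-01": ("yes", True), "VUL-01": ("yes", False),
             "PCI-12.8": ("yes", True), "VOIP-01": ("no", False), "HR-IN": ("yes", True)}
    result = score(bpo, reply)
    print(result["tier"].name, result["rating"], result["exceptions"])
    print(overdue(exception_register(result, "2020-01-01"), "2020-03-02"))
```

The point the tiering makes is that the same questionnaire answer carries different weight at different tiers: a paper-only printing vendor that answers "yes" is rated on the survey alone, while the call center's "yes" on vulnerability scanning counts as an open exception until a scan report is attached. In a real programme the mapping rules would be keyed to the control text of PCI DSS, HIPAA, ISO 27001 and the other standards the deck lists rather than to the placeholder identifiers used here.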
• 26. Section 4 – COMMON CHALLENGES

• 27. Challenges
  - Redundant Efforts
  - Lack of Compliance Dashboard
  - Change of Environment
  - Increased Regulations
  - Cost Inefficiencies
  - Fixing of Dispositions
  - Reliance on Third Parties
  - Reducing Budgets (Do more with less)

• 28. Section 5 – WHY CONTROLCASE

• 29. Automation and AI
  Automated Data Feed: quarterly score based on 4 rolling quarters' worth of data:
  - Log Management
  - Vulnerability Management
  - Data Leak Prevention or Data Discovery
  - Other Automated Feeds
  Rating pipeline:
  1. Collect Data: logs, scans and test reports, data leak findings, identity and access management data
  2. Data Analytics: analysis of data against 15 international standards
  3. Calculate Ratings: analysis of data against 15 international standards
  4. Report: rating and remediation action plan with cost
  5. Presentation: ControlCase presents to the board
• 30. Summary – Why ControlCase
  "They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us."
  — Dir. of Compliance, SaaS company
  • 31. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 contact@controlcase.com