Continual Compliance for PCI DSS, E13PA and ISO 27001/2
•Download as PPTX, PDF•
2 likes•3,414 views
About PCI DSS, ISO 27001 and EI3PA Best Practices and Components for Continual Compliance within IT Standards/Regulations Challenges in the Continual Compliance Space
More Related Content
What's hot
What's hot (20)
Similar to Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Similar to Continual Compliance for PCI DSS, E13PA and ISO 27001/2 (20)
More from ControlCase
More from ControlCase (20)
Recently uploaded
Recently uploaded (20)
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
- 1. Continual Compliance – PCI DSS, ISO 27001 and EI3PA By Kishor Vaswani, CEO - ControlCase
- 2. Agenda • About PCI DSS, ISO 27001 and EI3PA • Best Practices and Components for Continual Compliance within IT Standards/Regulations • Challenges in the Continual Compliance Space • Q&A 1
- 3. About PCI DSS, ISO 27001 and EI3PA
- 4. What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 2
- 5. PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
- 6. What is EI3PA? Experian Security Audit Requirements: • Experian is one of the three major consumer credit bureaus in the United States • Guidelines for securely processing, storing, or transmitting Experian Provided Data • Established by Experian to protect consumer data/credit history data provided by them 4
- 7. EI3PA Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect Experian provided data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Experian data 3. Protect stored Experian provided data 4. Encrypt transmission of Experian data across open, public networks Antivirus 5. Use and regularly update anti-virus software on all systems housing, accessing or processing Experian provided data. Implement strong access control measures (Logical and Physical) 6. Restrict access to Experian provided data by business need-to- know 7. Restrict physical access to Experian provided data 8. Assign a unique ID to each person with computer access to systems housing or processing Experian provided data. Regularly monitor and test networks 9. Track and monitor all access to network resources that Experian provided data is transmitted across. 10. Develop and maintain secure systems. 11. Regularly test security systems and processes that pertain to Experian provided data. Maintain an information security policy 12. Maintain a policy that addresses information security for employees and contractors. 5
- 8. What is ISO 27001/ISO 27002 ISO Standard: • ISO 27001 is the management framework for implementing information security within an organization • ISO 27002 are the detailed controls from an implementation perspective 6
- 9. ISO 27002 Controls Control Objectives Sub-Requirements Security Policy Information Security Policy Organization of information security Internal organization, External parties Asset Management Responsibility for assets, Information classification Human Resources Security Prior to employment, During employment, Termination or change of employment Physical and environmental security Secure areas, Equipment security Communications and operations management Operational procedures and responsibilities, Third party service delivery management, System planning and acceptance, Malicious and mobile code, Back-up, Network security management, Media handling, Exchange of information, Electronic commerce services, Monitoring Access Control User access management, User responsibilities, Network access control, Operating system access control, Application and information access control, Mobile computing and teleworking Information Systems Acquisition, Development and Maintenance Technical vulnerability management, Security requirements of information systems, Correct processing in applications, Cryptographic controls, Security of system files, Secure development Information Security Incident Management Reporting of incidents, Management of incidents Business Continuity Management Information security aspects of business continuity Compliance Compliance with legal requirements, Compliance with security policies and standards, Information systems audit consideration 7
- 10. Best Practices and Components for Continual Compliance within IT Standards/Regulations
- 11. Components of Continuous Monitoring • Unified Compliance Management • Policy Management • Vendor/Third Party Management • Asset and Vulnerability Management • Change Management and Monitoring • Incident and Problem Management • Data Management • Risk Management • Business continuity Management • HR Management • Compliance Project Management 8
- 12. Unified Compliance Management 9 ISO 27001 PCI DSSEI3PA
- 13. Unified Compliance Management 10 Test once, comply to multiple regulations Mapping of controls Automated data collection Self assessment data collection Executive dashboards
- 14. Policy Management 11 Appropriate update of policies and procedures Link/Mapping to controls and standards Communication, training and attestation Monitoring of compliance to corporate policies Reg/Standard Coverage area ISO 27001 A.5 PCI 12 EI3PA 12
- 15. Vendor/Third Party Management 12 Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Reg/Standard Coverage area ISO 27001 A.6, A.10 PCI 12 EI3PA 12
- 16. Asset and Vulnerability Management 13 Asset list Management of vulnerabilities and dispositions Training to development and support staff Management reporting if unmitigated vulnerability Linkage to non compliance Reg/Standard Coverage area ISO 27001 A.7, A.12 PCI 6, 11 EI3PA 10, 11
- 17. Change Management and Monitoring 14 Escalation to incident for unexpected logs/alerts Response/Resolution process for expected logs/alerts Correlation of logs/alerts to change requests Change Management ticketing System Logging and Monitoring (SIEM/FIM etc.) Reg/Standard Coverage area ISO 27001 A.10 PCI 1, 6, 10 EI3PA 1, 9, 10
- 18. Incident and Problem Management 15 Monitoring Detection Reporting Responding Approving Lost Laptop Changes to firewall rulesets Upgrades to applications Intrusion Alerting Reg/Standard Coverage area ISO 27001 A.13 PCI 12 EI3PA 12
- 19. Data Management 16 Identification of data Classification of data Protection of data Monitoring of data Reg/Standard Coverage area ISO 27001 A.7 PCI 3, 4 EI3PA 3, 4
- 20. Risk Management 17 Input of key criterion Numeric algorithms to compute risk Output of risk dashboards Reg/Standard Coverage area ISO 27001 A.6 PCI 12 EI3PA 12
- 21. Business Continuity Management 18 Business Continuity Planning Disaster Recovery BCP/DR Testing Remote Site/Hot Site Reg/Standard Coverage area ISO 27001 A.14 PCI Not Applicable EI3PA Not applicable
- 22. HR Management 19 Training Background Screening Reference Checks Reg/Standard Coverage area ISO 27001 A.8 PCI 12 EI3PA 12
- 23. Compliance Project Management 20 Your Project Manager is charged with your Success: 1. Serves as your single point of contact and your advocate for all compliance activities 2. Ensures all compliance requirements are met on schedule. • Builds a single stream, reliable communication channel • Strategizes to produce an efficient plan based on your needs • Periodic pulse checks via status reports &meetings paced according to your stage and schedule 3. Prepares you for smooth and predictable activities across multiple compliance paths
- 24. Challenges in Continual Compliance Space
- 25. Challenges • Redundant Efforts • Cost inefficiencies • Lack of compliance dashboard • Fixing of dispositions • Change in environment • Reliance on third parties • Increased regulations • Reducing budgets (Do more with less) 21
- 27. Learn more about continual compliance …. 22 Compliance as a Service (Caas)
- 28. Why Choose ControlCase? • Global Reach › Serving more than 400 clients in 40 countries and rapidly growing • Certified Resources › PCI DSS Qualified Security Assessor (QSA) › QSA for Point-to-Point Encryption (QSA P2PE) › Certified ASV vendor › Certified ISO 27001 Assessment Department › EI3PA Assessor 23
- 29. To Learn More About PCI Compliance or Data Discovery… • Visit www.ControlCase.com • Call +1.703.483.6383 (US) • Call +91.9820293399 (India) • Kishor Vaswani (CEO) – kvaswani@controlcase.com 24
- 30. Thank You for Your Time