This document discusses continual compliance monitoring for various IT security standards and regulations including PCI DSS, HIPAA, FERC/NERC, ISO 27001, and FISMA. It outlines the key components of a continual compliance monitoring program, including domains like policy management, asset management, logging management, and risk management. It also discusses the recurrence frequency for monitoring various domains either daily, monthly/quarterly, or annually. Finally, it discusses some of the challenges with continual compliance monitoring programs.

1. Continual Compliance Monitoring– PCI DSS,
HIPAA, FERC/NERC, EI3PA, ISO 27001 and
FISMA
By Kishor Vaswani, CEO - ControlCase

2. Agenda
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and
EI3PA
• Components for Continual Compliance Monitoring
within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continual Compliance Monitoring
• Q&A
1

3. About PCI DSS, HIPAA, FERC/NERC,
EI3PA, ISO 27001 and FISMA

4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council
(PCI SSC)
2

5. What is HIPAA
3
• HIPAA is the acronym for the Health Insurance
Portability and Accountability Act that was
passed by Congress in 1996. HIPAA does the
following:
› Provides the ability to transfer and continue health
insurance coverage for millions of American workers and
their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care
information on electronic billing and other processes; and
› Requires the protection and confidential handling of
protected health information

6. What is FERC/NERC
4
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United
States federal agency with jurisdiction over interstate electricity
sales, wholesale electric rates, hydroelectric licensing, natural
gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation
(NERC):
› The North American Electric Reliability Corporation (NERC) is a
not-for-profit international regulatory authority whose mission
is to ensure the reliability of the bulk power system in North
America.
• Critical Infrastructure Protection Standards
› Standards for cyber security protection

7. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer
credit bureaus in the United States
• Guidelines for securely processing, storing, or
transmitting Experian Provided Data
• Established by Experian to protect consumer
data/credit history data provided by them
5

8. What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for
implementing information security within an
organization
• ISO 27002 are the detailed controls from an
implementation perspective
6

9. What is FISMA
7
• Federal Information Security Management Act
(FISMA) of 2002
› Requires federal agencies to implement a mandatory set of
processes, security controls and information security
governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions

10. Components of Continual Compliance Monitoring

11. Continuous Monitoring
8
 Test once, comply to multiple regulations
 Mapping of controls
 Automated data collection
 Self assessment data collection
 Executive dashboards

12. Continual Compliance Monitoring Domains
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Log Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
9

13. Policy Management
10
 Appropriate update of policies and procedures
 Link/Mapping to controls and standards
 Communication, training and attestation
 Monitoring of compliance to corporate policies
Reg/Standard Coverage area
ISO 27001 A.5
PCI 12
EI3PA 12
HIPAA 164.308a1i
FISMA AC-1
FERC/NERC CIP-003-6

14. Vendor/Third Party Management
11
 Management of third parties/vendors
 Self attestation by third parties/vendors
 Remediation tracking
Reg/Standard Coverage area
ISO 27001 A.6, A.10
PCI 12
EI3PA 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple
Requirements

15. Asset and Vulnerability Management
12
 Asset list
 Management of vulnerabilities and dispositions
 Training to development and support staff
 Management reporting if unmitigated vulnerability
 Linkage to non compliance
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a8
FISMA RA-5
FERC/NERC CIP-010

16. Logging Management
13
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a1iiD
FISMA SI-4
 Logging
 File Integrity Monitoring
 24X7 monitoring
 Managing volumes of data

17. Change Management and Monitoring
14
Escalation to incident for unexpected logs/alerts
Response/Resolution process for expected logs/alerts
Correlation of logs/alerts to change requests
Change Management ticketing System
Logging and Monitoring (SIEM/FIM etc.)
Reg/Standard Coverage
area
ISO 27001 A.10
PCI 1, 6, 10
EI3PA 1, 9, 10
FISMA SA-3

18. Incident and Problem Management
15
 Monitoring
 Detection
 Reporting
 Responding
 Approving
Lost Laptop
Changes to
firewall
rulesets
Upgrades to
applications
Intrusion
Alerting
Reg/Standard Coverage area
ISO 27001 A.13
PCI 12
EI3PA 12
HIPAA 164.308a6i
FISMA IR Series
FERC/NERC CIP-008

19. Data Management
16
 Identification of data
 Classification of data
 Protection of data
 Monitoring of data
Reg/Standard Coverage area
ISO 27001 A.7
PCI 3, 4
EI3PA 3, 4
HIPAA 164.310d2iv
FERC/NERC CIP-011

20. Risk Management
17
 Input of key criterion
 Numeric algorithms to compute risk
 Output of risk dashboards
Reg/Standard Coverage area
ISO 27001 A.6
PCI 12
EI3PA 12
HIPAA 164.308a1iiB
FISMA RA-3

21. Business Continuity Management
18
 Business Continuity Planning
 Disaster Recovery
 BCP/DR Testing
 Remote Site/Hot Site
Reg/Standard Coverage area
ISO 27001 A.14
PCI Not Applicable
EI3PA Not applicable
HIPAA 164.308a7i
FISMA CP Series
FERC/SERC CIP-009

22. HR Management
19
 Training
 Background Screening
 Reference Checks
Reg/Standard Coverage area
ISO 27001 A.8
PCI 12
EI3PA 12
HIPAA 164.308a3i
FISMA AT-2
FERC/NERC CIP-004

23. Physical Security
20
 Badges
 Visitor Access
 CCTV
 Biometric
Reg/Standard Coverage area
ISO 27001 A.11
PCI 9
EI3PA 9
HIPAA 164.310
FISMA PE Series
FERC/NERC CIP-006

24. Recurrence Frequency and Calendar

25. Daily Monitoring Domains
21
• Asset and Vulnerability Management
• New Assets
• New Vulnerabilities
• Log Management
• Response time window
• Change Management
• Impact in case of an error
• Unknown and insecure applications
• Incident and Problem Management
• Root cause of systemic problems
• Response to operational and security incidents

26. Monthly/Quarterly Monitoring Domains
22
• Vendor/Third Party Management
• Time taken by third parties to respond
• Data Management
• Identification of unknown data
• HR Management
• Time taken for training
• Time taken for background checks
• Physical Security Management
• Time take to install new physical security
components

27. Annual Monitoring Domains
23
• Policy Management
• Annual policy reviews
• Risk Management
• Enterprise wide nature of risk assessment
• BCP/DR Management
• Time taken to conduct BCP/DR tests

28. Challenges in Continual Compliance
Monitoring

29. Challenges
• Redundant Efforts
• Cost inefficiencies
• Lack of dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (Do more with less)
24

30. Integrated compliance
25
Question.
No.
Question PCIDSS2.0Reference PCIDSS3.0 ISO27002:2013 SOC2 HIPAA NIST800-53
37
Provide dataEncryptionpolicyexplainingencryptioncontrolsimplementedfor
Cardholderdatadatasecure storage (e.g.encryption,truncation,maskingetc.) –
applicable forapplication,database andbackuptapes
-Screenshotsshowingfull PANdataisencryptedwithstrongencryptionwhile
stored(database tablesorfiles). The captureddetailsshouldalsoshowthe
encryptionalgorithmandstrengthused
-ForBackuptapes,screenshotshowingthe encryptionapplied(algorithmand
strength–e.g.AES256bit)throughbackupsolution
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.4.a,3.4.b,3.4.c,3.4.d 3.4 10.1.1,18.1.5 164.312(a)(1)
38
IfDiskencryptionusedforcarddatadata,thenisthe logical accesstoencryptedfile-
systemisseparatefromnative operatingsystemuseraccess? (Provide the
adequate evidencesshowingthe logical accessforlocal operatingsystemand
encryptedfile systemiswithseparateuserauthentication)
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.4.1.a 3.4.1 10.1.2 164.312(a)(1)
39
Provide evidence showingrestrictedaccesscontrol forDataEncryptionKeys(DEK)
andKeyEncryptionKeys(KEK)atstore
SecurityPostureQA:QSAtoverifythatencryptionisappropriateORcompensating
controlsareperControlCasestandard.
3.5 3.5.2 10.1.2 164.312(a)(1)
40
Provide the evidence showingthe exactlocationswhere encryptionkeysare stored
(keysshouldbe storedatfewestpossible locations)
3.5.3 10.1.2 164.312(a)(1)

31. Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› BITS Shared Assessment Company
26

32. To Learn More About ControlCase
• Visit www.controlcase.com
• Email us at contact@controlcase.com

33. Thank You for Your Time