CONTINUOUS COMPLIANCE MONITORING
YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
AGENDA
1. ControlCase Introduction
2. About the Regulations
3. Continuous Compliance Components
4. Recurrence Frequency & Calendar
5. Common Challenges
6. ControlCase Solution
© 2020 ControlCase. All Rights Reserved.
1 CONTROLCASE INTRODUCTION
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1,000+ CLIENTS
10,000+ IT SECURITY CERTIFICATIONS
275+ SECURITY EXPERTS
Solution
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certification and Continuous Compliance Services
Certification Services
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
• ISO 27001 & 27002
• SOC 1, 2, 3 & SOC for Cybersecurity
• HITRUST CSF
• PCI P2PE
• GDPR
• NIST 800-53
• PCI PIN
• PCI PA-DSS
• FedRAMP
• PCI 3DS
• PCI DSS
• HIPAA
2 ABOUT THE REGULATIONS
What do the Regulations Mean?
Payment Card Industry Data Security Standard (PCI DSS)
Established by leading payment card issuers. Guidelines for securely processing, storing, or transmitting payment card account data.
Health Insurance Portability and Accountability Act (HIPAA)
Passed by Congress in 1996. Mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information.
ISO 27001/ISO 27002
ISO 27001 is the management framework for implementing information security within an organization. ISO 27002 provides the detailed controls from an implementation perspective.
FISMA
The Federal Information Security Management Act, which the United States Congress passed in 2002, requires federal agencies to implement information security plans to protect sensitive data. Any private sector company that has a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money, must comply with FISMA.
PCI SSF
Ensures payment applications support PCI DSS compliance.
NERC
The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
SOC 2
Created by the American Institute of Certified Public Accountants (AICPA) to fill the gap for organizations that were being requested to have a SAS 70 (now SSAE 18). The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
Common Regulations by Region/Industry
REGION | INDUSTRY | REGULATION
APAC | Business Process Organizations (BPOs) | PCI DSS, SOC2, ISO 27001, HITRUST, HIPAA
APAC | Payments | PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
APAC | Financial Services | PCI DSS, PCI SSF, PCI PIN, PCI 3DS, PCI CP
AMERICAS | Payments | PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
AMERICAS | Cloud Service Providers | PCI DSS, PCI SSF, SOC2, ISO 27001, HITRUST
AMERICAS | Retail | PCI DSS, PCI P2PE, SOC2, ISO 27001, HIPAA
AMERICAS | Technology | PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
LATIN AMERICA | Cloud Services Providers | PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
EUROPE | Cloud Services Providers | PCI DSS, PCI SSF, SOC2, ISO 27001
3 CONTINUOUS COMPLIANCE COMPONENTS
Continuous Compliance Domains
Asset and Vulnerability Management
Change Management
Data Management
Business Continuity Management
Physical Security
Policy Management
Log Management
Incident and Problem Management
Risk Management
HR Management
Vendor / Third Party Management
Continuous Monitoring
Test once, comply to multiple regulations
Mapping of controls
Automated data collection
Self assessment data collection
Executive dashboards
Policy Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.5
PCI 12
HIPAA 164.308a1i
FISMA AC-1
FERC/NERC CIP-003-6
Appropriate update of policies and procedures
Link/Mapping to controls and standards
Communication, training and attestation
Monitoring of compliance to corporate policies
Vendor / Third Party Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.6, A.10
PCI 12
HIPAA 164.308b1
FISMA PS-3
FERC/NERC Multiple Requirements
Management of third parties/vendors
Self attestation by third parties/vendors
Remediation tracking
Asset / Vulnerability Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.7, A.12
PCI 6, 11
HIPAA 164.308a8
FISMA RA-5
FERC/NERC CIP-010
Asset list
Management of vulnerabilities and dispositions
Training to development and support staff
Management reporting if unmitigated vulnerability
Linkage to non-compliance
Logging & Monitoring
REG/STANDARD COVERAGE AREA
ISO 27001 A.7, A.12
PCI 6, 11
HIPAA 164.308a1iiD
FISMA SI-4
Logging
File Integrity Monitoring
24X7 Monitoring
Managing volumes of data
Change Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.10
PCI 1, 6, 10
FISMA SA-3
1. Logging & Monitoring (SIEM/FIM, etc.)
2. Change Management ticketing system
3. Correlation of logs / alerts to change requests
4. Response / Resolution process for expected logs / alerts
5. Escalation to incident for unexpected logs / alerts
Incident / Problem Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.13
PCI 12
HIPAA 164.308a6i
FISMA IR Series
FERC/NERC CIP-008
Lost Laptop
Upgrades to Applications
Changes to Firewall Rulesets
Intrusion
Alerting
Monitoring
Detection
Reporting
Responding
Approving
Data Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.7
PCI 3, 4
HIPAA 164.310d2iv
FERC / NERC CIP-011
Identification of data
Classification of data
Protection of data
Monitoring of data
Risk Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.6
PCI 12
HIPAA 164.308a1iiB
FISMA RA-3
Input of key criterion
Numeric algorithms to compute risk
Output of risk dashboards
Business Continuity Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.14
PCI Not Applicable
HIPAA 164.308a7i
FISMA CP Series
FERC / NERC CIP-009
Business Continuity Planning
Disaster Recovery
BCP / DR Testing
Remote Site / Hot Site
HR Management
REG/STANDARD COVERAGE AREA
ISO 27001 A.8
PCI 12
HIPAA 164.308a3i
FISMA AT-2
FERC / NERC CIP-004
Training
Background Screening
Reference Checks
Physical Security
REG/STANDARD COVERAGE AREA
ISO 27001 A.11
PCI 9
HIPAA 164.310
FISMA PE Series
FERC / NERC CIP-006
Badges
Visitor Access
CCTV
Biometric
4 RECURRENCE FREQUENCY & CALENDAR
Daily Monitoring Domains
ASSET & VULNERABILITY MANAGEMENT
• New Assets
• New Vulnerabilities
LOG MANAGEMENT
• Response time window
CHANGE MANAGEMENT
• Impact in case of an error
• Unknown and insecure applications
INCIDENT & PROBLEM MANAGEMENT
• Root cause of systemic problems
• Response to operational and security incidents
Monthly / Quarterly Monitoring Domains
VENDOR / THIRD PARTY MANAGEMENT
• New Assets
• New Vulnerabilities
DATA MANAGEMENT
• Identification of unknown data
HR MANAGEMENT
• Time taken for training
• Time taken for background checks
PHYSICAL SECURITY MANAGEMENT
• Time taken to install new physical security components
Annual Monitoring Domains
POLICY MANAGEMENT
• Annual policy reviews
RISK MANAGEMENT
• Enterprise-wide nature of risk assessment
BCP / DR MANAGEMENT
• Time taken to conduct BCP / DR tests
5 COMMON CHALLENGES
Common Challenges
Redundant Efforts
Lack of Dashboard
Change in Environment
Increased Regulations
Cost Inefficiencies
Fixing of Dispositions
Reliance on Third Parties
Reducing Budgets (Do more with less)
6 CONTROLCASE SOLUTION
Continuous Compliance Services
WHAT IS CONTINUOUS COMPLIANCE
BENEFITS OF CONTINUOUS COMPLIANCE
DELIVERABLE OF CONTINUOUS COMPLIANCE
• Eliminates the need for potential major last minute audit findings.
• Reduces effort for final audit by approximately 25%.
• Reduces the risk of technical shortcomings such as:
⎼ Quarterly scans missed certain assets.
⎼ Logs from all assets not reporting.
• Quarterly review of 20-25 high impact/high risk questions.
• Technical review of vulnerability scans, log management, asset list and other available automated systems.
Predictive Continuous Compliance Services
• Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats
• Address common non-compliant situations that leave you vulnerable all year long, including:
⎼ In-scope assets not reporting logs
⎼ In-scope assets missed from vulnerability scans
⎼ Critical, overlooked vulnerabilities due to volume
⎼ Risky firewall rule sets go undetected
⎼ Non-compliant user access scenarios not flagged
“The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them.”
— VP of IT, Call Center/BPO Company
70% of company’s assets are non-compliant at some point in the year.
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
7 QUESTIONS & ANSWERS
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com


Editor's Notes

  • #5 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #6 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #7 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #12 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #13 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.  
  • #14 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #15 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #16 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #17 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  • #34 Why ControlCase:
    ⁃ Partnership Approach – Proactive expertise, responsive support and new, innovative ideas to streamline and improve compliance
    ⁃ Right mix of size and responsiveness – We’re big enough to provide comprehensive compliance services, but agile enough to deliver responsive client care and support
    ⁃ Automation-Driven – Take advantage of automation to cut time and costs and improve efficiencies in becoming certified and maintaining compliance
      ⁃ ControlCase IT Compliance Portal
      ⁃ Automated evidence collection – on prem or in the cloud
      ⁃ Real-time Certification Dashboard
      ⁃ AI-powered Predictive Compliance – Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats
      ⁃ GRC Platform integration
    ⁃ Continuous Compliance – Use ControlCase’s continuous compliance services to maintain compliance continuously in between annual certification efforts, because point-in-time, snapshot compliance doesn’t effectively keep your company compliant or secure
      ⁃ Predict, prioritize and remediate compliance risks before they become security threats