Integrated Compliance – PCI DSS, ISO 27001, FERC/NERC, HIPAA and FISMA
Presented by ControlCase
Kishor Vaswani, CEO, ControlCase
AGENDA
• Introduction
• Best Practices/Cloud Implications of Integrated Compliance
• About Certifications
  – PCI DSS
  – ISO 27001
  – HIPAA
  – FERC/NERC
  – FISMA
• Challenges
CORPORATE OVERVIEW
ControlCase™: Making Compliance Effortless
• Over 500 clients across the US, CEMEA, Europe, Latin America and Asia/Pacific regions
• Headquartered in the Washington, DC metro area (Fairfax, VA)
• ControlCase office or partnership locations include the US, Canada, Colombia, India, UK, KSA, Japan, Indonesia, Vietnam, Philippines, Kuwait, Malaysia, Brazil and Dubai
• Unique offerings bring Peace of Mind to Compliance
CREDENTIALS
• PCI DSS: Qualified Security Assessor (QSA) Company; ASV: Authorized Security Vendor
• ISO 27001 & 27002: International Organization for Standardization
• SOC 1, SOC 2, SOC 3, & SOC for Cybersecurity: Service Organization Controls (AICPA)
• HITRUST CSF: Health Information Trust Alliance Common Security Framework (CSF)
• HIPAA: Health Insurance Portability and Accountability Act
• NIST 800-53: National Institute of Standards and Technology
• GDPR: General Data Protection Regulation
• MARS-E: Minimum Acceptable Risk Standards for Exchanges
• EI3PA: Experian Independent Third Party Assessment
• Microsoft SSPA: Supplier Security and Privacy Assurance Third Party Risk Assessor
• Shared Assessments Program: Certified product licensee for SIG and AUP
• PA-DSS: Payment Application Qualified Security Assessor (QSA)
About PCI DSS, FISMA, FERC/NERC, HIPAA and ISO 27001

What is PCI DSS
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
What is FISMA
• Federal Information Security Management Act (FISMA) of 2002
  – Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
• FISMA objectives:
  – Align security protections with risk and impact
  – Establish accountability and performance measures
  – Empower executives to make informed risk decisions
What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
  – Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  – Reduces health care fraud and abuse;
  – Mandates industry-wide standards for health care information on electronic billing and other processes; and
  – Requires the protection and confidential handling of protected health information
What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 provides the detailed controls from an implementation perspective
What is FERC/NERC
• Federal Energy Regulatory Commission (FERC)
  › The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC):
  › The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection Standards
  › Standards for cyber security protection
Best Practices and Cloud Implications for Comprehensive Compliance

Building Blocks – Integrated Compliance
• Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management
Compliance Management
• Test once, comply with multiple regulations
• Mapping of controls
• Automated data collection
• Self-assessment data collection
• Executive dashboards
Policy Management
• Appropriate update of policies and procedures
• Link/Mapping to controls and standards
• Communication, training and attestation
Cloud
• No significant difference for cloud implementation

Reg/Standard   Coverage area
ISO 27001      A.5
PCI            12
EI3PA          12
HIPAA          164.308a1i
FISMA          AC-1
FERC/NERC      CIP-003-6
Vendor/Third Party Management
• Management of third parties
• Attestation/Audit of third parties
• Remediation tracking
Cloud
• A cloud environment such as AWS must be considered a third party
• Need to document a “compliance matrix” of which requirements are the responsibility of the cloud provider

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI            12
EI3PA          12
HIPAA          164.308b1
FISMA          PS-3
FERC/NERC      Multiple Requirements
Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and dispositions
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance
Cloud
• Vulnerability management of base infrastructure
• Segregation of environments between customers

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a8
FISMA          RA-5
FERC/NERC      CIP-010
Logging and Monitoring
• Logging
• 24x7 monitoring
Cloud
• Log management of base infrastructure
• Correlation of cloud and internal logs

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a1iiD
FISMA          SI-4
Change Management and Monitoring
• Logging and Monitoring (SIEM/FIM etc.)
• Change Management ticketing system
• Correlation of logs/alerts to change requests
• Response/Resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
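One way to implement the correlation step above, as an added example that is not part of the deck and not ControlCase code: each FIM/SIEM alert is matched against approved change tickets for the same asset, routed to response/resolution when a ticket covers it and escalated to incident otherwise. The ticket fields, asset names, alert format and the 30-minute grace window are assumptions; the tickets and alerts are constructed sample data.

```python
"""Correlate FIM/SIEM alerts to change-management tickets (added example).
Ticket fields, asset names and grace window are assumptions; data is constructed."""
from datetime import datetime, timedelta

# Constructed change tickets: id, asset, approval state, change window.
CHANGE_TICKETS = [
    {"id": "CHG-1001", "asset": "fw-edge-01", "status": "approved",
     "start": datetime(2024, 3, 4, 22, 0), "end": datetime(2024, 3, 5, 1, 0)},
    {"id": "CHG-1002", "asset": "app-web-03", "status": "pending",
     "start": datetime(2024, 3, 5, 9, 0), "end": datetime(2024, 3, 5, 10, 0)},
]

# Constructed alerts in "timestamp|asset|source|message" form.
ALERTS = """\
2024-03-04T22:15:00|fw-edge-01|FIM|/etc/fw/rules.conf modified
2024-03-05T03:40:00|fw-edge-01|FIM|/etc/fw/rules.conf modified
2024-03-05T09:20:00|app-web-03|FIM|/opt/app/bin/server replaced
2024-03-05T11:05:00|db-core-02|SIEM|new local admin account created
"""

def parse_alert(line):
    """Split one alert line into its fields; timestamp is ISO 8601."""
    ts, asset, source, msg = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "asset": asset,
            "source": source, "message": msg}

def match_ticket(alert, tickets, grace=timedelta(minutes=30)):
    """Return the approved ticket whose window (plus grace) covers the alert
    on the same asset, or None. Unapproved tickets never count as cover."""
    for t in tickets:
        if t["asset"] != alert["asset"] or t["status"] != "approved":
            continue
        if t["start"] - grace <= alert["ts"] <= t["end"] + grace:
            return t
    return None

def triage(alert_text, tickets=CHANGE_TICKETS):
    """Route each alert: 'expected' goes to response/resolution with its
    ticket id, 'escalate' goes to the incident process.
    Returns a list of (asset, disposition, ticket_id_or_None)."""
    results = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        ticket = match_ticket(alert, tickets)
        if ticket:
            results.append((alert["asset"], "expected", ticket["id"]))
        else:
            results.append((alert["asset"], "escalate", None))
    return results

if __name__ == "__main__":
    for asset, disposition, ticket in triage(ALERTS):
        print(f"{asset:12} {disposition:9} {ticket or '-'}")
```

Only the first alert falls inside an approved window; the second is outside the window on the same asset, the third maps to a ticket that is not yet approved, and the fourth has no ticket at all, so all three are escalated.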
Incident and Problem Management
Example event sources: lost laptop; changes to firewall rulesets; upgrades to applications; intrusion alerting
• Monitoring
• Detection
• Reporting
• Responding
• Approving
Cloud
• Coordination with third party
• Inclusion of SLAs within contracts of third parties

Reg/Standard   Coverage area
ISO 27001      A.13
PCI            12
EI3PA          12
HIPAA          164.308a6i
FISMA          IR Series
Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data
Cloud
• No significant reliance on third party for cloud implementation

Reg/Standard   Coverage area
ISO 27001      A.7
PCI            3, 4
EI3PA          3, 4
HIPAA          164.310d2iv
FERC/NERC      CIP-011
Risk Management/Rating
• Automated risk management
• Feeds from vulnerability management, DLP, log management solutions etc.
Cloud
• Need to get feeds (such as log feeds) from third parties
• Need to ensure the architecture is such that risk can be managed irrespective of the third party provider

Reg/Standard   Coverage area
ISO 27001      A.6
PCI            12
EI3PA          12
HIPAA          164.308a1iiB
FISMA          RA-3
Business Continuity Management
• Business Continuity Planning
• Disaster Recovery
• BCP/DR and Remote Site
Cloud
• Cloud provider could be “one of the options” for failover as part of the BCP/DR plan
• Cloud provider must be a part of tabletop exercises

Reg/Standard   Coverage area
ISO 27001      A.14
PCI            Not Applicable
EI3PA          Not Applicable
HIPAA          164.308a7i
FISMA          CP Series
FERC/NERC      CIP-009
HR Management
• Training
• Background Screening
• Reference Checks
Cloud
• No significant impact

Reg/Standard   Coverage area
ISO 27001      A.8
PCI            12
EI3PA          12
HIPAA          164.308a3i
FISMA          AT-2
FERC/NERC      CIP-004
Physical Security
• Badges
• Visitor Access
• CCTV
• Biometric
Cloud
• Typically the responsibility of the cloud provider in a 100% cloud-enabled environment

Reg/Standard   Coverage area
ISO 27001      A.11
PCI            9
EI3PA          9
HIPAA          164.310
FISMA          PE Series
FERC/NERC      CIP-006
Compliance Project Management
• Your Project Manager is charged with your Success:
  1. Serves as your single point of contact and your advocate for all compliance activities
  2. Ensures all compliance requirements are met on schedule.
     • Builds a single-stream, reliable communication channel
     • Strategizes to produce an efficient plan based on your needs
     • Periodic pulse checks via status reports & meetings paced according to your stage and schedule
  3. Prepares you for smooth and predictable activities across multiple compliance paths
Common Challenges
#ALLMYDATA

Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (Do more with less)

ControlCase Solution – Integrated Compliance
Test Once – Comply to Many

THANK YOU
Q&A
ControlCase: Making Compliance Effortless