This document discusses how leveraging compliance with security frameworks and industry standards can help raise security standards within an organization. It provides an overview of common compliance objectives for different industries, such as SSAE16 for financial services, PCI DSS for payment processing, and HIPAA for healthcare. Achieving these compliance standards demonstrates high security controls to customers and can enable business expansion. The document recommends mapping controls across compliance frameworks to identify gaps and continuously improving processes to address those gaps through roadmaps, governance, and audits in order to achieve compliance objectives and business benefits.

1. Leveraging compliance to raise the
bar on security
Mike Lemire
Information Security Officer Pearson Higher Ed
@mike_lemire

2. Why leveraging Compliance is important
Compliance with regulations, security frameworks and industry standards is required for many
industries and can also be a business enabler for many types of service providers.
For these reasons compliance is an important business objective. This session will provide an
overview of compliance objectives pertinent to various industries and show how you can enable
compliance to raise the bar on security in your organization.
My experience:
-RiskMetrics
-Acquia
-Pearson

3. Business Reasons for Compliance
While good security practices reduce risk, compliance helps enable business success.
● Lack of compliance is an inhibitor to adoption of services
o Particularly true if:
 you are a SaaS provider
 you hold and process customer confidential data
 your service are important to customer business process
● Compliance demonstrates high standards of security and availability to your customers
o Independent validation of your control environment
● Achieving compliance enables business expansion into related vertical markets
● Management and business leadership will more likely fund security objectives when they enable
business expansion

4. Control Domains Compliance Helps You Improve
● Compliance helps you drive build repeatable processes in your organization
o Change Management
o Scanning and Patch Management process
o User Management
o Role Based Access Controls RBAC
o Separation of Duties
o Business Continuity/ Disaster Recovery
o Authentication and Account Management
o HR (Background checks, NDAs)
o Corporate Policies

5. SSAE16 (formerly SAS70) Service Organization Control
Developed by: American Institute of Certified Public Accountants
Important to: Public companies, US companies, Financial, Insurance and related industries
SOC 1 is focused on controls related to financial reporting
accounting and billing systems
systems which if negatively impacted may impact financial results
focus on corporate controls like HR, RBAC, Change Control, Security Testing
SOC 2 is focused security and privacy controls
Type 1 Examination: Point in time assessment - prepare you for Type 2
Type 2 Examination: Period of time assessment of control environment (6 months, 1 year)
Compliance Objectives and their relation to vertical markets

6. Cloud Security Alliance Security and Trust Assurance Registry (STAR)
Developed by: Technology Industry Consortium
Important to: Companies who outsource to cloud service providers
140 key controls which adopters of cloud services should inquire about
● self assessment
● publish results
● certification
https://cloudsecurityalliance.org/star/
Compliance Objectives and their relation to vertical markets

7. BITS – Shared Assessment
Developed by: Banking Industry Consortium
Important to: Financial Institutions
Shared Assessment is a long list of controls across many domains, similar to ISO 27002
An attempt to standardize how financial firms do vendor risk assessments for outsourced services.
Very comprehensive set of controls
SIG: Standard Information Gathering Questionnare Lite and Full
https://sharedassessments.org/
Compliance Objectives and their relation to vertical markets

8. HIPAA
Developed by: US Dept of Health and Human Services
Important to: Any service provider handling health care information
Health Information Technology for Economic and Clinical Health Act (HITECH) Act provides controls
and assessment framework
Compliance Objectives and their relation to vertical markets

9. FISMA
Developed by: Congress, NIST
Important to: United States Federal Government, other governments
Based on NIST publications and standards
FIPS 199: determine your FISMA level (low, medium, high)
NIST 800-53 rev 3: defines controls applicable to your FISMA level
System Security Plan: Documents your controls
ATO: Authority to Operate
FedRAMP: FISMA for Cloud Service Providers
Compliance Objectives and their relation to vertical markets

10. Payment Card Industry (PCI)
Developed by: Discover, MasterCard, JCB, MasterCard, Visa
Important to: Anyone who accepts credit cards for payment
Step 1: Determine Merchant Level
1: process over 6M CC transactions/ year
2: 1M-6M CC transactions / year
3: 20k - 1M CC transactions / year
4: Fewer than 20K
Compliance Objectives and their relation to vertical markets

11. Step 2: Determine PCI Compliance Type - Relevant Controls
C: CC outsourced but connected to the Internet - 80
D: CC held - 288
Step 3: Complete Self Assessment Questionnaire (ie evidence controls)
Step 4: Quarterly Scanning (no vulns)
Step 5: Complete audit/report by Qualified Security Assessor (QSA) - only if Level 1
Compliance Objectives and their relation to vertical markets

12. There is a lot of alignment between various compliance objectives into your
best practices. CSA Cloud Controls Matrix puts it all together
Putting it Together

13. Putting it Together
Establish your compliance objectives - in line with your business objectives
Itemize the controls of each objective
Create a control mapping (similar to CSA Control Matrix)
Create a control gap tracking worksheet
Add any customer feedback (RFPs, Contracts, Questionnaires from Vendor risk)

14. Tracking Your Controls - Gaps

15. The keys to success:
• Establish compliance objectives as important corporate and business objective
• Develop robust, audit-able processes
• Continuous improvement to administrative and technical controls
• Address the compliance gaps
● product roadmaps
● IT roadmaps
● corporate governance
Achieve your compliance objectives
Profit and be rewarded

16. Questions?
michael_lemire@yahoo.com
@mike_lemire