Managing Multiple Assessments Using Zero Trust Principles

MANAGING MULTIPLE
ASSESSMENTS USING
ZERO TRUST PRINCIPLES
YOUR IT COMPLIANCE PARTNER –
GO BEYOND THE CHECKLIST

ControlCase Introduction
Controls for Zero Trust Environments
About Regulations/Standards
Current State
ControlCase Remote Assessment Methodology
AGENDA
© 2020 ControlCase. All Rights Reserved. 2
1
2
3
4
5

1 CONTROLCASE INTRODUCTION

ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
⁃ Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden to
a trusted compliance partner
1,000+ 275+10,000+
CLIENTS IT SECURITY
CERTIFICATIONS
SECURITY
EXPERTS

Solution - Certification and Continuous Compliance Services
“I’ve worked on both sides of
auditing. I have not seen any other
firm deliver the same product and
service with the same value. No
other firm provides that continuous
improvement and the level of detail
and responsiveness.
— Security and Compliance Manager,
Data Center
Certification and Continuous Compliance Services

Certification Services
One Audit™
Assess Once. Comply to Many.
“You have 27 seconds to make a first
impression. And after our initial
meeting, it became clear that they
were more interested in helping
our business and building a
relationship, not just getting the
business.
— Sr. Director, Information Risk & Compliance,
Large Merchant
PCI DSS ISO 27001
& 27002
SOC 1,2,3 & SOC
for Cybersecurity
PCI SSF
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS CSA STAR Microsoft SSPA

ABOUT REGULATIONS/
STANDARDS
2

REGION INDUSTRY REGULATION
APAC Business Process Organizations (BPOs) PCI DSS, SOC2, ISO 27001, HITRUST, HIPAA
APAC Payments PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
APAC Financial Services PCI DSS, PCI SSF, PCI PIN, PCI 3DS, PCI CP
AMERICAS Payments PCI DSS, PCI SSF, SOC2, ISO 27001, PCI 3DS
AMERICAS Cloud Service Providers PCI DSS, PCI SSF, SOC2, ISO 27001, HITRUST
AMERICAS Retail PCI DSS, PCI P2PE, SOC2, ISO 27001, HIPAA
AMERICAS Technology PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
LATIN AMERICA Cloud Services Providers PCI DSS, PCI SSF, SOC2, ISO 27001, HIPAA
EUROPE Cloud Services Providers PCI DSS, PCI SSF, SOC2, ISO 27001
Common Regulations by Region/Industry

What do the Regulations Mean?
Payment Card Industry Data Security Standard (PCI DSS)
Established by leading payment card issuers - Guidelines for securely
processing, storing, or transmitting payment card account data.
Health Insurance Portability and Accountability Act (HIPAA)
Passed by Congress in 1996 Mandates industry-wide standards for health care
information on electronic billing and other processes and requires the protection
and confidential handling of protected health information.
ISO 27001/ISO 27002 - ISO 27001
The management framework for implementing information security
within an organization. ISO 27002 are the detailed controls from an
implementation perspective.
PCI P2PE
Ensures data is encrypted at Point of Interaction (POI) at merchant end and can
only be decrypted by dedicated environment. Thus ensures point to point
encryption of payment card account data.
PCI SSF
Ensures payment applications support PCI DSS compliance.
PCI 3DS
Physical and logical requirements for entities that implement 3DS Payment
solution to secure card-not-present e-commerce purchases.
SOC 2
Created by the American Institute of Certified Public Accountants (AICPA) to fill the
gap for organizations that were being requested to have a SAS 70 (now SSAE 18).
The purpose of a SOC 2 report is to evaluate an organization’s information systems
relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

CURRENT STATE3

Current State
Many companies are implementing work-from-home policies,
which challenge traditional IT Compliance and Cyber Security programs.
Organizations are expected
to consider and review their processes
on remote work.
Due to restrictions on travel and physical
meetings as a result of the coronavirus,
regulatory bodies have published guidance for
assessors on the topic of remote
assessments.

Remote Work - Testing Automation
ACE
• Automated Compliance
Engine
• Can collect evidence
such as configurations
remotely
CDD
• Data Discovery Solution
• Can scan end user
workstations for
sensitive/PII
VAPT
• Vulnerability
Assessment &
Penetration Testing
• Can perform remote
vulnerability scans and
penetration tests
LOGS
• Log Analysis and
Alerting
• Can review log settings
and identify missing
logs remotely
1 2 3 4

CONTROLS TO BE IMPLEMENTED
FOR ZERO TRUST ENVIRONMENTS
4

Policy Management
Vulnerability Management
Data Management
Antivirus & Antimalware
Configuration Management
Log Management
Physical Security
Access Management
Applicable Domains (Across all Standards/Regulations)

Provide Information Security Awareness Training
to WFH users on how to secure their wireless network (if any).
Policies & Procedures

Configuration Management
System configuration
standards approved by
organizations must be
enforced on WFH
users’ workstations.
Maintain the inventory
of workstations.

Vulnerability Management
Internal vulnerability
assessment and penetration
testing must be conducted
for WFH workstations.
Penetration tests
emulating a work from home user
scenario must be performed.

Log Management
Ensure all user activities
done on WFH workstations
are logged.
Ensure all WFH
workstations are
synchronizing time with
designated NTP server.

Data Management
1 2 3
Increase the
frequency of PII data discovery
scanning.
Establish process
to run automated
secure data disposal
on disks of workstations for
WFH users.
Reduce the
exposure of PII.

Physical Security
No realistic way to
control physical access
of personnel working
from home.
Ensure controls (such
as Citrix) are in place
that full sensitive/PII
data cannot be viewed
or downloaded when
working from home.
Data Center reviews
may have to be done
using mobile cameras
and or CCTV
images/photographs
(with time stamp)
based evidence.

Antivirus & Antimalware
All systems should have
an Anti-Virus solution installed
and regularly updated.
Users should not be
able to disable the
Anti-Virus solution.

Access Management
No regular user
(except power users)
should be able to
access any system that
stores, processes or
transmits sensitive/PII.
All the WFH users
must use two factor
authentication to
connect to sensitive/PII
environment.
Need-to-know basis
access along with least
privileges must be
implemented to restrict
access to sensitive/PII
data for WFH users.

CONTROLCASE REMOTE
ASSESSMENT METHODOLOGY
5

3 Key Areas Of Focus
1
Automation (Remote scanning,
evidence collection & testing)
2
Mechanisms to enable
remote assessment (CCTV,
phone cameras etc.)
3
Continuous compliance
controls (such as more
frequent user access
reviews, scans and firewall
ruleset reviews)

1. Remote Work - Testing Automation
ACE
• Automated Compliance
Engine
• Can collect evidence
such as configurations
remotely
CDD
• Data Discovery Solution
• Can scan end user
workstations for
sensitive/PII
VAPT
• Vulnerability
Assessment &
Penetration Testing
• Can perform remote
vulnerability scans and
penetration tests
LOGS
• Log Analysis and
Alerting
• Can review log settings
and identify missing
logs remotely
1 2 3 4

2. Mechanisms to Enable Remote Assessments
Assessors should maintain their structure
for an onsite audit but instead use video
calling and screen sharing to provide
evidence and conduct interviews as
a part of the assessment.
Data Center reviews may have to be done
using mobile cameras and or CCTV
images/photographs (with time stamp)
based evidence.
Prepare for additional time interviewing
vis a vis traditional face to face interviews.
Technology to upload and manage
evidence to be shared between
assessor and organization.

3. Continuous Compliance Enablement
The continuous compliance
monitoring is a big value add to
their audit and certification
services, which is good for
organizations that don’t have the
team in-house. It’s a big
differentiator for them.
— VP of IT,
Call Center / BPO Company
70% of company’s assets
are non-compliant at some
point in the year.
Go beyond monitoring and alerting to predict, prioritize and
remediate compliance risks before they become security threats.
Address common non-compliant situations that leave you
vulnerable all year long, including:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical, overlooked vulnerabilities due to volume
• Risky firewall rule sets go undetected
• Non-compliant user access scenarios not flagged
“

Summary – Why ControlCase
“They provide excellent service,
expertise and technology. And,
the visibility into my compliance
throughout the year and during
the audit process provide a lot
of value to us.
— Dir. of Compliance,
SaaS company

THANK YOU FOR THE
OPPORTUNITY TO CONTRIBUTE TO
YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com

Managing Multiple Assessments Using Zero Trust Principles

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Managing Multiple Assessments Using Zero Trust Principles

Similar to Managing Multiple Assessments Using Zero Trust Principles (20)

More from ControlCase

More from ControlCase (16)

Recently uploaded

Recently uploaded (20)

Managing Multiple Assessments Using Zero Trust Principles

Editor's Notes