ControlCase discusses the following:
- Requirements for PCI DSS, EI3PA, HIPAA, Business Associates, FFIEC and Banking Service Providers
- What is Vendor Management
- Why is Continual Compliance a challenge in Vendor Management
- How to mix technology and manual processes for effective Vendor Management
3. CORPORATE OVERVIEW
ControlCase™ - Making Compliance Effortless
- Over 500 clients across the US, CEMEA, Europe, Latin America and Asia/Pacific regions
- Headquartered in the Washington, DC metro area (Fairfax, VA)
- ControlCase office or partnership locations include the US, Canada, Colombia, India, UK, KSA, Japan, Indonesia, Vietnam, Philippines, Kuwait, Malaysia, Brazil and Dubai
- Unique offerings bring peace of mind to compliance
4. CREDENTIALS
- PCI DSS: Qualified Security Assessor (QSA) Company; ASV: Approved Scanning Vendor
- ISO 27001 & 27002: International Organization for Standardization
- SOC 1, SOC 2, SOC 3, & SOC for Cybersecurity: Service Organization Controls (AICPA)
- HITRUST CSF: Health Information Trust Alliance Common Security Framework (CSF)
- HIPAA: Health Insurance Portability and Accountability Act
- NIST 800-53: National Institute of Standards and Technology
- GDPR: General Data Protection Regulation
- MARS-E: Minimum Acceptable Risk Standards for Exchanges
- EI3PA: Experian Independent Third Party Assessment
- Microsoft SSPA: Supplier Security and Privacy Assurance Third Party Risk Assessor
- Shared Assessments Program: Certified product licensee for SIG and AUP
- PA-DSS: Payment Application Qualified Security Assessor (QSA)
6. What is PCI DSS
Payment Card Industry Data Security Standard:
• Requirements for securely processing, storing, or transmitting payment card account data
• Established by the major payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
7. What is FISMA
• Federal Information Security Management Act (FISMA) of 2002 (updated by the Federal Information Security Modernization Act of 2014)
– Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
• FISMA objectives:
– Align security protections with risk and impact
– Establish accountability and performance measures
– Empower executives to make informed risk decisions
8. What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
– Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
– Reduces health care fraud and abuse;
– Mandates industry-wide standards for health care information on electronic billing and other processes; and
– Requires the protection and confidential handling of protected health information
9. What is ISO 27001/ISO 27002
ISO Standards:
• ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), the management framework for implementing information security within an organization; it is the standard an organization is certified against
• ISO/IEC 27002 is the companion code of practice: implementation guidance for the individual security controls
10. What is FERC/NERC
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC)
› The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection (CIP) Standards
› NERC's standards for cyber security protection of the bulk power system
12. Why Vendor/Third Party Management?
• Management of third parties
• Attestation/audit of third parties
• Remediation tracking
• Cloud
› A cloud environment such as AWS must be considered a third party
› Document a "compliance matrix" recording which requirements are the responsibility of the cloud provider and which remain yours

Third-party management requirements by regulation/standard (coverage area):
• ISO 27001: A.6, A.10
• PCI DSS: Requirement 12 (12.8 covers service providers)
• EI3PA: 12
• HIPAA: 164.308(b)(1)
• FISMA: PS-3
• FERC/NERC: Multiple requirements
13. High Level Process
1. Register/inventory vendors
2. Categorize vendors
3. Create master control checklist
4. Map controls to categories
5. Create vendor risk assessment questionnaire
6. Distribute questionnaire to vendors
7. Analyze responses and attachments
8. Track exceptions to closure
15. Step 2 – Categorize Vendors
Questions to ask:
- What type of data do they store, process or transmit (SSN, card numbers, customer name, diagnosis code(s), etc.)?
- Is the data in a physical and/or electronic form?
- What business are they in (call center, recoveries, managed service, software development, printing, hosting)?
- What risk factors exist based on geography (North America, Asia/Pacific, South America, etc.)?
16. Step 2 – Categorize Vendors (contd.)
Considerations:
- Less exposure to disclosure/compromise = less verification (i.e., survey only)
- More exposure to disclosure/compromise = more verification and validation (e.g., survey, evidence review, on-site assessment)
17. Step 3 – Create Master Control Checklist
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Change Management and Monitoring
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Compliance Project Management
18. Step 4 – Map Controls To Categories
Map controls from the master list to categories based on:
- What is relevant to the type of data being stored, processed or transmitted (e.g., if card data is in scope, PCI DSS controls are relevant to check; otherwise they are not)
- What is relevant from a business perspective (e.g., call-center third parties have VoIP-related controls, whereas software development vendors may not)
- What is relevant from a geography perspective (e.g., background checks in the USA vs. India may differ and may require testing different controls)
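Steps 2 through 4 above are a rule set: tier each vendor by the data it handles, the form of that data, and its geography; pick the verification depth from the tier; then select only the master-checklist controls whose applicability rule the vendor matches. The following is an added example written for this page, not ControlCase's tooling; the control IDs, the sensitivity scale, the elevated-risk region list and the sample inventory are constructed assumptions chosen to illustrate the mapping, not findings about any real vendor or jurisdiction.

```python
"""Vendor risk tiering and control mapping (constructed example of Steps 2-4).

Not ControlCase's tooling: control IDs, tier thresholds, the sensitivity
table and the sample vendors below are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, List


class Tier(IntEnum):
    LOW = 1      # survey only
    MEDIUM = 2   # survey + evidence review
    HIGH = 3     # survey + evidence review + on-site assessment


# Exposure if this data element is disclosed (assumed scale).
DATA_SENSITIVITY: Dict[str, Tier] = {
    "customer_name": Tier.LOW,
    "email": Tier.MEDIUM,
    "ssn": Tier.HIGH,
    "pan": Tier.HIGH,             # primary account numbers (card data)
    "diagnosis_code": Tier.HIGH,  # protected health information
}

# Regions where this assessor applies extra scrutiny (assumed list).
ELEVATED_RISK_REGIONS: FrozenSet[str] = frozenset({"asia_pacific", "south_america"})

VERIFICATION: Dict[Tier, List[str]] = {
    Tier.LOW: ["survey"],
    Tier.MEDIUM: ["survey", "evidence_review"],
    Tier.HIGH: ["survey", "evidence_review", "onsite_assessment"],
}


@dataclass(frozen=True)
class Vendor:
    name: str
    business: str                  # call_center, hosting, software_dev, printing, ...
    data_elements: FrozenSet[str]  # what they store, process or transmit
    electronic: bool
    physical: bool
    country: str                   # ISO country code, drives country-specific controls
    region: str                    # drives the geography risk factor


def tier_vendor(v: Vendor) -> Tier:
    """Step 2: tier from data type, data form, and geography."""
    if not v.data_elements:
        return Tier.LOW  # nothing to disclose: survey only
    # An element missing from the table is treated as MEDIUM, never silently LOW.
    tier = max(DATA_SENSITIVITY.get(d, Tier.MEDIUM) for d in v.data_elements)
    # Data in both physical and electronic form, or an elevated-risk region,
    # raises MEDIUM to HIGH. LOW stays LOW: the data does not justify on-site time.
    if tier == Tier.MEDIUM and ((v.electronic and v.physical) or v.region in ELEVATED_RISK_REGIONS):
        tier = Tier.HIGH
    return tier


@dataclass(frozen=True)
class Control:
    cid: str
    domain: str                          # domain from the master control checklist
    applies: Callable[[Vendor], bool]    # Step 4 mapping rule


def _always(_: Vendor) -> bool:
    return True


# Step 3 master checklist with Step 4 applicability rules (IDs are placeholders).
MASTER_CONTROLS: List[Control] = [
    Control("POL-01", "Policy Management", _always),
    Control("VND-01", "Vendor/Third Party Management", _always),
    Control("PCI-01", "Data Management", lambda v: "pan" in v.data_elements),
    Control("PHI-01", "Data Management", lambda v: "diagnosis_code" in v.data_elements),
    Control("PHY-01", "Asset and Vulnerability Management", lambda v: v.physical),
    Control("VOIP-01", "Change Management and Monitoring", lambda v: v.business == "call_center"),
    Control("SDLC-01", "Change Management and Monitoring", lambda v: v.business == "software_dev"),
    Control("HR-US-01", "HR Management", lambda v: v.country == "US"),  # US-style background check
    Control("HR-IN-01", "HR Management", lambda v: v.country == "IN"),  # India-style background check
]


def applicable_controls(v: Vendor) -> List[str]:
    """Step 4: the controls this vendor's questionnaire must cover."""
    return [c.cid for c in MASTER_CONTROLS if c.applies(v)]


def assess_inventory(vendors: List[Vendor]) -> Dict[str, dict]:
    """Steps 2-4 over the registered inventory (Step 1 output)."""
    report = {}
    for v in vendors:
        t = tier_vendor(v)
        report[v.name] = {"tier": t.name, "verification": VERIFICATION[t],
                          "controls": applicable_controls(v)}
    return report


# Constructed sample inventory.
SAMPLE_VENDORS: List[Vendor] = [
    Vendor("Acme Call Center", "call_center", frozenset({"customer_name", "pan"}), True, False, "IN", "asia_pacific"),
    Vendor("Printco", "printing", frozenset({"customer_name", "email"}), True, True, "US", "north_america"),
    Vendor("DevShop", "software_dev", frozenset(), False, False, "BR", "south_america"),
    Vendor("Recoveries Inc", "recoveries", frozenset({"account_balance"}), True, False, "US", "north_america"),
]

if __name__ == "__main__":
    for name, row in assess_inventory(SAMPLE_VENDORS).items():
        print(f"{name}: {row['tier']} -> {row['verification']} -> {row['controls']}")
```

The PCI control lands on the call center only because it handles card numbers, and the on-site assessment is triggered by that data rather than by geography; the print vendor reaches HIGH through the combination of physical and electronic handling, which is the "more exposure, more verification" rule from Step 2.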
22. Alternative to steps 5, 6 and 7 - Automation
Collect Data → Data Analytics → Calculate Ratings → Report
• Collect Data (automated data feed): 1. Logs; 2. Scans and test reports; 3. Data leak; 4. Identity and access management
• Data Analytics: analysis of data against 15 international standards
• Calculate Ratings: ControlCase proprietary rating mechanism
• Report: rating and remediation action plan with cost; ControlCase presents to the board

Quarterly score based on 4 rolling quarters' worth of data:
1. Log Management
2. Vulnerability Management
3. Data Leak Prevention or Data Discovery
4. Other Automated Feeds
25. #ALLMYDATA
Challenges:
• Redundant efforts
• Cost inefficiencies
• Lack of compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)
27. #ALLMYDATA
WE NOW LIVE IN AN AGE OF OPEN DATA SHARING AT THE SPEED OF THOUGHT
28. CUSTOMERS ARE DEMANDING VENDORS PROTECT THEIR DATA
YOU SEE IT IN THE HEADLINES
YOU SEE IT IN NEW REGULATIONS
29. 47% OF U.S. ADULTS HAD THEIR PERSONAL INFORMATION EXPOSED BY HACKERS
Case Study:
• Large multinational company client
• Annual vendor audit resulted in a compliant report
• Breach followed 4 months later
• Investigation showed the customer had temporarily adjusted data security only to meet audit requirements
OLD WAY: Annual single point-in-time questionnaires
NEW WAY: Ongoing real-time data, systems and operations vigilance, where you can trust your vendors without hesitation
30. INTRODUCING... CONTROLCASE DATA SECURITY RATING
#stayvigilant
An Objective Measure of Confidence in Your IT Security Strength
• Quarterly scoring against 15 international standards
- AAA to C score (like Moody's ratings)
- Industry segmentation
• Real-time automated transparency into your data systems
- Monthly automated data feeds via APIs: log management, vulnerability management, data leak prevention (DLP) or data discovery
• Clear insights, budget and action plan to strengthen your data systems
- Quarterly remediation action plan and related cost
31. The Data Security Rating Process
Same four-stage pipeline as the Automation slide above (Collect Data → Data Analytics → Calculate Ratings → Report), fed by the automated data feed and scored quarterly on 4 rolling quarters of log management, vulnerability management, and data leak prevention or data discovery, supplemented by an onsite audit:
• In-person interviews
• Over-the-shoulder stress test
• Physical security review