Cloud Expo pci-hipaa deck 053111


Speaker notes:
  • Slide 1: (no notes)
  • Slide 2: Jeff
  • Slide 3: Jeff and Stacy
  • Slide 4: Jeff
  • Slide 5: Stacy
    • QSA – Qualified System Auditor
    • SAQ – Self Assessment Questionnaire
    • SAQ A, D most common for online merchants.
    • Storage = QSA
  • Slide 6: Jeff
  • Slide 7: Stacy
  • Slide 8: Stacy
    • WAF – Web Application Firewall
    • IPS – Intrusion Protection System (or IDS)
    • AOC – Attestation of Compliance
    • ROC – Report on Compliance
  • Slide 9: Stacy
    • Over 1M companies are ISO certified, but it is uncommon for companies to expect this from their cloud vendor.
  • Slide 10: I know the description had 5 questions, but we are giving you 20% more for free…
    • SOC 1/2/3, Type 1 and 2
    • Infrastructure – Public / Private, VPN
    • Privacy policy should be in the contract
    • Secure environment – IPS, VPN, Firewalls, VLANs, physical security
    • AWS / Azure example on SLA
  • Slide 11: Q&A

Slides:

  1. HIPAA and PCI Compliance in the Cloud
     • 8th International Cloud Expo
     • June 8th, 2011

  2. Agenda
     • Introductions
     • About CCS
     • What is PCI
     • What is HIPAA
     • Why are PCI and HIPAA important to cloud providers?
     • Technology and Best Practices
     • Other Compliance
     • Key Questions for Providers
     • Questions

  3. Introductions
     • Jeff Uphues – VP of Sales & Marketing, Cbeyond Cloud Services
     • Stacy Griggs – Senior Director of Customer Experience, Cbeyond Cloud Services

  4. About Cbeyond Cloud Services
     • 3000+ Cloud Customers
     • 58,000 Total Customers
     • $450M, Publicly Traded NASD:CBEY
     • 11 Years Old
     • Public Cloud + Managed Dedicated Servers = Hybrid
     • 2009 Microsoft Worldwide Hosting Partner of the Year
     • 2010 Microsoft Hyper-V Cloud Provider of the Year
     • Focus on SMBs with complex technology needs

  5. What is PCI
     • Set of regulations that businesses must follow to accept credit cards – mandated by merchant processors.
     • Applies to merchants that take payments on-line or in person.
     • Non-compliance generally results in litigation, reputational damage and loss of the ability to take credit cards.
     • 2 Levels
       • Audited by a QSA
       • SAQ
         • 4 types of SAQ, A–D
         • Basically 36 pages of detailed security information
         • Typical for smaller merchants (<1M annual transactions)
         • Must not store credit card data.

  6. What is HIPAA
     • Set of regulations enacted by Congress for the secure handling of patient health information.
     • Applies to medical offices, hospitals, research labs, pharmaceutical companies, drug stores and any other company that handles patient information.
     • Civil and criminal penalties for non-compliance.
     • Requires technical and physical safeguards to protect patient data.
     • Documented policies and annual risk assessments
     • About to become bigger with a new proposed rule (May 31, 2011) that would give people the right to get a report on who has electronically accessed their protected health information.

  7. Why PCI and HIPAA are important for the cloud
     • US Economy $14.7T GDP in 2010 – Wikipedia
     • Healthcare = 16% of GDP – Wikipedia
     • Visa / Amex + MC = $410B in Q1/10 – NY Times, May 2011
     • Annualized Credit Card Spending = 11% of GDP
     • Collectively > ¼ of the economy
     • Both spending categories are growing at >2X the pace of the general economy.
     • Rapidly moving to the cloud
     • If you aren't providing PCI and HIPAA compliant service you are leaving ¼ of the economy to your competitors.

  8. Technology Requirements and Best Practices
     • Security!
       • Firewalls
       • Application Isolation (one primary function per server)
       • WAF
       • Log Management
       • IPS
     • Physical
       • Building controls and logs
       • CCTV and history
     • Process, Policy and Review
       • HIPAA – Business Associate Agreement
       • Path to compliance – PCI
         • SAQ or SAQ + QSA
         • AOC – ROC

  9. Other – less common areas of compliance
     • Federal Information Security Act (FISMA) – Federal Government and vendors
     • Sarbanes-Oxley (SOX) – Public companies and their vendors
     • Information Technology Infrastructure Library (ITIL) – Companies with advanced IT process, especially European
     • International Organization for Standards (ISO 9001) – Worldwide
     • European Safe Harbor – Data protection standards for EU countries

  10. Key Questions for Cloud Providers
     • Show me your SAS70 Type II (SSAE16)
     • How will you design a compliant infrastructure?
     • What is the client responsible for and what is the vendor responsible for?
     • Show me your privacy policy
     • What's your SLA?
     • How do you maintain a secure environment?

  11. Contact Information
     • Jeff Uphues – 678-516-4751
     • Stacy Griggs – 502-213-7738