Continual Compliance Monitoring – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase
Agenda
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Components for Continual Compliance Monitoring within IT Standards/Regulations
• Recurrence Frequency and Calendar
• Challenges in Continual Compliance Monitoring
• Q&A
About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
What is HIPAA?
• HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. HIPAA does the following:
› Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
› Reduces health care fraud and abuse;
› Mandates industry-wide standards for health care information on electronic billing and other processes; and
› Requires the protection and confidential handling of protected health information
What is FERC/NERC?
• Federal Energy Regulatory Commission (FERC)
› The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
• North American Electric Reliability Corporation (NERC)
› The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection (CIP) Standards
› NERC standards for cyber security protection
What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian-provided data
• Established by Experian to protect the consumer data and credit history data it provides
What is ISO 27001/ISO 27002?
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 provides the detailed controls from an implementation perspective
What is FISMA?
• Federal Information Security Management Act (FISMA) of 2002
› Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
• FISMA objectives:
› Align security protections with risk and impact
› Establish accountability and performance measures
› Empower executives to make informed risk decisions
Components of Continual Compliance Monitoring
Continuous Monitoring
• Test once, comply with multiple regulations
• Mapping of controls
• Automated data collection
• Self-assessment data collection
• Executive dashboards
Continual Compliance Monitoring Domains
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Log Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
Policy Management
• Appropriate update of policies and procedures
• Link/mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance to corporate policies

Reg/Standard   Coverage area
ISO 27001      A.5
PCI            12
EI3PA          12
HIPAA          164.308a1i
FISMA          AC-1
FERC/NERC      CIP-003-6
Vendor/Third Party Management
• Management of third parties/vendors
• Self-attestation by third parties/vendors
• Remediation tracking

Reg/Standard   Coverage area
ISO 27001      A.6, A.10
PCI            12
EI3PA          12
HIPAA          164.308b1
FISMA          PS-3
FERC/NERC      Multiple requirements
Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and dispositions
• Training for development and support staff
• Management reporting of unmitigated vulnerabilities
• Linkage to non-compliance

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a8
FISMA          RA-5
FERC/NERC      CIP-010
Logging Management
• Logging
• File Integrity Monitoring
• 24x7 monitoring
• Managing volumes of data

Reg/Standard   Coverage area
ISO 27001      A.7, A.12
PCI            6, 11
EI3PA          10, 11
HIPAA          164.308a1iiD
FISMA          SI-4
Change Management and Monitoring
Flow (from the slide diagram):
• Change Management ticketing system
• Logging and Monitoring (SIEM/FIM etc.)
• Correlation of logs/alerts to change requests
• Response/resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts

Reg/Standard   Coverage area
ISO 27001      A.10
PCI            1, 6, 10
EI3PA          1, 9, 10
FISMA          SA-3
Incident and Problem Management
Process: Monitoring → Detection → Reporting → Responding → Approving
Examples (from the slide):
• Lost laptop
• Changes to firewall rulesets
• Upgrades to applications
• Intrusion alerting

Reg/Standard   Coverage area
ISO 27001      A.13
PCI            12
EI3PA          12
HIPAA          164.308a6i
FISMA          IR series
FERC/NERC      CIP-008
Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data

Reg/Standard   Coverage area
ISO 27001      A.7
PCI            3, 4
EI3PA          3, 4
HIPAA          164.310d2iv
FERC/NERC      CIP-011
Risk Management
• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards

Reg/Standard   Coverage area
ISO 27001      A.6
PCI            12
EI3PA          12
HIPAA          164.308a1iiB
FISMA          RA-3
Business Continuity Management
• Business Continuity Planning
• Disaster Recovery
• BCP/DR testing
• Remote site/hot site

Reg/Standard   Coverage area
ISO 27001      A.14
PCI            Not applicable
EI3PA          Not applicable
HIPAA          164.308a7i
FISMA          CP series
FERC/NERC      CIP-009
HR Management
• Training
• Background screening
• Reference checks

Reg/Standard   Coverage area
ISO 27001      A.8
PCI            12
EI3PA          12
HIPAA          164.308a3i
FISMA          AT-2
FERC/NERC      CIP-004
Physical Security
• Badges
• Visitor access
• CCTV
• Biometrics

Reg/Standard   Coverage area
ISO 27001      A.11
PCI            9
EI3PA          9
HIPAA          164.310
FISMA          PE series
FERC/NERC      CIP-006
Recurrence Frequency and Calendar
Daily Monitoring Domains
• Asset and Vulnerability Management
› New assets
› New vulnerabilities
• Log Management
› Response time window
• Change Management
› Impact in case of an error
› Unknown and insecure applications
• Incident and Problem Management
› Root cause of systemic problems
› Response to operational and security incidents
Monthly/Quarterly Monitoring Domains
• Vendor/Third Party Management
› Time taken by third parties to respond
• Data Management
› Identification of unknown data
• HR Management
› Time taken for training
› Time taken for background checks
• Physical Security Management
› Time taken to install new physical security components
Annual Monitoring Domains
• Policy Management
› Annual policy reviews
• Risk Management
› Enterprise-wide nature of risk assessment
• BCP/DR Management
› Time taken to conduct BCP/DR tests
Challenges in Continual Compliance Monitoring
Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)
Integrated compliance
Sample questions, each asked once and mapped to the corresponding reference in multiple regulations and standards:

Question No. 37
Question: Provide the data encryption policy explaining the encryption controls implemented for secure storage of cardholder data (e.g. encryption, truncation, masking etc.), applicable to applications, databases and backup tapes.
Evidence:
- Screenshots showing that full PAN data is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and strength used.
- For backup tapes, a screenshot showing the encryption applied (algorithm and strength, e.g. AES 256 bit) through the backup solution.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.4.a, 3.4.b, 3.4.c, 3.4.d | PCI DSS 3.0: 3.4 | ISO 27002:2013: 10.1.1, 18.1.5 | SOC2: not listed | HIPAA: 164.312(a)(1) | NIST 800-53: not listed

Question No. 38
Question: If disk encryption is used for card data, is logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access to the local operating system and to the encrypted file system requires separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.4.1.a | PCI DSS 3.0: 3.4.1 | ISO 27002:2013: 10.1.2 | SOC2: not listed | HIPAA: 164.312(a)(1) | NIST 800-53: not listed

Question No. 39
Question: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) in storage.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
References: PCI DSS 2.0: 3.5 | PCI DSS 3.0: 3.5.2 | ISO 27002:2013: 10.1.2 | SOC2: not listed | HIPAA: 164.312(a)(1) | NIST 800-53: not listed

Question No. 40
Question: Provide evidence showing the exact locations where encryption keys are stored (keys should be stored in the fewest possible locations).
References: PCI DSS 2.0: not listed | PCI DSS 3.0: 3.5.3 | ISO 27002:2013: 10.1.2 | SOC2: not listed | HIPAA: 164.312(a)(1) | NIST 800-53: not listed
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessment Department
› EI3PA Assessor
› HIPAA Assessor
› HITRUST Assessor
› SOC1, SOC2, SOC3 Assessor
› BITS Shared Assessment Company
To Learn More About ControlCase
• Visit www.controlcase.com
• Email us at [email protected]
Thank You for Your Time