Continual Compliance – PCI DSS, ISO 27001 and EI3PA By Kishor Vaswani, CEO - ControlCase

Continual Compliance for PCI DSS, EI3PA and ISO 27001/2


DESCRIPTION

About PCI DSS, ISO 27001 and EI3PA
Best Practices and Components for Continual Compliance within IT Standards/Regulations
Challenges in the Continual Compliance Space


1. Continual Compliance: PCI DSS, ISO 27001 and EI3PA
   By Kishor Vaswani, CEO - ControlCase

2. Agenda
   - About PCI DSS, ISO 27001 and EI3PA
   - Best Practices and Components for Continual Compliance within IT Standards/Regulations
   - Challenges in the Continual Compliance Space
   - Q&A

3. About PCI DSS, ISO 27001 and EI3PA

4. What is PCI DSS?
   Payment Card Industry Data Security Standard:
   - Guidelines for securely processing, storing, or transmitting payment card account data
   - Established by leading payment card issuers
   - Maintained by the PCI Security Standards Council (PCI SSC)

5. PCI DSS Requirements (control objectives and their requirements)
   Build and maintain a secure network
     1. Install and maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Protect cardholder data
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
   Maintain a vulnerability management program
     5. Use and regularly update anti-virus software on all systems commonly affected by malware
     6. Develop and maintain secure systems and applications
   Implement strong access control measures
     7. Restrict access to cardholder data by business need-to-know
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
   Regularly monitor and test networks
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
   Maintain an information security policy
     12. Maintain a policy that addresses information security

6. What is EI3PA?
   Experian Security Audit Requirements:
   - Experian is one of the three major consumer credit bureaus in the United States
   - Guidelines for securely processing, storing, or transmitting Experian Provided Data
   - Established by Experian to protect consumer data/credit history data provided by them

7. EI3PA Requirements (control objectives and their requirements)
   Build and maintain a secure network
     1. Install and maintain a firewall configuration to protect Experian provided data
     2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Protect Experian data
     3. Protect stored Experian provided data
     4. Encrypt transmission of Experian data across open, public networks
   Antivirus
     5. Use and regularly update anti-virus software on all systems housing, accessing or processing Experian provided data
   Implement strong access control measures (logical and physical)
     6. Restrict access to Experian provided data by business need-to-know
     7. Restrict physical access to Experian provided data
     8. Assign a unique ID to each person with computer access to systems housing or processing Experian provided data
   Regularly monitor and test networks
     9. Track and monitor all access to network resources that Experian provided data is transmitted across
     10. Develop and maintain secure systems
     11. Regularly test security systems and processes that pertain to Experian provided data
   Maintain an information security policy
     12. Maintain a policy that addresses information security for employees and contractors

8. What is ISO 27001/ISO 27002?
   ISO Standard:
   - ISO 27001 is the management framework for implementing information security within an organization
   - ISO 27002 contains the detailed controls from an implementation perspective

9. ISO 27002 Controls (control objectives and their sub-requirements)
   - Security Policy: Information security policy
   - Organization of information security: Internal organization; External parties
   - Asset Management: Responsibility for assets; Information classification
   - Human Resources Security: Prior to employment; During employment; Termination or change of employment
   - Physical and environmental security: Secure areas; Equipment security
   - Communications and operations management: Operational procedures and responsibilities; Third party service delivery management; System planning and acceptance; Malicious and mobile code; Back-up; Network security management; Media handling; Exchange of information; Electronic commerce services; Monitoring
   - Access Control: User access management; User responsibilities; Network access control; Operating system access control; Application and information access control; Mobile computing and teleworking
   - Information Systems Acquisition, Development and Maintenance: Technical vulnerability management; Security requirements of information systems; Correct processing in applications; Cryptographic controls; Security of system files; Secure development
   - Information Security Incident Management: Reporting of incidents; Management of incidents
   - Business Continuity Management: Information security aspects of business continuity
   - Compliance: Compliance with legal requirements; Compliance with security policies and standards; Information systems audit considerations

10. Best Practices and Components for Continual Compliance within IT Standards/Regulations

11. Components of Continuous Monitoring
   - Unified Compliance Management
   - Policy Management
   - Vendor/Third Party Management
   - Asset and Vulnerability Management
   - Change Management and Monitoring
   - Incident and Problem Management
   - Data Management
   - Risk Management
   - Business Continuity Management
   - HR Management
   - Compliance Project Management

12. Unified Compliance Management
   (Diagram: overlap of ISO 27001, PCI DSS and EI3PA)

13. Unified Compliance Management
   - Test once, comply with multiple regulations
   - Mapping of controls
   - Automated data collection
   - Self-assessment data collection
   - Executive dashboards

14. Policy Management
   - Appropriate update of policies and procedures
   - Link/mapping to controls and standards
   - Communication, training and attestation
   - Monitoring of compliance with corporate policies
   Coverage area: ISO 27001 A.5; PCI 12; EI3PA 12

15. Vendor/Third Party Management
   - Management of third parties/vendors
   - Self-attestation by third parties/vendors
   - Remediation tracking
   Coverage area: ISO 27001 A.6, A.10; PCI 12; EI3PA 12

16. Asset and Vulnerability Management
   - Asset list
   - Management of vulnerabilities and dispositions
   - Training for development and support staff
   - Management reporting of unmitigated vulnerabilities
   - Linkage to non-compliance
   Coverage area: ISO 27001 A.7, A.12; PCI 6, 11; EI3PA 10, 11

17. Change Management and Monitoring
   - Escalation to incident for unexpected logs/alerts
   - Response/resolution process for expected logs/alerts
   - Correlation of logs/alerts to change requests
   - Change management ticketing system
   - Logging and monitoring (SIEM/FIM etc.)
   Coverage area: ISO 27001 A.10; PCI 1, 6, 10; EI3PA 1, 9, 10

18. Incident and Problem Management
   Process: Monitoring, Detection, Reporting, Responding, Approving
   Examples: Lost laptop; Changes to firewall rulesets; Upgrades to applications; Intrusion alerting
   Coverage area: ISO 27001 A.13; PCI 12; EI3PA 12

19. Data Management
   - Identification of data
   - Classification of data
   - Protection of data
   - Monitoring of data
   Coverage area: ISO 27001 A.7; PCI 3, 4; EI3PA 3, 4

20. Risk Management
   - Input of key criteria
   - Numeric algorithms to compute risk
   - Output of risk dashboards
   Coverage area: ISO 27001 A.6; PCI 12; EI3PA 12

21. Business Continuity Management
   - Business continuity planning
   - Disaster recovery
   - BCP/DR testing
   - Remote site/hot site
   Coverage area: ISO 27001 A.14; PCI not applicable; EI3PA not applicable

22. HR Management
   - Training
   - Background screening
   - Reference checks
   Coverage area: ISO 27001 A.8; PCI 12; EI3PA 12

23. Compliance Project Management
   Your Project Manager is charged with your success:
   1. Serves as your single point of contact and your advocate for all compliance activities
   2. Ensures all compliance requirements are met on schedule:
      - Builds a single-stream, reliable communication channel
      - Strategizes to produce an efficient plan based on your needs
      - Periodic pulse checks via status reports and meetings, paced according to your stage and schedule
   3. Prepares you for smooth and predictable activities across multiple compliance paths

24. Challenges in the Continual Compliance Space

25. Challenges
   - Redundant efforts
   - Cost inefficiencies
   - Lack of a compliance dashboard
   - Fixing of dispositions
   - Change in environment
   - Reliance on third parties
   - Increased regulations
   - Reducing budgets (do more with less)

26. ControlCase Solution

27. Compliance as a Service (CaaS)
   Learn more about continual compliance.

28. Why Choose ControlCase?
   Global reach: serving more than 400 clients in 40 countries and rapidly growing
   Certified resources:
   - PCI DSS Qualified Security Assessor (QSA)
   - QSA for Point-to-Point Encryption (QSA P2PE)
   - Certified ASV vendor
   - Certified ISO 27001 Assessment Department
   - EI3PA Assessor

29. To Learn More About PCI Compliance or Data Discovery
   Visit www.ControlCase.com
   Call +1.703.483.6383 (US)
   Call +91.9820293399 (India)
   Kishor Vaswani (CEO) [email protected]

30. Thank You for Your Time
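The correlation flow on the Change Management and Monitoring slide (expected alerts resolved against an approved change request, unexpected ones escalated to an incident), written out as an added example; this is not ControlCase's code, and the ticket and alert fields, hosts, paths and timestamps are constructed assumptions.

```python
# Added example (not from the deck): correlate FIM/SIEM alerts with approved
# change tickets. An alert covered by an approved change on the same host,
# path and time window is "expected" and goes to the response/resolution
# process; anything else is "unexpected" and is escalated to an incident.
# All hosts, paths, tickets and timestamps below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    host: str
    path_prefix: str      # files the approved change may modify
    start: datetime       # approved change window
    end: datetime


@dataclass(frozen=True)
class FimAlert:
    alert_id: str
    host: str
    path: str
    observed: datetime


def match_change(alert, tickets):
    """Return the id of an approved change covering this alert, else None."""
    for t in tickets:
        if (alert.host == t.host and alert.path.startswith(t.path_prefix)
                and t.start <= alert.observed <= t.end):
            return t.ticket_id
    return None


def triage(alerts, tickets):
    """Split alerts into expected (resolve against the change) and
    unexpected (escalate to incident)."""
    resolve, escalate = [], []
    for a in alerts:
        ticket = match_change(a, tickets)
        if ticket:
            resolve.append((a.alert_id, ticket))
        else:
            escalate.append(a.alert_id)
    return {"resolve": resolve, "escalate": escalate}


T0 = datetime(2024, 1, 10, 22, 0)
SAMPLE_TICKETS = [ChangeTicket("CHG-1001", "web01", "/opt/app/", T0, T0 + timedelta(hours=2))]
SAMPLE_ALERTS = [
    FimAlert("A1", "web01", "/opt/app/lib/core.jar", T0 + timedelta(minutes=30)),  # in window
    FimAlert("A2", "web01", "/etc/passwd", T0 + timedelta(minutes=31)),            # out of scope
    FimAlert("A3", "db01", "/opt/app/config.yml", T0 + timedelta(minutes=10)),     # wrong host
    FimAlert("A4", "web01", "/opt/app/bin/run", T0 + timedelta(hours=5)),          # after window
]
```

Running `triage(SAMPLE_ALERTS, SAMPLE_TICKETS)` resolves only A1 against CHG-1001; A2, A3 and A4 fall outside the change's scope, host or window and are escalated.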