Unified Compliance – PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA By Kishor Vaswani, CEO - ControlCase

Upload: controlcase

Post on 22-Jan-2015


DESCRIPTION

Unified Compliance - Continual Compliance Monitoring for PCI DSS, HIPAA, FERC/ NERC, EI3PA and ISO 27001

TRANSCRIPT

1. Unified Compliance: PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA
By Kishor Vaswani, CEO - ControlCase

2. Agenda
• ControlCase Overview
• About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
• Best Practices and Components for Unified Compliance within IT Standards/Regulations
• Challenges in the Unified Compliance Space
• Q&A

3. ControlCase Overview
• More than 400 customers in more than 40 countries.
• Recognized as an Inc. 500/5000 company.
• Continued focus on PCI DSS and Compliance as a Service (CaaS).
• Continued update and use of technology based on feedback from customers (including many in this room).

4. About PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 and FISMA

5. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)

6. What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic billing and other processes; and
• Requires the protection and confidential handling of protected health information.

7. What is FERC/NERC?
Federal Energy Regulatory Commission (FERC): The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over interstate electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates.
North American Electric Reliability Corporation (NERC): The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to ensure the reliability of the bulk power system in North America.
• Critical Infrastructure Protection (CIP) Standards: standards for cyber security protection

8. What is EI3PA?
Experian Security Audit Requirements:
• Experian is one of the three major consumer credit bureaus in the United States
• Guidelines for securely processing, storing, or transmitting Experian Provided Data
• Established by Experian to protect consumer data/credit history data provided by them

9. What is ISO 27001/ISO 27002?
ISO Standard:
• ISO 27001 is the management framework for implementing information security within an organization
• ISO 27002 contains the detailed controls from an implementation perspective

10. What is FISMA?
Federal Information Security Management Act (FISMA) of 2002:
• Requires federal agencies to implement a mandatory set of processes, security controls and information security governance
FISMA objectives:
• Align security protections with risk and impact
• Establish accountability and performance measures
• Empower executives to make informed risk decisions

11. Best Practices and Components for Continual Compliance within IT Standards/Regulations

12. Building Blocks of Unified Compliance
• Unified Compliance Management
• Policy Management
• Vendor/Third Party Management
• Asset and Vulnerability Management
• Logging and Monitoring
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Physical Security
• Compliance Project Management

13. Unified Compliance Management
• Test once, comply to multiple regulations
• Mapping of controls
• Automated data collection
• Self assessment data collection
• Executive dashboards

14. Policy Management
• Appropriate update of policies and procedures
• Link/Mapping to controls and standards
• Communication, training and attestation
• Monitoring of compliance to corporate policies
Reg/Standard    Coverage area
ISO 27001       A.5
PCI             12
EI3PA           12
HIPAA           164.308(a)(1)(i)
FISMA           AC-1
FERC/NERC       CIP-003-6

15. Vendor/Third Party Management
• Management of third parties/vendors
• Self attestation by third parties/vendors
• Remediation tracking
Reg/Standard    Coverage area
ISO 27001       A.6, A.10
PCI             12
EI3PA           12
HIPAA           164.308(b)(1)
FISMA           PS-3
FERC/NERC       Multiple requirements

16. Asset and Vulnerability Management
• Asset list
• Management of vulnerabilities and dispositions
• Training to development and support staff
• Management reporting if a vulnerability is unmitigated
• Linkage to non-compliance
Reg/Standard    Coverage area
ISO 27001       A.7, A.12
PCI             6, 11
EI3PA           10, 11
HIPAA           164.308(a)(8)
FISMA           RA-5
FERC/NERC       CIP-010

17. Logging and Monitoring
• Logging
• File Integrity Monitoring
• 24x7 monitoring
• Managing volumes of data
Reg/Standard    Coverage area
ISO 27001       A.7, A.12
PCI             6, 11
EI3PA           10, 11
HIPAA           164.308(a)(1)(ii)(D)
FISMA           SI-4

18. Change Management and Monitoring
• Change Management ticketing system
• Logging and Monitoring (SIEM/FIM etc.)
• Correlation of logs/alerts to change requests
• Response/Resolution process for expected logs/alerts
• Escalation to incident for unexpected logs/alerts
Reg/Standard    Coverage area
ISO 27001       A.10
PCI             1, 6, 10
EI3PA           1, 9, 10
FISMA           SA-3

19. Incident and Problem Management
Process steps: Monitoring, Detection, Reporting, Responding, Approving
Example events: lost laptop; changes to firewall rulesets; upgrades to applications; intrusion alerting
Reg/Standard    Coverage area
ISO 27001       A.13
PCI             12
EI3PA           12
HIPAA           164.308(a)(6)(i)
FISMA           IR series
FERC/NERC       CIP-008

20. Data Management
• Identification of data
• Classification of data
• Protection of data
• Monitoring of data
Reg/Standard    Coverage area
ISO 27001       A.7
PCI             3, 4
EI3PA           3, 4
HIPAA           164.310(d)(2)(iv)
FERC/NERC       CIP-011

21. Risk Management
• Input of key criteria
• Numeric algorithms to compute risk
• Output of risk dashboards
Reg/Standard    Coverage area
ISO 27001       A.6
PCI             12
EI3PA           12
HIPAA           164.308(a)(1)(ii)(B)
FISMA           RA-3

22. Business Continuity Management
• Business Continuity Planning
• Disaster Recovery
• BCP/DR Testing
• Remote Site/Hot Site
Reg/Standard    Coverage area
ISO 27001       A.14
PCI             Not applicable
EI3PA           Not applicable
HIPAA           164.308(a)(7)(i)
FISMA           CP series
FERC/NERC       CIP-009

23. HR Management
• Training
• Background Screening
• Reference Checks
Reg/Standard    Coverage area
ISO 27001       A.8
PCI             12
EI3PA           12
HIPAA           164.308(a)(3)(i)
FISMA           AT-2
FERC/NERC       CIP-004

24. Physical Security
• Badges
• Visitor Access
• CCTV
• Biometric
Reg/Standard    Coverage area
ISO 27001       A.11
PCI             9
EI3PA           9
HIPAA           164.310
FISMA           PE series
FERC/NERC       CIP-006

25. Compliance Project Management
Your Project Manager is charged with your success:
1. Serves as your single point of contact and your advocate for all compliance activities
2. Ensures all compliance requirements are met on schedule:
   • Builds a single-stream, reliable communication channel
   • Strategizes to produce an efficient plan based on your needs
   • Periodic pulse checks via status reports and meetings, paced according to your stage and schedule
3. Prepares you for smooth and predictable activities across multiple compliance paths

26. Challenges in the Compliance Space

27. Challenges
• Redundant efforts
• Cost inefficiencies
• Lack of a compliance dashboard
• Fixing of dispositions
• Change in environment
• Reliance on third parties
• Increased regulations
• Reducing budgets (do more with less)

28. ControlCase Solution

29. Learn more about continual compliance: Compliance as a Service (CaaS)

30. Integrated Compliance
Sample questionnaire rows, each mapped to several standards at once (columns in the original: Question No., Question, PCI DSS 2.0 Reference, PCI DSS 3.0, ISO 27002:2013, SOC2, HIPAA, NIST 800-53; the SOC2 and NIST 800-53 cells are blank for these rows):

Question 37: Provide data encryption policy explaining encryption controls implemented for cardholder data secure storage (e.g. encryption, truncation, masking etc.) applicable for application, database and backup tapes.
• Screenshots showing full PAN data is encrypted with strong encryption while stored (database tables or files). The captured details should also show the encryption algorithm and strength used.
• For backup tapes, screenshot showing the encryption applied (algorithm and strength, e.g. AES 256 bit) through the backup solution.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.4.a, 3.4.b, 3.4.c, 3.4.d | PCI DSS 3.0: 3.4 | ISO 27002:2013: 10.1.1, 18.1.5 | HIPAA: 164.312(a)(1)

Question 38: If disk encryption is used for card data, is the logical access to the encrypted file system separate from native operating system user access? (Provide adequate evidence showing that logical access for the local operating system and for the encrypted file system is with separate user authentication.)
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.4.1.a | PCI DSS 3.0: 3.4.1 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 39: Provide evidence showing restricted access control for Data Encryption Keys (DEK) and Key Encryption Keys (KEK) at store.
Security Posture QA: QSA to verify that encryption is appropriate OR compensating controls are per ControlCase standard.
PCI DSS 2.0: 3.5 | PCI DSS 3.0: 3.5.2 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

Question 40: Provide the evidence showing the exact locations where encryption keys are stored (keys should be stored at the fewest possible locations).
PCI DSS 3.0: 3.5.3 | ISO 27002:2013: 10.1.2 | HIPAA: 164.312(a)(1)

31. Why Choose ControlCase?
Global Reach: serving more than 400 clients in 40 countries and rapidly growing
Certified Resources:
• PCI DSS Qualified Security Assessor (QSA)
• QSA for Point-to-Point Encryption (QSA P2PE)
• Certified ASV vendor
• Certified ISO 27001 Assessment Department
• EI3PA Assessor
• HIPAA Assessor
• HITRUST Assessor
• SOC1, SOC2, SOC3 Assessor
• BITS Shared Assessment Company

32. To Learn More About ControlCase
Visit www.controlcase.com
Email us at [email protected]

33. Thank You for Your Time